Skill (quality 0.45)

deps

Use when hardening npm supply chain, pinning dependency versions, adding .npmrc security flags, or setting up Renovate and audit workflows. Locks down install-time scripts, registries, version ranges, and CI checks.

Price: free
Protocol: skill
Verified: no

What it does

You harden npm supply chain security for JS/TS projects. Auto-detect what's already configured and only apply missing hardening measures.

1. Detect Package Manager

Check for lockfiles in this order:

  1. pnpm-lock.yaml → pnpm
  2. bun.lock / bun.lockb → bun
  3. yarn.lock → yarn
  4. package-lock.json → npm
  5. No lockfile → ask the user

Use the detected package manager for all commands. Replace <pm> in rule files with the detected manager.

2. Detect Existing Config

Before applying any hardening, scan for existing configurations:

  • .npmrc / .yarnrc.yml / bunfig.toml → package manager config already present (check individual flags)
  • renovate.json / .renovaterc / .renovaterc.json / renovate key in package.json → Renovate already configured
  • .github/workflows/*.yml containing audit → audit workflow exists
  • .github/workflows/*.yml containing dependency-review → dependency review exists
  • .github/workflows/*.yml containing lockfile → lockfile integrity check exists
  • package.json dependency versions without ^ or ~ prefixes → already pinned

Skip rules whose checks already pass. Report what was skipped at the end.

3. Apply Rules

Read each rule file for detailed instructions and config templates.

| Rule | Impact | File |
| --- | --- | --- |
| .npmrc security flags | HIGH | rules/npmrc.md |
| Release quarantine | MEDIUM | rules/release-quarantine.md |
| Version pinning | HIGH | rules/version-pinning.md |
| Renovate | MEDIUM | rules/renovate.md |
| Audit workflow | HIGH | rules/audit-workflow.md |
| Dependency review | HIGH | rules/dependency-review.md |
| Lockfile integrity | MEDIUM | rules/lockfile-integrity.md |

4. Output Summary

After all rules are processed, display a summary:

## Supply Chain Hardening Complete

### Applied
- [list of rules applied with brief description]

### Skipped (already configured)
- [list of rules skipped with reason]

### Manual Steps Required
- [any post-setup steps, e.g. "Run `pnpm exec husky` to reinitialise git hooks"]
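The detection in steps 1 and 2 and the apply/skip split it feeds into the step 4 summary, as an added Python illustration that is not the skill's own code: the functions take the project as a {relative path: file text} mapping, and the rule names are assumed from the rule file names in step 3.

```python
import json

# Lockfile -> package manager, in the order the skill checks them.
LOCKFILES = [("pnpm-lock.yaml", "pnpm"), ("bun.lock", "bun"), ("bun.lockb", "bun"),
             ("yarn.lock", "yarn"), ("package-lock.json", "npm")]
# Substring in .github/workflows/*.yml that marks a CI rule as already present.
WORKFLOW_MARKERS = {"audit-workflow": "audit", "dependency-review": "dependency-review",
                    "lockfile-integrity": "lockfile"}
# Rule names assumed from the rule file names; release-quarantine has no detection check.
ALL_RULES = ["npmrc", "release-quarantine", "version-pinning", "renovate",
             "audit-workflow", "dependency-review", "lockfile-integrity"]

def detect_package_manager(files):
    """Step 1: first matching lockfile wins; None means 'ask the user'."""
    return next((pm for lockfile, pm in LOCKFILES if lockfile in files), None)

def all_versions_pinned(pkg):
    """Pinned means no ^ or ~ prefix on any dependency or devDependency."""
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return bool(deps) and not any(v.startswith(("^", "~")) for v in deps.values())

def detect_existing_config(files):
    """Step 2: return the rules whose 'already configured' check passes."""
    present = set()
    if any(f in files for f in (".npmrc", ".yarnrc.yml", "bunfig.toml")):
        present.add("npmrc")  # file exists; its individual flags are checked by the rule
    pkg = json.loads(files.get("package.json", "{}"))
    if "renovate" in pkg or any(f in files for f in ("renovate.json", ".renovaterc", ".renovaterc.json")):
        present.add("renovate")
    workflows = "\n".join(text for name, text in files.items()
                          if name.startswith(".github/workflows/") and name.endswith(".yml"))
    present.update(rule for rule, marker in WORKFLOW_MARKERS.items() if marker in workflows)
    if all_versions_pinned(pkg):
        present.add("version-pinning")
    return present

def plan(files):
    """Steps 1-2 combined into the apply/skip lists that the step 4 summary reports."""
    present = detect_existing_config(files)
    return {"package_manager": detect_package_manager(files),
            "apply": [r for r in ALL_RULES if r not in present],
            "skip": [r for r in ALL_RULES if r in present]}

SAMPLE_PROJECT = {  # constructed sample: pnpm, pinned versions, an .npmrc and an audit job
    "pnpm-lock.yaml": "lockfileVersion: '9.0'\n", ".npmrc": "ignore-scripts=true\n",
    "package.json": '{"dependencies": {"left-pad": "1.3.0"}, "devDependencies": {"typescript": "5.4.5"}}',
    ".github/workflows/ci.yml": "steps:\n  - run: pnpm audit --audit-level=high\n"}
```

For the sample project `plan(SAMPLE_PROJECT)` skips npmrc, version-pinning and audit-workflow and applies the remaining four rules.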

Assumptions

  • Project has a package.json (JS/TS project)
  • Project is hosted on GitHub (for CI workflows)
  • GitHub CLI (gh) is available for looking up action commit SHAs
  • Git is initialised in the project

Capabilities

skill · source-tartinerlabs · skill-deps · topic-agent-skills · topic-automation · topic-claude-code · topic-claude-code-skills · topic-cli · topic-code-quality · topic-developer-tools · topic-github-actions · topic-productivity · topic-tailwind-css

Install

Install: npx skills add tartinerlabs/skills
Transport: skills-sh
Protocol: skill

Quality

0.45 / 1.00

Deterministic score 0.45 from registry signals: indexed on github topic:agent-skills · 7 github stars · SKILL.md body (2,304 chars)

Provenance

Indexed from: github
Enriched: 2026-05-18 19:13:56Z · deterministic:skill-github:v1 · v1
First seen: 2026-05-18
Last seen: 2026-05-18
