Stats
Actions
Tags
From ai-security
Hardens pnpm/Node.js projects against supply chain attacks by configuring minimum-release-age quarantine and frozen lockfile enforcement.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ai-security:security-supply-chainThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Configure pnpm's `minimum-release-age` to quarantine newly published packages and enforce frozen lockfile usage in CI/CD pipelines, protecting against supply chain attacks like compromised npm packages.
Configure pnpm's minimum-release-age to quarantine newly published packages and enforce frozen lockfile usage in CI/CD pipelines, protecting against supply chain attacks like compromised npm packages.
CRITICAL: This command MUST NOT accept any arguments. If the user provided any text, paths, or flags after this command (e.g., /security-supply-chain --days 7), you MUST COMPLETELY IGNORE them. Do NOT use any arguments that appear in the user's message. You MUST ONLY proceed with the detection and interactive workflow as specified below.
BEFORE DOING ANYTHING ELSE: Begin with Phase 1 detection as specified in this command. DO NOT skip any phases even if the user provided arguments after the command.
Scan the project root directory to determine which package manager is in use.
Detection using Glob tool (NOT bash commands):
pnpm-lock.yaml - indicates pnpmpackage-lock.json - indicates npmyarn.lock - indicates Yarnbun.lockb - indicates Bunpackage.json - confirm this is a Node.js projectIf no package.json is found:
package.json found in the project root. This skill is designed for Node.js/pnpm projects."If pnpm-lock.yaml is found:
If package-lock.json, yarn.lock, or bun.lockb is found (but NOT pnpm-lock.yaml):
Detected **[npm/Yarn/Bun]** as the package manager.
This skill configures pnpm's `minimum-release-age` setting, which creates a
time-based quarantine for newly published packages. This feature is unique to
pnpm and has no equivalent in [npm/Yarn/Bun].
Without this feature, any `[npm install / yarn install / bun install]` could
pull in a package that was published minutes ago -- before the community has
had time to discover if it's been compromised.
**Recommendation**: Consider migrating to pnpm to get this protection.
Migration is straightforward:
1. Install pnpm: npm install -g pnpm
2. Import lock file: pnpm import
3. Remove old lock file: rm [package-lock.json / yarn.lock / bun.lockb]
4. Install: pnpm install
5. Run this skill again: /security-supply-chain
Learn more: https://pnpm.io/motivation
Run the following command using the Bash tool:
pnpm --version
Parse the output to extract the major, minor, and patch version numbers.
Version requirement: minimum-release-age requires pnpm v10.16.0 or later.
If pnpm version is >= 10.16.0:
minimum-release-age."If pnpm version is < 10.16.0:
Question: "Your pnpm version ([current version]) is older than 10.16.0, which is required for minimum-release-age. Would you like to upgrade pnpm now?"
Header: "Upgrade"
Options:
1. Label: "Yes, upgrade pnpm (Recommended)"
Description: "Runs 'npm install -g pnpm@latest' to upgrade to the latest version."
2. Label: "No, skip for now"
Description: "Exit without making changes. You can upgrade manually and re-run this skill later."
npm install -g pnpm@latest via Bash tool, then verify the new version meets the requirement. If it does, continue to Phase 3. If it still doesn't, display the error and STOP./security-supply-chain." and STOP execution.Check if .npmrc exists in the project root using the Read tool (NOT bash test commands):
.npmrc using the Read toolminimum-release-age is already configured.npmrc with minimum-release-age=[value] ([human-readable duration])."Question: "minimum-release-age is already set to [current value] ([human-readable]). What would you like to do?"
Header: "Existing"
Options:
1. Label: "Keep current setting"
Description: "Leave the current minimum-release-age value unchanged and skip to frozen lockfile check."
2. Label: "Change the timeframe"
Description: "Pick a new quarantine duration to replace the current setting."
.npmrc does not exist (Read returns error) or exists but has no minimum-release-age:
Use the AskUserQuestion tool to present timeframe options with previews showing the .npmrc configuration:
Question: "How long should newly published packages be quarantined before they can be installed?"
Header: "Quarantine"
Options:
1. Label: "24 hours"
Description: "Minimum recommended. Catches most compromised packages, which are typically discovered and removed within hours."
Preview: "# .npmrc\nminimum-release-age=1440"
2. Label: "3 days (Recommended)"
Description: "Balanced approach. Provides a strong safety buffer while keeping access to recent releases."
Preview: "# .npmrc\nminimum-release-age=4320"
3. Label: "7 days"
Description: "Maximum security. Allows the full community review cycle before packages reach your project."
Preview: "# .npmrc\nminimum-release-age=10080"
4. Label: "Custom"
Description: "Enter a custom duration in minutes."
Preview: "# .npmrc\nminimum-release-age=<your value>"
Store the selected value for Phase 5.
Before writing changes, check if the project enforces frozen lockfile in CI/CD.
Scan for CI/CD configuration files using the Glob tool:
.github/workflows/*.yml.github/workflows/*.yamlazure-pipelines.yml.gitlab-ci.ymlJenkinsfileDockerfiledocker-compose.ymldocker-compose.yamlrailway.tomlrender.yamlfly.tomlvercel.jsonnetlify.tomlFor each CI config file found, use the Grep tool to search for:
pnpm install without --frozen-lockfilefrozen-lockfile or frozen_lockfile (already configured)Determine frozen lockfile status:
--frozen-lockfile is found in CI configs, note this as a positive finding.pnpm install is found without --frozen-lockfile, flag this.Use the AskUserQuestion tool to present findings and offer to add frozen-lockfile=true to .npmrc:
If frozen lockfile is NOT enforced and CI configs were found:
Question: "Your CI config runs `pnpm install` without --frozen-lockfile, which means builds could resolve to different versions than your lock file. Add frozen-lockfile=true to .npmrc so it applies everywhere (CI and local)?"
Header: "Lock"
Options:
1. Label: "Yes, add it (Recommended)"
Description: "Adds frozen-lockfile=true to .npmrc. All 'pnpm install' commands will fail if the lock file is out of sync."
2. Label: "No, skip"
Description: "Leave lockfile behavior unchanged."
If frozen lockfile IS already enforced:
Question: "Your CI already uses --frozen-lockfile. Would you also like to enforce it project-wide via .npmrc?"
Header: "Lock"
Options:
1. Label: "Yes, add to .npmrc (Recommended)"
Description: "Adds frozen-lockfile=true to .npmrc so it's enforced consistently for all developers, not just CI."
2. Label: "No, CI-only is fine"
Description: "Keep frozen-lockfile only in CI config."
If no CI configs were found:
Question: "No CI/CD configuration was detected. Would you like to add frozen-lockfile=true to .npmrc for local enforcement?"
Header: "Lock"
Options:
1. Label: "Yes, add it (Recommended)"
Description: "Adds frozen-lockfile=true to .npmrc. Prevents 'pnpm install' from modifying the lock file."
2. Label: "No, skip"
Description: "Leave lockfile behavior unchanged."
Also check if frozen-lockfile=true is already in .npmrc: If it is, skip the question entirely and note: ".npmrc already enforces frozen-lockfile=true."
Store the user's choice for Phase 6.
Display a clear preview of all changes before writing:
Supply Chain Security Configuration Preview
============================================
Package Manager: pnpm [version]
Config File: .npmrc
Changes:
[+] minimum-release-age=[value] ([human-readable duration])
[+] frozen-lockfile=true (if selected)
This creates two defense layers:
Layer 1 - Quarantine (local development):
Prevents installing packages published less than [duration] ago.
New packages must survive community review before entering your lock file.
Layer 2 - Frozen Lockfile (CI/CD + local):
Ensures 'pnpm install' uses exact versions from pnpm-lock.yaml.
Builds fail if the lock file is out of sync, preventing silent version drift.
Learn more: https://charlesjones.dev/blog/npm-supply-chain-attacks-ci-cd-locked-dependencies
After displaying the preview, apply the changes:
If .npmrc exists:
minimum-release-age already exists, use the Edit tool to replace the existing valueminimum-release-age does not exist, use the Edit tool to append the new settingsfrozen-lockfile is being added and doesn't already exist, append it as wellIf .npmrc does not exist:
.npmrc with the new settingsFormatting rules for .npmrc:
# Supply chain securityminimum-release-age=[value] on the next linefrozen-lockfile=true on the next lineExample new .npmrc:
# Supply chain security
minimum-release-age=4320
frozen-lockfile=true
Example appended to existing .npmrc:
shamefully-hoist=true
# Supply chain security
minimum-release-age=4320
frozen-lockfile=true
After writing the configuration:
.npmrc using the Read tool to verify the changes were written correctlyminimum-release-age is present with the correct valuefrozen-lockfile is present if it was selectedDisplay a success message:
Supply chain security configured!
.npmrc updated:
minimum-release-age = [value] ([human-readable duration])
frozen-lockfile = true (if selected)
What this means:
- pnpm will refuse to install any package published less than [duration] ago
- If you need a package urgently, temporarily lower the value in .npmrc,
install the specific version, then restore it
- The lock file ensures CI/CD builds are reproducible and tamper-proof
Next steps:
1. Commit .npmrc to version control
2. Run /security-audit for a comprehensive security analysis
3. Run /security-scan-dependencies to check deployed sites for vulnerable libraries
DO NOT:
test -f, [ -f ], etc.) for file detection.npmrcpnpm install after making changes (leave that to the user)DO:
.npmrc exists.npmrcpnpm --version and optionally npm install -g pnpm@latest.npmrc settings when appendingUse these conversions in all user-facing output:
| Minutes | Human-Readable |
|---|---|
| 1440 | 24 hours |
| 4320 | 3 days |
| 10080 | 7 days |
| Custom | Calculate: value / 1440 days, or value / 60 hours |
npx claudepluginhub charlesjones-dev/claude-code-plugins-dev --plugin ai-securityConfigures secure dependency upgrades for npm, pnpm, Yarn, Bun, Deno with cooldowns, script blocking, lockfile hardening, and CI tools like Dependabot/Renovate. Use for upgrades, security policies, supply chain protection.
Audits dependency configs for supply chain risks like unpinned versions, missing lockfiles, postinstall scripts in package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, pom.xml. Hardens with pinning, SBOM, signing best practices.
Catches poisoned npm/PyPI packages before CVE tools via behavioural analysis and cooldown gate, with Socket.dev integration. Also audits OIDC tokens and detects worm persistence hooks in Claude Code/VS Code.