Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From dependency-upgrade
Configures secure dependency upgrades for npm, pnpm, Yarn, Bun, Deno with cooldowns, script blocking, lockfile hardening, and CI tools like Dependabot/Renovate. Use for upgrades, security policies, supply chain protection.
npx claudepluginhub secondsky/claude-skills --plugin dependency-upgradeHow this skill is triggered — by the user, by Claude, or both
Slash command
/dependency-upgrade:dependency-upgradeThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Manage dependency upgrades with supply chain security, compatibility analysis, staged rollout, and comprehensive testing across all major package managers.
references/compatibility-matrix.mdreferences/cooldown-config-guide.mdreferences/package-manager-security.mdreferences/secrets-and-containers.mdreferences/staged-upgrades.mdreferences/supply-chain-security.mdreferences/testing-strategy.mdscripts/generate-dependency-upgrades.shtemplates/bunfig-security.tmpltemplates/dependabot-security.tmpltemplates/devcontainer-security.tmpltemplates/npmrc-security.tmpltemplates/pnpm-workspace-security.tmpltemplates/renovate-security.tmpltemplates/yarnrc-security.tmplAudits dependency configs for supply chain risks like unpinned versions, missing lockfiles, postinstall scripts in package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, pom.xml. Hardens with pinning, SBOM, signing best practices.
Manages third-party libraries, runtimes, and SaaS dependencies across package managers. Use when setting update cadences, responding to security advisories, evaluating new dependencies, or unblocking upgrades.
Audits and hardens third-party dependencies with npm audit, lockfiles, Dependabot, script blocking, and vulnerability monitoring. Useful for CI security gating and supply chain hardening.
Share bugs, ideas, or general feedback.
Manage dependency upgrades with supply chain security, compatibility analysis, staged rollout, and comprehensive testing across all major package managers.
Interactive — Walk through setup questions to generate tailored config. Use for fresh setup.
Default — Apply recommended defaults immediately: 7-day cooldown, block all scripts, frozen-lockfile, lockfile-lint, Dependabot with cooldown. Customization optional.
When the user wants tailored configuration, walk through these decisions. Skip this section entirely if using default mode.
Always ask these 3 questions before generating any config:
1. Package Manager
"Which package manager does this project use?"
| Answer | Generates |
|---|---|
| npm | .npmrc |
| Bun | bunfig.toml |
| pnpm | pnpm-workspace.yaml |
| Yarn | .yarnrc.yml |
| Deno | deno.json config |
2. Cooldown Period
"How many days should newly published packages age before install? This prevents supply chain attacks where malicious packages are discovered and unpublished within days."
| Option | Days | Use Case |
|---|---|---|
| Aggressive | 3 | Catches most typosquatting |
| Recommended | 7 | Good balance for most projects |
| Conservative | 14 | Critical/production systems |
| Paranoid | 21 | Matches Snyk's built-in default |
| Custom | N | User specifies |
3. Post-Install Script Policy
"How should lifecycle scripts (postinstall, preinstall) be handled? These are the #1 attack vector for supply chain attacks."
| Option | Behavior |
|---|---|
| Block all (recommended) | --ignore-scripts + allow-git=none |
| Allowlist | Block by default, allow specific trusted packages |
| Review only | Warn but don't block |
"Which of these security features would you like to configure? Select any that apply."
4. CI/CD Automation Tool
| Answer | Generates |
|---|---|
| Dependabot | .github/dependabot.yml with cooldown |
| Renovate | renovate.json with minimumReleaseAge |
| Snyk | No config needed (21-day cooldown built-in) |
| None | Skip |
5. Automerge Policy
| Option | Behavior |
|---|---|
| None | All updates require manual review |
| Minor+Patch only | Auto-merge safe updates, review majors |
| All with approval | Auto-merge after team approval |
6. Update Schedule
| Option | Config Value |
|---|---|
| Daily | "daily" |
| Weekly (default) | "weekly" |
| Biweekly | "biweekly" |
| Monthly | "monthly" |
7. Install-Time Auditing
| Option | Installs |
|---|---|
| npq | Pre-install package auditor (open source) |
| Socket Firewall (sfw) | Real-time malicious package blocker |
| Both | Both tools with shell aliases |
| None | Skip |
8. Lockfile Validation
| Option | Behavior |
|---|---|
| Yes (recommended) | Adds lockfile-lint + CI script |
| No | Skip |
"Would you like to configure any advanced options?"
9. Dev Containers — Generate hardened .devcontainer/devcontainer.json (Yes/No)
10. Secrets Manager — 1Password CLI / Infisical / None
11. pnpm Trust Policy — Enable trustPolicy: no-downgrade (pnpm 10.21+ only, Yes/No)
12. Cooldown Exclusions — Package names that bypass cooldown (e.g., @types/react, typescript, esbuild)
npm installnpm ci, --frozen-lockfile)lockfile-lint to detect injectionnpq or sfw to check packages before installingnpm update or npm-check-updates -u without reviewNewly published packages may contain malicious code discovered within hours. Configure a cooldown period to delay installation.
npm (.npmrc):
min-release-age=7
Bun (bunfig.toml):
[install]
minimumReleaseAge = 604800 # 7 days in seconds
minimumReleaseAgeExcludes = ["@types/bun", "typescript"]
pnpm (pnpm-workspace.yaml):
minimumReleaseAge: 10080 # 7 days in minutes
minimumReleaseAgeExclude:
- '@types/react'
- typescript
Yarn (.yarnrc.yml):
npmMinimalAgeGate: "7d"
npmPreapprovedPackages:
- "@types/react"
- "typescript"
Load references/cooldown-config-guide.md for detailed per-PM configuration, CI tool integration, and exclusion patterns.
Use templates/<pm>-security.tmpl for copy-paste ready config files.
Post-install scripts are the most common supply chain attack vector (Shai-Hulud, Nx, event-stream incidents).
npm:
npm config set ignore-scripts true
npm config set allow-git none
Bun: Disabled by default. Allow specific packages in package.json:
{ "trustedDependencies": ["esbuild", "sharp"] }
pnpm (10.0+): Disabled by default. Allow specific packages in pnpm-workspace.yaml:
allowBuilds:
esbuild: true
strictDepBuilds: true # Hard error on unreviewed scripts
Load references/package-manager-security.md for full per-PM hardening including pnpm trustPolicy, blockExoticSubdeps, and @lavamoat/allow-scripts.
Always use frozen install commands in CI to ensure reproducible builds:
| Package Manager | Command | What It Does |
|---|---|---|
| npm | npm ci | Deletes node_modules, installs exact lockfile versions |
| Bun | bun install --frozen-lockfile | Fails if lockfile is out of sync |
| pnpm | pnpm install --frozen-lockfile | Fails if lockfile is out of sync |
| Yarn | yarn install --immutable --immutable-cache | Validates lockfile and cache |
| Deno | deno install --frozen | Frozen installation |
Commit all lockfiles to version control: package-lock.json, bun.lock, pnpm-lock.yaml, yarn.lock, deno.lock.
Install and configure lockfile-lint to detect lockfile injection attacks:
npm install --save-dev lockfile-lint
{
"scripts": {
"lint:lockfile": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https",
"preinstall": "npm run lint:lockfile"
}
}
Note: lockfile-lint does not currently support Bun's bun.lock / bun.lockb formats.
npm install -g npq
npq install <package> # Audit before installing
npq install <package> --dry-run # Audit without installing
# Shell alias for seamless use
alias npm='npq-hero'
# Use with other PMs
NPQ_PKG_MGR=pnpm npq install <package>
NPQ_PKG_MGR=bun npq install <package>
npm install -g sfw
sfw npm install <package> # Blocks malicious packages
sfw pnpm add <package>
sfw yarn add <package>
Load references/supply-chain-security.md for full comparison of npq vs sfw and what each validates.
# Audit for vulnerabilities
bun audit # Bun
npm audit # npm
yarn audit # Yarn
# Check for outdated packages
bun outdated
npm outdated
# Interactive upgrade (safe — review each)
bunx npm-check-updates --interactive
# Analyze dependency tree
npm ls <package-name>
yarn why <package-name>
Upgrade one dependency at a time with testing between each:
# 1. Create feature branch
git checkout -b upgrade/<package>-<version>
# 2. Upgrade single package
bun add <package>@<version>
# 3. Test immediately
bun test && bunx tsc --noEmit && bun run build
# 4. Commit and continue
git add -A && git commit -m "chore: upgrade <package> to <version>"
Load references/staged-upgrades.md for codemod automation, custom migration scripts, and peer dependency handling.
Load references/compatibility-matrix.md for version compatibility tables (React 18/19, Next.js 13-15, TypeScript, Tailwind 3/4).
Configure CI/CD tools to respect cooldown periods:
.github/dependabot.yml)version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
renovate.json){
"extends": ["config:base"],
"minimumReleaseAge": "7 days",
"packageRules": [
{
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"minimumReleaseAge": "14 days"
}
]
}
Snyk includes a built-in 21-day cooldown for upgrade PRs. No configuration needed.
Use templates/dependabot-security.tmpl or templates/renovate-security.tmpl for complete config files.
For package maintainers:
# Enable 2FA
npm profile enable-2fa auth-and-writes
# Publish with provenance (cryptographic build proof)
npm publish --provenance
# Trusted publishing via OIDC (eliminates long-lived tokens)
# Configure on npmjs.com, then:
# In GitHub Actions: permissions: id-token: write
Load references/supply-chain-security.md for full publishing security guide including OIDC setup and dependency tree reduction.
Isolate dependency execution from the host system:
.env filesUse templates/devcontainer-security.tmpl for a hardened dev container config.
Load references/secrets-and-containers.md for dev container setup, secrets management, and dependency reduction patterns.
Run tests at every level after each upgrade:
# 1. Static analysis (fastest)
bunx tsc --noEmit && bun run lint
# 2. Unit tests
bun test
# 3. Build check
bun run build
# 4. Integration / E2E (after major upgrades)
bun run test:e2e
Load references/testing-strategy.md for full testing pyramid, CI integration, and bundle analysis.
#!/bin/bash
git stash
git checkout -b upgrade/<package>
bun add <package>@latest
if bun test && bun run build; then
git add package.json bun.lock
git commit -m "chore: upgrade <package>"
else
echo "Upgrade failed, rolling back"
git checkout main
git branch -D upgrade/<package>
bun install
fi
Pre-Upgrade:
- [ ] Review current dependency versions
- [ ] Read changelogs for breaking changes
- [ ] Create feature branch
- [ ] Tag current state (git tag pre-upgrade)
- [ ] Run full test suite (baseline)
- [ ] Verify cooldown period is configured
Security Pre-Checks:
- [ ] Post-install scripts are disabled
- [ ] Lockfile validation is active
- [ ] Install auditing tools configured (if applicable)
- [ ] CI uses frozen-lockfile install
During Upgrade:
- [ ] Upgrade one dependency at a time
- [ ] Respect cooldown period (don't force latest)
- [ ] Update peer dependencies
- [ ] Fix TypeScript errors
- [ ] Run test suite after each upgrade
- [ ] Check bundle size impact
Post-Upgrade:
- [ ] Full regression testing
- [ ] Performance testing
- [ ] Update documentation
- [ ] Deploy to staging
- [ ] Monitor for errors
- [ ] Deploy to production
npm update or npm-check-updates -u without reviewLoad these reference files when the user needs detailed information beyond the quick-reference in SKILL.md:
| Load This File | When |
|---|---|
references/cooldown-config-guide.md | Configuring cooldown for a specific PM, CI tool integration, or exclusion patterns |
references/package-manager-security.md | Full per-PM hardening guide including pnpm trust policy, blockExoticSubdeps, cross-PM cheat sheet |
references/supply-chain-security.md | Understanding attack vectors, incident history, npq vs sfw comparison, publisher security (2FA, provenance, OIDC) |
references/secrets-and-containers.md | Setting up dev containers, secrets management with 1Password/Infisical |
references/compatibility-matrix.md | Checking version compatibility for React, Next.js, TypeScript, Tailwind upgrades |
references/staged-upgrades.md | Codemod automation, custom migration scripts, peer dependency handling, workspace upgrades |
references/testing-strategy.md | Full testing pyramid, CI integration, bundle analysis, performance testing |
Ready-to-use config files in templates/:
| Template | Purpose |
|---|---|
npmrc-security.tmpl | Secure .npmrc with scripts disabled + cooldown |
bunfig-security.tmpl | Secure bunfig.toml with cooldown + exclusions |
pnpm-workspace-security.tmpl | Secure pnpm-workspace.yaml with cooldown, allowBuilds, trustPolicy |
yarnrc-security.tmpl | Secure .yarnrc.yml with age gate + preapproved packages |
dependabot-security.tmpl | Dependabot config with 7-day cooldown |
renovate-security.tmpl | Renovate config with minimumReleaseAge + automerge rules |
devcontainer-security.tmpl | Hardened dev container with security options |