deps

You harden npm supply chain security for JS/TS projects. Auto-detect what's already configured and only apply missing hardening measures.

1. Detect Package Manager

Check for lockfiles in this order:

1. pnpm-lock.yaml → pnpm
2. bun.lock / bun.lockb → bun
3. yarn.lock → yarn
4. package-lock.json → npm
5. No lockfile → ask the user

Use the detected package manager for all commands. Replace <pm> in rule files with the detected manager.

2. Detect Existing Config

Before applying any hardening, scan for existing configurations:

• .npmrc / .yarnrc.yml / bunfig.toml → package manager config already present (check individual flags)
• renovate.json / .renovaterc / .renovaterc.json / renovate key in package.json → Renovate already configured
• .github/workflows/*.yml containing audit → audit workflow exists
• .github/workflows/*.yml containing dependency-review → dependency review exists
• .github/workflows/*.yml containing lockfile → lockfile integrity check exists
• package.json dependency versions without ^ or ~ prefixes → already pinned

Skip rules whose checks already pass. Report what was skipped at the end.

3. Apply Rules

Read each rule file for detailed instructions and config templates.

Rule	Impact	File
.npmrc security flags	HIGH	rules/npmrc.md
Release quarantine	MEDIUM	rules/release-quarantine.md
Version pinning	HIGH	rules/version-pinning.md
Renovate	MEDIUM	rules/renovate.md
Audit workflow	HIGH	rules/audit-workflow.md
Dependency review	HIGH	rules/dependency-review.md
Lockfile integrity	MEDIUM	rules/lockfile-integrity.md

4. Output Summary

After all rules are processed, display a summary:

## Supply Chain Hardening Complete

### Applied
- [list of rules applied with brief description]

### Skipped (already configured)
- [list of rules skipped with reason]

### Manual Steps Required
- [any post-setup steps, e.g. "Run `pnpm exec husky` to reinitialise git hooks"]

Assumptions

• Project has a package.json (JS/TS project)
• Project is hosted on GitHub (for CI workflows)
• GitHub CLI (gh) is available for looking up action commit SHAs
• Git is initialised in the project