- Home
- Skills
- Harperaa
- Secure Claude Skills
- Dependency Security
dependency-security_skill
- JavaScript
4
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill harperaa/secure-claude-skills --skill dependency-security- SKILL.md12.8 KB
Overview
This skill helps manage dependencies and secure the JavaScript/npm supply chain to prevent vulnerable or malicious packages from reaching production. It provides audit routines, update strategies, and practical safeguards like committing package-lock.json, using npm ci in CI, and scanning with tools such as npm audit and Snyk. Use it to enforce reproducible installs, catch known CVEs, and reduce the blast radius of supply chain attacks.
How this skill works
The skill runs automated checks (npm audit, npm outdated) and a scripted security-check that reports vulnerabilities and outdated packages. It recommends safe fixes (npm audit fix), documents risky options (npm audit fix --force), and embeds guardrails: package-lock.json, npm ci for CI installs, scoped registries for internal packages, and optional Snyk/Dependabot integration. It also defines routines for monthly updates and pre-deploy audits to ensure zero known vulnerabilities.
When to use it
- Before every production deploy (run npm audit --production)
- When adding or approving a new npm package
- During monthly dependency maintenance and patching
- Before and after major framework upgrades (e.g., Next.js)
- When setting up CI/CD or security scans (Dependabot, Snyk, npm audit)
Best practices
- Always commit package-lock.json to git to ensure reproducible installs
- Use npm ci in CI pipelines to install exactly the locked versions
- Run npm audit and fix reported vulnerabilities before deploy; require 0 production vulnerabilities
- Audit new packages manually: check downloads, maintainers, recent commits and look for typosquatting
- Avoid npm audit fix --force without tests and migration review; run full test suite after any major bumps
Example use cases
- Pre-deploy checklist: run bash scripts/security-check.sh, fix issues, and only deploy if npm audit --production shows 0 vulnerabilities
- Monthly maintenance: run npm outdated, update patch/minor versions, run npm audit, test, and commit package-lock.json
- CI pipeline: use npm ci, run npm audit --production, npx snyk test and fail builds on moderate+ vulnerabilities
- Migration: create an upgrade branch for major framework updates, follow the upgrade guide, run tests and staging verification
- Investigating a new package: review npm page and GitHub, check downloads and maintainers, install in a sandbox and run npm audit
FAQ
No. The recommended policy is to never deploy with known production vulnerabilities. Run npm audit --production and fix or mitigate issues before deployment.
When is npm audit fix --force acceptable?
Only use --force when you have a clear migration plan, have reviewed changelogs, run the full test suite, and manually verified the app in staging. It can introduce breaking changes.
How do I prevent dependency confusion for internal packages?
Use scoped package names and configure your .npmrc to point that scope to your internal registry. Do not publish internal packages to public npm.