fix-dependency-security
Fix dependency security
End-to-end workflow for vulnerabilities, deprecations, and supply-chain install safety in Node/pnpm projects.
Principles
- Prefer real upgrades over silencing warnings (`allowedDeprecatedVersions`, ignoring `pnpm audit`).
- One source of policy for pnpm: `pnpm-workspace.yaml` (`overrides`, `minimumReleaseAge`, `blockExoticSubdeps`), not scattered `package.json` `pnpm` blocks.
- Wrap risky commands with SFW so malicious packages are blocked before download.
- Re-verify after every change: install → audit → type-check/lint.
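The following `pnpm-workspace.yaml` is an added example illustrating the "one source of policy" principle; it is not part of this skill's own files. It assumes a pnpm 10.x release that understands `minimumReleaseAge`, `minimumReleaseAgeExclude` and `blockExoticSubdeps` in the workspace file; the package names and version ranges are constructed placeholders, and `allowedDeprecatedVersions` is shown only as the setting to avoid.

```yaml
# pnpm-workspace.yaml (added example; package names below are placeholders)
packages:
  - "apps/*"
  - "packages/*"

# Supply-chain install safety.
# Refuse any version published less than 3 days (in minutes) ago, so a
# freshly pushed compromised release is not pulled in automatically.
minimumReleaseAge: 4320

# Exceptions must be explicit and reviewed; keep this list short.
minimumReleaseAgeExclude:
  - "@example-org/*"   # placeholder: first-party scope published by this team

# Transitive dependencies may only resolve from the registry, never from
# git URLs or tarball links that bypass registry provenance checks.
blockExoticSubdeps: true

# Vulnerability fixes.
# Pin a vulnerable transitive range to a patched release instead of
# suppressing the audit finding. Placeholder package and versions.
overrides:
  "example-vulnerable-pkg@<2.0.0": ">=2.0.0"

# Avoid: the setting below only hides the deprecation warning for a
# package that still needs replacing or upgrading. Left commented out
# to show the anti-pattern next to the preferred overrides above.
# allowedDeprecatedVersions:
#   example-deprecated-pkg: "*"
```

Keep every `pnpm`-specific policy in this one file and delete any `"pnpm": { "overrides": ... }` blocks from individual `package.json` files; with a single source, the re-verify loop (install, audit, type-check/lint) exercises the same policy every run and a reviewer can see all supply-chain rules in one diff.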