npm-security


Harden and audit Node dependency security

Author: theodrosyimer
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Many JavaScript projects are vulnerable to supply chain attacks, unsafe install scripts, lockfile tampering, and insecure publishing practices. This Skill helps developers and maintainers discover those risks in their repository configuration and provides actionable remediation steps to reduce attack surface and secure CI/publishing pipelines.

Core Features & Use Cases

  • Dual-mode operation: run a project audit that inspects package.json, lockfiles, CI configs and environment files, or use the reference mode to get best-practice guidance on a specific security topic.
  • Comprehensive checks: detects package manager, verifies postinstall script policies, enforces release cooldowns, validates lockfile integrity, ensures deterministic installs, flags blind upgrade scripts, recommends security tooling (npq, sfw), scans for plaintext secrets, and reviews publishing controls like provenance and OIDC.
  • Actionable fixes: for every failed check the Skill supplies the exact config snippet or command to fix the issue and suggests CI integration steps for automated enforcement.
  • Use cases: auditing a monorepo before onboarding contributors, vetting a new dependency before installation, hardening CI publish workflows, or adding lockfile validation to pipeline checks.
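As an added illustration of the pass/fail checklist the Skill is described as producing (example code written for this page, not the Skill's own implementation), the following Node script runs a handful of the listed checks over a constructed in-memory repository snapshot; the file contents and the token value are placeholders.

```javascript
// Added example (not the Skill's own code): a minimal pass/fail audit in the
// style the listing describes, run over an in-memory snapshot of a repository.
// Each check returns true when the repo passes and carries the fix to apply otherwise.
const LOCKFILES = ['package-lock.json', 'npm-shrinkwrap.json', 'pnpm-lock.yaml', 'yarn.lock'];
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

const CHECKS = [
  { id: 'lockfile-present',
    test: (repo) => LOCKFILES.some((f) => f in repo.files),
    fix: 'Run `npm install` once and commit package-lock.json so installs are reproducible' },
  { id: 'install-scripts-disabled',
    // Dependencies' lifecycle scripts run with the developer's privileges; disable them by default.
    test: (repo) => /^\s*ignore-scripts\s*=\s*true\s*$/m.test(repo.files['.npmrc'] || ''),
    fix: 'Add `ignore-scripts=true` to .npmrc and allow-list the few packages that truly need scripts' },
  { id: 'no-own-lifecycle-scripts',
    test: (repo) => {
      const scripts = JSON.parse(repo.files['package.json'] || '{}').scripts || {};
      return !LIFECYCLE.some((k) => k in scripts);
    },
    fix: 'Remove preinstall/install/postinstall from package.json scripts or document why each is required' },
  { id: 'ci-deterministic-install',
    // `npm install` may rewrite the lockfile in CI; `npm ci` fails instead of silently drifting.
    test: (repo) => Object.entries(repo.files)
      .filter(([path]) => path.startsWith('.github/workflows/'))
      .every(([, yaml]) => !/\bnpm install\b/.test(yaml)),
    fix: 'Replace `npm install` with `npm ci` in CI workflows' },
  { id: 'no-plaintext-registry-token',
    // A literal token in .npmrc is a committed secret; a ${VAR} reference is resolved at run time.
    test: (repo) => !/_authToken\s*=\s*(?!\$\{)\S+/.test(repo.files['.npmrc'] || ''),
    fix: 'Use //registry.npmjs.org/:_authToken=${NPM_TOKEN} and inject the value from CI secrets' },
];

// Returns one entry per check: { id, passed: true } or { id, passed: false, fix }.
function auditRepo(repo) {
  return CHECKS.map(({ id, test, fix }) => (test(repo) ? { id, passed: true } : { id, passed: false, fix }));
}

// Constructed sample repository (placeholder values, not taken from any real project).
const sampleRepo = {
  files: {
    'package.json': JSON.stringify({ name: 'demo-app', scripts: { postinstall: 'node setup.js', test: 'jest' } }),
    'package-lock.json': '{ "lockfileVersion": 3 }',
    '.npmrc': '//registry.npmjs.org/:_authToken=PLACEHOLDER_LITERAL_TOKEN\n',
    '.github/workflows/ci.yml': 'steps:\n  - run: npm install\n  - run: npm test\n',
  },
};

for (const r of auditRepo(sampleRepo)) console.log(r.passed ? `PASS ${r.id}` : `FAIL ${r.id}: ${r.fix}`);
```

On the sample above only the lockfile check passes; applying the four listed fixes makes every check pass.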

Quick Start

Audit this project's npm security posture and return a pass/fail checklist with specific fix commands for each failing item.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: npm-security
Download link: https://github.com/theodrosyimer/.dotfiles/archive/main.zip#npm-security

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
