| name | dependency-upgrade |
| description | Secure dependency upgrades with supply chain protection, cooldowns, and staged rollout. Use when upgrading deps, configuring security policies, or preventing supply chain attacks. |
| license | MIT |
Dependency Upgrade
Manage dependency upgrades with supply chain security, compatibility analysis, staged rollout, and comprehensive testing across all major package managers.
When to Use This Skill
- Upgrading major framework or library versions
- Configuring supply chain attack prevention (cooldown, script blocking, lockfile hardening)
- Setting up secure package manager configuration
- Resolving dependency conflicts or peer dependency issues
- Planning incremental upgrade paths with testing
- Automating dependency updates with Renovate, Dependabot, or Snyk
- Auditing dependencies for vulnerabilities
- Setting up CI/CD dependency security workflows
Two Modes of Operation
Interactive — Walk through setup questions to generate tailored config. Use for fresh setup.
Default — Apply recommended defaults immediately: 7-day cooldown, block all scripts, frozen-lockfile, lockfile-lint, Dependabot with cooldown. Customization optional.
Interactive Setup Flow
When the user wants tailored configuration, walk through these decisions. Skip this section entirely if using default mode.
Tier 1: Required Decisions
Always ask these 3 questions before generating any config:
1. Package Manager
"Which package manager does this project use?"
| Answer | Generates |
|---|
| npm | .npmrc |
| Bun | bunfig.toml |
| pnpm | pnpm-workspace.yaml |
| Yarn | .yarnrc.yml |
| Deno | deno.json config |
2. Cooldown Period
"How many days should newly published packages age before install? This prevents supply chain attacks where malicious packages are discovered and unpublished within days."
| Option | Days | Use Case |
|---|
| Aggressive | 3 | Catches most typosquatting |
| Recommended | 7 | Good balance for most projects |
| Conservative | 14 | Critical/production systems |
| Paranoid | 21 | Matches Snyk's built-in default |
| Custom | N | User specifies |
3. Post-Install Script Policy
"How should lifecycle scripts (postinstall, preinstall) be handled? These are the #1 attack vector for supply chain attacks."
| Option | Behavior |
|---|
| Block all (recommended) | --ignore-scripts + allow-git=none |
| Allowlist | Block by default, allow specific trusted packages |
| Review only | Warn but don't block |
Tier 2: Security Tooling (Offer as Batch)
"Which of these security features would you like to configure? Select any that apply."
4. CI/CD Automation Tool
| Answer | Generates |
|---|
| Dependabot | .github/dependabot.yml with cooldown |
| Renovate | renovate.json with minimumReleaseAge |
| Snyk | No config needed (21-day cooldown built-in) |
| None | Skip |
5. Automerge Policy
| Option | Behavior |
|---|
| None | All updates require manual review |
| Minor+Patch only | Auto-merge safe updates, review majors |
| All with approval | Auto-merge after team approval |
6. Update Schedule
| Option | Config Value |
|---|
| Daily | "daily" |
| Weekly (default) | "weekly" |
| Biweekly | "biweekly" |
| Monthly | "monthly" |
7. Install-Time Security Tooling
"Which security tools should protect dependency installation?"
| Option | Free? | What It Does |
|---|
| socket npm wrapper | Yes (beta) | Wraps npm/npx, blocks malicious packages before install. Run socket wrapper on to enable system-wide. |
| npq | Yes | Pre-install auditor (CVE, typosquat, age, provenance checks) |
| Socket Firewall (sfw) | No | Real-time deep analysis, blocks malicious packages |
| socket npm + npq | Yes | Both free tools combined |
| None | — | Skip |
Load references/socket-cli-guide.md for full Socket CLI setup including authentication and free vs authenticated features.
8. Lockfile Validation
| Option | Behavior |
|---|
| Yes (recommended) | Adds lockfile-lint + CI script |
| No | Skip |
Tier 3: Advanced Options (Only If User Opts In)
"Would you like to configure any advanced options?"
9. Dev Containers — Generate hardened .devcontainer/devcontainer.json (Yes/No)
10. Secrets Manager — 1Password CLI / Infisical / None
11. pnpm Trust Policy — Enable trustPolicy: no-downgrade (pnpm 10.21+ only, Yes/No)
12. Cooldown Exclusions — Package names that bypass cooldown (e.g., @types/react, typescript, esbuild)
Security-First Upgrade Principles
- Cooldown before installing — Wait 7 days for new package versions to be vetted by the community
- Block post-install scripts — Prevent arbitrary code execution during
npm install
- Freeze lockfiles in CI — Use deterministic installs (
npm ci, --frozen-lockfile)
- Validate lockfile integrity — Use
lockfile-lint to detect injection
- Audit before trusting — Use
npq or Socket CLI to check packages before installing
- Upgrade incrementally — One major version at a time with testing between each
- Never blindly upgrade — Avoid
npm update or npm-check-updates -u without review
- Scan before and after — Use
socket scan to detect supply chain issues beyond CVEs
Cooldown Period: Prevent Supply Chain Attacks
Newly published packages may contain malicious code discovered within hours. Configure a cooldown period to delay installation.
Quick Setup
npm (.npmrc):
min-release-age=7
Bun (bunfig.toml):
[install]
minimumReleaseAge = 604800
minimumReleaseAgeExcludes = ["@types/bun", "typescript"]
pnpm (pnpm-workspace.yaml):
minimumReleaseAge: 10080
minimumReleaseAgeExclude:
- '@types/react'
- typescript
Yarn (.yarnrc.yml):
npmMinimalAgeGate: "7d"
npmPreapprovedPackages:
- "@types/react"
- "typescript"
Load references/cooldown-config-guide.md for detailed per-PM configuration, CI tool integration, and exclusion patterns.
Use templates/<pm>-security.tmpl for copy-paste ready config files.
Disable Post-Install Scripts
Post-install scripts are the most common supply chain attack vector (Shai-Hulud, Nx, event-stream incidents).
Quick Setup
npm:
npm config set ignore-scripts true
npm config set allow-git none
Bun: Disabled by default. Allow specific packages in package.json:
{ "trustedDependencies": ["esbuild", "sharp"] }
pnpm (10.0+): Disabled by default. Allow specific packages in pnpm-workspace.yaml:
allowBuilds:
esbuild: true
strictDepBuilds: true
Load references/package-manager-security.md for full per-PM hardening including pnpm trustPolicy, blockExoticSubdeps, and @lavamoat/allow-scripts.
Deterministic & Frozen Installs
Always use frozen install commands in CI to ensure reproducible builds:
| Package Manager | Command | What It Does |
|---|
| npm | npm ci | Deletes node_modules, installs exact lockfile versions |
| Bun | bun install --frozen-lockfile | Fails if lockfile is out of sync |
| pnpm | pnpm install --frozen-lockfile | Fails if lockfile is out of sync |
| Yarn | yarn install --immutable --immutable-cache | Validates lockfile and cache |
| Deno | deno install --frozen | Frozen installation |
Commit all lockfiles to version control: package-lock.json, bun.lock, pnpm-lock.yaml, yarn.lock, deno.lock.
Lockfile Validation
Install and configure lockfile-lint to detect lockfile injection attacks:
npm install --save-dev lockfile-lint
{
"scripts": {
"lint:lockfile": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https",
"preinstall": "npm run lint:lockfile"
}
}
Note: lockfile-lint does not currently support Bun's bun.lock / bun.lockb formats.
Pre-Install Security Auditing
npq — Pre-Install Auditor
npm install -g npq
npq install <package>
npq install <package> --dry-run
alias npm='npq-hero'
NPQ_PKG_MGR=pnpm npq install <package>
NPQ_PKG_MGR=bun npq install <package>
Socket Firewall (sfw) — Real-Time Blocker
npm install -g sfw
sfw npm install <package>
sfw pnpm add <package>
sfw yarn add <package>
Load references/supply-chain-security.md for full comparison of npq vs sfw and what each validates.
Socket CLI Integration
Socket CLI provides proactive supply chain security beyond basic vulnerability scanning — covering malware detection, typosquatting, protestware, install script risks, and license compliance.
Proactive Upgrade Workflow
1. PRE-UPGRADE: socket scan create --report → establish baseline
2. EVALUATE: socket package score npm <pkg>@<ver> → assess target package safety
3. SAFE INSTALL: socket npm install <pkg> → block malicious packages
4. POST-UPGRADE: socket scan create --report → verify no new alerts
5. DIFF: socket scan diff <before> <after> → see exactly what changed
6. FIX: socket fix --minimum-release-age 7d → auto-fix any new CVEs
7. OPTIMIZE: socket optimize → apply security overrides
Quick Reference
npm install -g socket
socket login
socket package score npm <package>
socket scan create --report
socket fix --minimum-release-age 7d
socket ci
socket wrapper on
Load references/socket-cli-guide.md for comprehensive command reference, CI workflow templates, alert categories, and free vs authenticated feature matrix.
Dependency Analysis
bun audit
npm audit
yarn audit
socket package score npm <package>
socket scan create --report
bun outdated
npm outdated
bunx npm-check-updates --interactive
npm ls <package-name>
yarn why <package-name>
Staged Upgrade Strategy
Upgrade one dependency at a time with testing between each:
git checkout -b upgrade/<package>-<version>
socket scan create --report
socket package score npm <package>@<version>
bun add <package>@<version>
bun test && bunx tsc --noEmit && bun run build
socket scan create --report
git add -A && git commit -m "chore: upgrade <package> to <version>"
Load references/staged-upgrades.md for codemod automation, custom migration scripts, and peer dependency handling.
Load references/compatibility-matrix.md for version compatibility tables (React 18/19, Next.js 13-15, TypeScript, Tailwind 3/4).
Automated Updates with Cooldown
Configure CI/CD tools to respect cooldown periods:
Dependabot (.github/dependabot.yml)
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
Renovate (renovate.json)
{
"extends": ["config:base"],
"minimumReleaseAge": "7 days",
"packageRules": [
{
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"minimumReleaseAge": "14 days"
}
]
}
Snyk
Snyk includes a built-in 21-day cooldown for upgrade PRs. No configuration needed.
Socket Fix (complements Dependabot/Renovate)
Socket Fix automatically resolves CVEs with intelligent upgrade planning. Runs alongside other automation tools — it focuses on CVE remediation specifically:
socket fix --minimum-release-age 7d
socket fix --minimum-release-age 7d --no-major-updates
socket fix --id GHSA-hhq3-ff78-jv3g --minimum-release-age 7d
socket fix --no-apply-fixes --minimum-release-age 7d
For CI autopilot mode (auto-creates and auto-merges fix PRs), use templates/socket-fix-ci.tmpl.
Load references/socket-cli-guide.md for full socket fix options including --autopilot, --range-style, and --pr-limit.
Use templates/dependabot-security.tmpl or templates/renovate-security.tmpl for complete config files.
Publishing Security
For package maintainers:
npm profile enable-2fa auth-and-writes
npm publish --provenance
Load references/supply-chain-security.md for full publishing security guide including OIDC setup and dependency tree reduction.
Dev Environment Hardening
Isolate dependency execution from the host system:
- Dev containers — limit blast radius of malicious packages
- Secrets management — use 1Password CLI or Infisical instead of plaintext
.env files
- Dependency tree reduction — replace common packages with native JS
Use templates/devcontainer-security.tmpl for a hardened dev container config.
Load references/secrets-and-containers.md for dev container setup, secrets management, and dependency reduction patterns.
Testing Strategy
Run tests at every level after each upgrade:
bunx tsc --noEmit && bun run lint
bun test
bun run build
bun run test:e2e
Load references/testing-strategy.md for full testing pyramid, CI integration, and bundle analysis.
Rollback Plan
#!/bin/bash
git stash
git checkout -b upgrade/<package>
bun add <package>@latest
if bun test && bun run build; then
git add package.json bun.lock
git commit -m "chore: upgrade <package>"
else
echo "Upgrade failed, rolling back"
git checkout main
git branch -D upgrade/<package>
bun install
fi
Upgrade Checklist
Pre-Upgrade:
- [ ] Review current dependency versions
- [ ] Read changelogs for breaking changes
- [ ] Create feature branch
- [ ] Tag current state (git tag pre-upgrade)
- [ ] Run full test suite (baseline)
- [ ] Verify cooldown period is configured
Security Pre-Checks:
- [ ] Post-install scripts are disabled
- [ ] Lockfile validation is active
- [ ] Install auditing tools configured (if applicable)
- [ ] CI uses frozen-lockfile install
- [ ] Run `socket scan create --report` for baseline (if Socket available)
During Upgrade:
- [ ] Upgrade one dependency at a time
- [ ] Check target package: `socket package score npm <pkg>` (if Socket available)
- [ ] Respect cooldown period (don't force latest)
- [ ] Update peer dependencies
- [ ] Fix TypeScript errors
- [ ] Run test suite after each upgrade
- [ ] Check bundle size impact
Post-Upgrade:
- [ ] Post-upgrade scan: `socket scan diff` to verify no new alerts (if Socket available)
- [ ] Consider `socket fix --minimum-release-age 7d` for any new CVEs
- [ ] Full regression testing
- [ ] Performance testing
- [ ] Update documentation
- [ ] Deploy to staging
- [ ] Monitor for errors
- [ ] Deploy to production
Common Pitfalls
- Upgrading all dependencies at once (use incremental upgrades)
- Blindly running
npm update or npm-check-updates -u without review
- Not testing after each individual upgrade
- Ignoring peer dependency warnings
- Forgetting to update or commit the lock file
- Not reading breaking change notes in changelogs
- Skipping major versions instead of stepping through them
- Not having a rollback plan
- Trusting npmjs.org displayed source code (can differ from actual tarball)
- Leaving post-install scripts enabled (most common attack vector)
- Not configuring a cooldown period for new package versions
When to Load References
Load these reference files when the user needs detailed information beyond the quick-reference in SKILL.md:
| Load This File | When |
|---|
references/cooldown-config-guide.md | Configuring cooldown for a specific PM, CI tool integration, or exclusion patterns |
references/package-manager-security.md | Full per-PM hardening guide including pnpm trust policy, blockExoticSubdeps, cross-PM cheat sheet |
references/supply-chain-security.md | Understanding attack vectors, incident history, npq vs sfw vs Socket CLI comparison, publisher security (2FA, provenance, OIDC) |
references/secrets-and-containers.md | Setting up dev containers, secrets management with 1Password/Infisical |
references/socket-cli-guide.md | Using Socket CLI for scans, fixes, package scoring, CI integration, wrapper mode, alert categories |
references/compatibility-matrix.md | Checking version compatibility for React, Next.js, TypeScript, Tailwind upgrades |
references/staged-upgrades.md | Codemod automation, custom migration scripts, peer dependency handling, workspace upgrades |
references/testing-strategy.md | Full testing pyramid, CI integration, bundle analysis, performance testing |
Template Files
Ready-to-use config files in templates/:
| Template | Purpose |
|---|
npmrc-security.tmpl | Secure .npmrc with scripts disabled + cooldown |
bunfig-security.tmpl | Secure bunfig.toml with cooldown + exclusions |
pnpm-workspace-security.tmpl | Secure pnpm-workspace.yaml with cooldown, allowBuilds, trustPolicy |
yarnrc-security.tmpl | Secure .yarnrc.yml with age gate + preapproved packages |
dependabot-security.tmpl | Dependabot config with 7-day cooldown |
renovate-security.tmpl | Renovate config with minimumReleaseAge + automerge rules |
devcontainer-security.tmpl | Hardened dev container with security options |
socket-fix-ci.tmpl | GitHub Actions: Socket Fix autopilot with cooldown-aligned CVE remediation |
socket-scan-ci.tmpl | GitHub Actions: Socket CI security gate for every push/PR |