| name | dependencies |
| description | Dependency management scenarios: adding, installing, updating, removing, auditing, or configuring packages; choosing npm, pnpm, bun, uv, pip, cargo, or another package manager; reviewing lockfiles; diagnosing dependency install issues. |
dependencies
Use this skill whenever dependency changes or package-manager installs are involved. Prefer the smallest dependency surface that solves the task.
Start with the machine configuration check
Before adding, installing, updating, or removing dependencies, run the read-only checker from this skill directory:
python3 scripts/dependency_config_check.py [--json]
Read the output and tell the user about warnings that affect the requested dependency operation. The script resolves npm, pnpm, Bun, uv, and pip config paths from the current platform and environment, explains which machine-wide dependency-safety settings are present, and warns when the recommended hardening baseline is missing. It never modifies files.
Dependency-change workflow
The local dependency hardening setup is intentionally strict and not fully finalized. If it clearly breaks a normal workflow, report the specific failing setting/tool to the user and propose concrete options, such as a one-command bypass, a project-local exception, a temporary config relaxation, or using a safer older/pinned version.
- Identify the existing package manager from lockfiles and project files; do not switch package managers unless the user asks. When a Node.js project does not already standardize on a package manager, prefer pnpm over npm when possible.
- Prefer no new dependency when a small standard-library or existing-project solution is enough.
- If a dependency is needed, explain why this dependency is worth the added attack surface.
- Avoid installing brand-new releases unless there is a clear reason, such as a security fix.
- Avoid
npx, pnpm dlx, and bunx for unreviewed packages because one-shot executors can bypass normal project review habits and may not respect every release-age policy.
- Review install-script, Git, GitHub, tarball, and direct-URL dependencies carefully before installing.
- Pin newly added direct dependencies to exact versions when the package manager and project policy allow it; upgrades should be deliberate.
- Commit lockfiles for applications and workspaces unless the project explicitly documents a different policy.
- In CI or production instructions, prefer clean/frozen installs:
npm ci, pnpm install --frozen-lockfile, bun install --frozen-lockfile, or uv sync --locked.
- After changing dependencies, run the narrowest relevant tests and package-manager checks available in the project.
Socket Firewall wrapper
When available, prefer running supported package managers through Socket Firewall Free (sfw) for an additional malicious-package screening layer:
sfw npm install
sfw pnpm add <package>
sfw pip install -r requirements.txt
sfw uv sync
sfw cargo fetch
Interactive shells may alias supported commands to sfw, for example alias npm="sfw npm". If an alias or sfw itself appears to be causing an unrelated workflow failure, tell the user and suggest a scoped workaround instead of silently bypassing it.
Recommended machine hardening baseline
Do not apply global configuration automatically. When the user asks to configure the machine, first review each setting with its file path, value, protection, and likely breakage risk; then wait for explicit approval.
Recommended current-user global settings:
- npm
~/.npmrc
min-release-age=7 — avoid package versions published in the last 7 days.
ignore-scripts=true — block dependency lifecycle scripts by default.
allow-git=none — block Git dependencies.
save-exact=true — save newly added dependencies as exact versions.
- pnpm global config file; prefer
pnpm config set --global <key> <value> over editing a path directly. To inspect the path, use pnpm config get globalconfig when available. Common paths are $XDG_CONFIG_HOME/pnpm/config.yaml, ~/Library/Preferences/pnpm/config.yaml on macOS, %LOCALAPPDATA%\\pnpm\\config\\config.yaml on Windows, and ~/.config/pnpm/config.yaml on Linux.
minimumReleaseAge: 10080 — avoid package versions published in the last 7 days.
minimumReleaseAgeStrict: true — fail instead of falling back to too-new versions.
blockExoticSubdeps: true — prevent transitive Git and direct tarball dependencies.
trustPolicy: no-downgrade — fail when package publishing trust evidence regresses.
saveExact: true — save newly added dependencies as exact versions.
- Bun global config file; use
~/.bunfig.toml or $XDG_CONFIG_HOME/.bunfig.toml on Unix-like systems. On Windows, use the Bun user config location documented by the installed Bun version.
[install] minimumReleaseAge = 604800 — avoid package versions published in the last 7 days.
[install] exact = true — save newly added dependencies as exact versions.
- uv user config file; use
~/.config/uv/uv.toml on Unix-like systems or %APPDATA%\\uv\\uv.toml on Windows.
exclude-newer = "1 week" — avoid package artifacts uploaded in the last week.
index-strategy = "first-index" — keep uv's dependency-confusion-safe index behavior explicit.
no-build = true — avoid building source distributions.
no-sources = true — ignore Git, URL, path, and workspace sources during resolution.
prerelease = "disallow" — avoid prereleases unless a project or command explicitly overrides it.
add-bounds = "exact" — add newly added dependencies with exact pins.
- pip user config file; use
~/.config/pip/pip.conf on Unix-like systems or %APPDATA%\\pip\\pip.ini on Windows. pip has no release-age gate or global exact-pin policy.
require-hashes = true under [global] — require hashes for requirements-file installs.
only-binary = :all: under [global] — avoid source distributions.
Stricter optional settings:
- npm
allow-remote=none — block remote tarball dependencies; can break projects that intentionally use tarballs.
- Bun
[install] ignoreScripts = true — block all install lifecycle scripts, including project scripts and trusted dependencies; can break legitimate installs.
User-facing warning style
When the checker reports missing hardening, keep the warning actionable and scoped to the current task:
Dependency safety warning: npm does not have min-release-age set in ~/.npmrc, so npm may install packages immediately after publication. For this install, prefer an older pinned version or review the package before proceeding.
Do not expose secrets from package-manager configuration files. If auth tokens appear in output or files, summarize their presence without printing values.