| name | dependency-upgrade |
| description | Secure dependency upgrades with supply chain protection, cooldowns, and staged rollout. Use when upgrading deps, configuring security policies, or preventing supply chain attacks. |
| license | GPL-3.0 |
Dependency Upgrade
Related Skills
- sap-hana-cli: For dependency-aware database tooling workflows and upgrade guidance
- sap-cap-capire: For CAP dependency-safe runtime and service configuration guidance
- sap-fiori-tools: For secure UI5/Fiori dependency strategy when tooling touches frontend packages
Manage dependency upgrades with supply chain security, compatibility analysis, staged rollout, and comprehensive testing across all major package managers.
When to Use This Skill
- Upgrading major framework or library versions
- Configuring supply chain attack prevention (cooldown, script blocking, lockfile hardening)
- Setting up secure package manager configuration
- Resolving dependency conflicts or peer dependency issues
- Planning incremental upgrade paths with testing
- Automating dependency updates with Renovate, Dependabot, or Snyk
- Auditing dependencies for vulnerabilities
- Setting up CI/CD dependency security workflows
Two Modes of Operation
Interactive — Walk through setup questions to generate tailored config. Use for fresh setup.
Default — Apply recommended defaults immediately: 7-day cooldown, block all scripts, frozen-lockfile, lockfile-lint, Dependabot with cooldown. Customization optional.
Interactive Setup Flow
When the user wants tailored configuration, walk through these decisions. Skip this section entirely if using default mode.
Tier 1: Required Decisions
Always ask these 3 questions before generating any config:
1. Package Manager
"Which package manager does this project use?"
| Answer | Generates |
|---|
| npm | .npmrc |
| Bun | bunfig.toml |
| pnpm | pnpm-workspace.yaml |
| Yarn | .yarnrc.yml |
| Deno | deno.json config |
2. Cooldown Period
"How many days should newly published packages age before install? This prevents supply chain attacks where malicious packages are discovered and unpublished within days."
| Option | Days | Use Case |
|---|
| Aggressive | 3 | Catches most typosquatting |
| Recommended | 7 | Good balance for most projects |
| Conservative | 14 | Critical/production systems |
| Paranoid | 21 | Matches Snyk's built-in default |
| Custom | N | User specifies |
3. Post-Install Script Policy
"How should lifecycle scripts (postinstall, preinstall) be handled? These are the #1 attack vector for supply chain attacks."
| Option | Behavior |
|---|
| Block all (recommended) | --ignore-scripts + allow-git=none |
| Allowlist | Block by default, allow specific trusted packages |
| Review only | Warn but don't block |
Tier 2: Security Tooling (Offer as Batch)
"Which of these security features would you like to configure? Select any that apply."
4. CI/CD Automation Tool
| Answer | Generates |
|---|
| Dependabot | .github/dependabot.yml with cooldown |
| Renovate | renovate.json with minimumReleaseAge |
| Snyk | No config needed (21-day cooldown built-in) |
| None | Skip |
5. Automerge Policy
| Option | Behavior |
|---|
| None | All updates require manual review |
| Minor+Patch only | Auto-merge safe updates, review majors |
| All with approval | Auto-merge after team approval |
6. Update Schedule
| Option | Config Value |
|---|
| Daily | "daily" |
| Weekly (default) | "weekly" |
| Biweekly | "biweekly" |
| Monthly | "monthly" |
7. Install-Time Security Tooling
"Which security tools should protect dependency installation?"
| Option | Free? | What It Does |
|---|
| socket npm wrapper | Yes (beta) | Wraps npm/npx, blocks malicious packages before install. Run socket wrapper on to enable system-wide. |
| npq | Yes | Pre-install auditor (CVE, typosquat, age, provenance checks) |
| Socket Firewall (sfw) | No | Real-time deep analysis, blocks malicious packages |
| socket npm + npq | Yes | Both free tools combined |
| None | — | Skip |
Load references/socket-cli-guide.md for full Socket CLI setup including authentication and free vs authenticated features.
8. Lockfile Validation
| Option | Behavior |
|---|
| Yes (recommended) | Adds lockfile-lint + CI script |
| No | Skip |
Tier 3: Advanced Options (Only If User Opts In)
"Would you like to configure any advanced options?"
9. Dev Containers — Generate hardened .devcontainer/devcontainer.json (Yes/No)
10. Secrets Manager — 1Password CLI / Infisical / None
11. pnpm Trust Policy — Enable trustPolicy: no-downgrade (pnpm 10.21+ only, Yes/No)
12. Cooldown Exclusions — Package names that bypass cooldown (e.g., @types/react, typescript, esbuild)
Security-First Upgrade Principles
- Cooldown before installing — Wait 7 days for new package versions to be vetted by the community
- Block post-install scripts — Prevent arbitrary code execution during
npm install
- Freeze lockfiles in CI — Use deterministic installs (
npm ci, --frozen-lockfile)
- Validate lockfile integrity — Use
lockfile-lint to detect injection
- Audit before trusting — Use
npq or Socket CLI to check packages before installing
- Upgrade incrementally — One major version at a time with testing between each
- Never blindly upgrade — Avoid
npm update or npm-check-updates -u without review
- Scan before and after — Use
socket scan to detect supply chain issues beyond CVEs
Cooldown Period: Prevent Supply Chain Attacks
Newly published packages may contain malicious code discovered within hours. Configure a cooldown period to delay installation.
Quick Setup
npm (.npmrc):
min-release-age=7
Bun (bunfig.toml):
[install]
minimumReleaseAge = 604800
minimumReleaseAgeExcludes = ["@types/bun", "typescript"]
pnpm (pnpm-workspace.yaml):
minimumReleaseAge: 10080
minimumReleaseAgeExclude:
- '@types/react'
- typescript
Yarn (.yarnrc.yml):
npmMinimalAgeGate: "7d"
npmPreapprovedPackages:
- "@types/react"
- "typescript"
Load references/cooldown-config-guide.md for detailed per-PM configuration, CI tool integration, and exclusion patterns.
Use templates/<pm>-security.tmpl for copy-paste ready config files.
Disable Post-Install Scripts
Post-install scripts are the most common supply chain attack vector (Shai-Hulud, Nx, event-stream incidents).
Quick Setup
npm:
npm config set ignore-scripts true
npm config set allow-git none
Bun: Disabled by default. Allow specific packages in package.json:
{ "trustedDependencies": ["esbuild", "sharp"] }
pnpm (10.0+): Disabled by default. Allow specific packages in pnpm-workspace.yaml:
allowBuilds:
esbuild: true
strictDepBuilds: true
Load references/package-manager-security.md for full per-PM hardening including pnpm trustPolicy, blockExoticSubdeps, and @lavamoat/allow-scripts.
Deterministic & Frozen Installs
Always use frozen install commands in CI to ensure reproducible builds:
| Package Manager | Command | What It Does |
|---|
| npm | npm ci | Deletes node_modules, installs exact lockfile versions |
| Bun | bun install --frozen-lockfile | Fails if lockfile is out of sync |
| pnpm | pnpm install --frozen-lockfile | Fails if lockfile is out of sync |
| Yarn | yarn install --immutable --immutable-cache | Validates lockfile and cache |
| Deno | deno install --frozen | Frozen installation |
Commit all lockfiles to version control: package-lock.json, bun.lock, pnpm-lock.yaml, yarn.lock, deno.lock.
Lockfile Validation
Install and configure lockfile-lint to detect lockfile injection attacks:
npm install --save-dev lockfile-lint
{
"scripts": {
"lint:lockfile": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https",
"preinstall": "npm run lint:lockfile"
}
}
Note: lockfile-lint does not currently support Bun's bun.lock / bun.lockb formats.
Pre-Install Security Auditing
npq — Pre-Install Auditor
npm install -g npq
npq install <package>
npq install <package> --dry-run
alias npm='npq-hero'
NPQ_PKG_MGR=pnpm npq install <package>
NPQ_PKG_MGR=bun npq install <package>
Socket Firewall (sfw) — Real-Time Blocker
npm install -g sfw
sfw npm install <package>
sfw pnpm add <package>
sfw yarn add <package>
Load references/supply-chain-security.md for full comparison of npq vs sfw and what each validates.
Socket CLI Integration
Socket CLI provides proactive supply chain security beyond basic vulnerability scanning — covering malware detection, typosquatting, protestware, install script risks, and license compliance.
Proactive Upgrade Workflow
1. PRE-UPGRADE: socket scan create --report → establish baseline
2. EVALUATE: socket package score npm <pkg>@<ver> → assess target package safety
3. SAFE INSTALL: socket npm install <pkg> → block malicious packages
4. POST-UPGRADE: socket scan create --report → verify no new alerts
5. DIFF: socket scan diff <before> <after> → see exactly what changed
6. FIX: socket fix --minimum-release-age 7d → auto-fix any new CVEs
7. OPTIMIZE: socket optimize → apply security overrides
Quick Reference
npm install -g socket
socket login
socket package score npm <package>
socket scan create --report
socket fix --minimum-release-age 7d
socket ci
socket wrapper on
Load references/socket-cli-guide.md for comprehensive command reference, CI workflow templates, alert categories, and free vs authenticated feature matrix.
Dependency Analysis
bun audit
npm audit
yarn audit
socket package score npm <package>
socket scan create --report
bun outdated
npm outdated
bunx npm-check-updates --interactive
npm ls <package-name>
yarn why <package-name>
Staged Upgrade Strategy
Upgrade one dependency at a time with testing between each:
git checkout -b upgrade/<package>-<version>
socket scan create --report
socket package score npm <package>@<version>
bun add <package>@<version>
bun test && bunx tsc --noEmit && bun run build
socket scan create --report
git add -A && git commit -m "chore: upgrade <package> to <version>"
Load references/staged-upgrades.md for codemod automation, custom migration scripts, and peer dependency handling.
Load references/compatibility-matrix.md for version compatibility tables (React 18/19, Next.js 13-15, TypeScript, Tailwind 3/4).
Automated Updates with Cooldown
Configure CI/CD tools to respect cooldown periods:
Dependabot (.github/dependabot.yml)
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
Renovate (renovate.json)
{
"extends": ["config:base"],
"minimumReleaseAge": "7 days",
"packageRules": [
{
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"minimumReleaseAge": "14 days"
}
]
}
Snyk
Snyk includes a built-in 21-day cooldown for upgrade PRs. No configuration needed.
Socket Fix (complements Dependabot/Renovate)
Socket Fix automatically resolves CVEs with intelligent upgrade planning. Runs alongside other automation tools — it focuses on CVE remediation specifically:
socket fix --minimum-release-age 7d
socket fix --minimum-release-age 7d --no-major-updates
socket fix --id GHSA-hhq3-ff78-jv3g --minimum-release-age 7d
socket fix --no-apply-fixes --minimum-release-age 7d
For CI autopilot mode (auto-creates and auto-merges fix PRs), use templates/socket-fix-ci.tmpl.
Load references/socket-cli-guide.md for full socket fix options including --autopilot, --range-style, and --pr-limit.
Use templates/dependabot-security.tmpl or templates/renovate-security.tmpl for complete config files.
Publishing Security
For package maintainers:
npm profile enable-2fa auth-and-writes
npm publish --provenance
Load references/supply-chain-security.md for full publishing security guide including OIDC setup and dependency tree reduction.
Dev Environment Hardening
Isolate dependency execution from the host system:
- Dev containers — limit blast radius of malicious packages
- Secrets management — use 1Password CLI or Infisical instead of plaintext
.env files
- Dependency tree reduction — replace common packages with native JS
Use templates/devcontainer-security.tmpl for a hardened dev container config.
Load references/secrets-and-containers.md for dev container setup, secrets management, and dependency reduction patterns.
Testing Strategy
Run tests at every level after each upgrade:
bunx tsc --noEmit && bun run lint
bun test
bun run build
bun run test:e2e
Load references/testing-strategy.md for full testing pyramid, CI integration, and bundle analysis.
Rollback Plan
#!/bin/bash
git stash
git checkout -b upgrade/<package>
bun add <package>@latest
if bun test && bun run build; then
git add package.json bun.lock
git commit -m "chore: upgrade <package>"
else
echo "Upgrade failed, rolling back"
git checkout main
git branch -D upgrade/<package>
bun install
fi
Upgrade Checklist
Pre-Upgrade:
- [ ] Review current dependency versions
- [ ] Read changelogs for breaking changes
- [ ] Create feature branch
- [ ] Tag current state (git tag pre-upgrade)
- [ ] Run full test suite (baseline)
- [ ] Verify cooldown period is configured
Security Pre-Checks:
- [ ] Post-install scripts are disabled
- [ ] Lockfile validation is active
- [ ] Install auditing tools configured (if applicable)
- [ ] CI uses frozen-lockfile install
- [ ] Run `socket scan create --report` for baseline (if Socket available)
During Upgrade:
- [ ] Upgrade one dependency at a time
- [ ] Check target package: `socket package score npm <pkg>` (if Socket available)
- [ ] Respect cooldown period (don't force latest)
- [ ] Update peer dependencies
- [ ] Fix TypeScript errors
- [ ] Run test suite after each upgrade
- [ ] Check bundle size impact
Post-Upgrade:
- [ ] Post-upgrade scan: `socket scan diff` to verify no new alerts (if Socket available)
- [ ] Consider `socket fix --minimum-release-age 7d` for any new CVEs
- [ ] Full regression testing
- [ ] Performance testing
- [ ] Update documentation
- [ ] Deploy to staging
- [ ] Monitor for errors
- [ ] Deploy to production
Common Pitfalls
- Upgrading all dependencies at once (use incremental upgrades)
- Blindly running
npm update or npm-check-updates -u without review
- Not testing after each individual upgrade
- Ignoring peer dependency warnings
- Forgetting to update or commit the lock file
- Not reading breaking change notes in changelogs
- Skipping major versions instead of stepping through them
- Not having a rollback plan
- Trusting npmjs.org displayed source code (can differ from actual tarball)
- Leaving post-install scripts enabled (most common attack vector)
- Not configuring a cooldown period for new package versions
When to Load References
Load these reference files when the user needs detailed information beyond the quick-reference in SKILL.md:
| Load This File | When |
|---|
references/cooldown-config-guide.md | Configuring cooldown for a specific PM, CI tool integration, or exclusion patterns |
references/package-manager-security.md | Full per-PM hardening guide including pnpm trust policy, blockExoticSubdeps, cross-PM cheat sheet |
references/supply-chain-security.md | Understanding attack vectors, incident history, npq vs sfw vs Socket CLI comparison, publisher security (2FA, provenance, OIDC) |
references/secrets-and-containers.md | Setting up dev containers, secrets management with 1Password/Infisical |
references/socket-cli-guide.md | Using Socket CLI for scans, fixes, package scoring, CI integration, wrapper mode, alert categories |
references/compatibility-matrix.md | Checking version compatibility for React, Next.js, TypeScript, Tailwind upgrades |
references/staged-upgrades.md | Codemod automation, custom migration scripts, peer dependency handling, workspace upgrades |
references/testing-strategy.md | Full testing pyramid, CI integration, bundle analysis, performance testing |
Template Files
Ready-to-use config files in templates/:
| Template | Purpose |
|---|
npmrc-security.tmpl | Secure .npmrc with scripts disabled + cooldown |
bunfig-security.tmpl | Secure bunfig.toml with cooldown + exclusions |
pnpm-workspace-security.tmpl | Secure pnpm-workspace.yaml with cooldown, allowBuilds, trustPolicy |
yarnrc-security.tmpl | Secure .yarnrc.yml with age gate + preapproved packages |
dependabot-security.tmpl | Dependabot config with 7-day cooldown |
renovate-security.tmpl | Renovate config with minimumReleaseAge + automerge rules |
devcontainer-security.tmpl | Hardened dev container with security options |
socket-fix-ci.tmpl | GitHub Actions: Socket Fix autopilot with cooldown-aligned CVE remediation |
socket-scan-ci.tmpl | GitHub Actions: Socket CI security gate for every push/PR |
