Dependency Security Agent Skill
Dependency security — npm audit, lockfile verification, supply chain attack prevention.
The Skill
---
description: Dependency security — npm audit, lockfile verification, supply chain attack prevention.
homepage: https://yepapi.com/skills/dependency-security
metadata:
tags: [security, dependencies, npm, supply-chain]
---
# Dependency Security
## Rules
- Run `npm audit` in CI — fail the build on high/critical vulnerabilities
- Use `lockfile-lint` to verify all packages resolve to the official npm registry
- Pin major versions in `package.json`: use `^` (allows minor and patch updates within the same major), never `*` or `latest`
- Review new dependencies before installing: check npm download counts, last publish date, maintainer count
- Use `npm ls --all` to audit transitive dependencies — your direct deps pull in hundreds more
- Set up Snyk, Socket.dev, or GitHub Dependabot for real-time vulnerability alerts
- Update dependencies weekly — stale deps accumulate known vulnerabilities
```yaml
# GitHub Actions — audit in CI
- name: Audit dependencies
  run: npm audit --audit-level=high
- name: Verify lockfile integrity
  run: npx lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https
```
`package.json`, pinning major versions:
```json
{
  "dependencies": {
    "next": "^14.0.0",
    "react": "^18.0.0",
    "zod": "^3.0.0"
  }
}
```
## Avoid
- `npm install random-package` without checking the package first — typosquatting is real
- Ignoring `npm audit` warnings — known vulnerabilities are the easiest attack vector
- Using `*` or `latest` as version ranges — a compromised publish instantly hits your build
- Running `postinstall` scripts from untrusted packages without review
- Assuming popular packages are safe — even `event-stream` (millions of downloads) was compromised
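A worked check of the lockfile rules above together with the Avoid points, as an added example that is not part of the YepAPI skill: it walks a `package-lock.json` (lockfile v2/v3 `packages` map) and a `package.json`, reporting packages not resolved from the official registry over https, packages without a sha512 integrity hash, packages that declare an install script (npm records this as `hasInstallScript`), and `*` / `latest` ranges. The lockfile, manifest, mirror host and package names are constructed sample inputs.

```javascript
// Added example, not part of the YepAPI skill: an offline check of a
// package-lock.json (lockfile v2/v3 "packages" map) plus package.json ranges.
// It flags: packages not resolved from the official registry over https,
// packages without a sha512 integrity hash, packages that declare an install
// script (npm records this as hasInstallScript), and "*" / "latest" ranges.
const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";

function checkLock(lock, manifest) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue;       // root entry or workspace link
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved) findings.push(`${name}: no resolved URL`);
    else if (!entry.resolved.startsWith(OFFICIAL_REGISTRY))
      findings.push(`${name}: resolved from ${entry.resolved}`);
    if (!/^sha512-/.test(entry.integrity || ""))
      findings.push(`${name}: missing sha512 integrity`);
    if (entry.hasInstallScript)
      findings.push(`${name}: declares an install script, review before use`);
  }
  for (const [dep, range] of Object.entries(manifest.dependencies || {})) {
    if (range === "*" || range === "latest")
      findings.push(`${dep}: unpinned range "${range}" in package.json`);
  }
  return findings;
}

// Constructed sample inputs (hashes are placeholders, not real digests).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/zod": { version: "3.22.4",
      resolved: "https://registry.npmjs.org/zod/-/zod-3.22.4.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "http://mirror.example.internal/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/native-thing": { version: "0.1.0",
      resolved: "https://registry.npmjs.org/native-thing/-/native-thing-0.1.0.tgz",
      integrity: "sha512-PLACEHOLDER", hasInstallScript: true },
  },
};
const sampleManifest = { dependencies: { zod: "^3.0.0", "left-pad": "*" } };

console.log(checkLock(sampleLock, sampleManifest).join("\n"));
```

Run it against a real lockfile by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))`; a non-empty result is what the CI step above should fail on.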
Why Use the Dependency Security Skill?
Without this skill, your AI guesses at dependency security patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the Dependency Security skill installed. Your AI knows the context and writes code that fits.
"Add npm audit and lockfile verification to my CI pipeline"
"Set up Dependabot for automated dependency update PRs with security alerts"
"Create a pre-install script that verifies package integrity and registry sources"
Dependency Security skill — FAQ
It provides rules for npm audit in CI, lockfile integrity verification, supply chain attack prevention, and real-time vulnerability monitoring. Your AI writes dependency management code that protects against compromised packages.
Run `npx skills add YepAPI/skills --skill dependency-security` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Update dependencies weekly to avoid accumulating known vulnerabilities. Use Dependabot or Renovate for automated PRs, and always run npm audit in CI to catch issues before they reach production.