Install: claude install-skill natuleadan/skills
# Package Manager Security
This skill helps you harden npm, pnpm, and bun against supply chain attacks. It provides configuration guides, best practices, and troubleshooting for all three package managers.
## How to use this skill
1. Identify which package manager(s) the user's query is about (npm, pnpm, bun, or multiple)
2. If they ask about **npm** → read `references/npm.md`
3. If they ask about **pnpm** → read `references/pnpm.md`
4. If they ask about **bun** → read `references/bun.md`
5. If they ask about multiple or general concepts (lockfiles, CI/CD, version pinning) → read all relevant files
6. Answer concisely and directly. Provide configuration snippets and commands the user can copy/paste.
## Common concepts (apply to all three)
These security practices apply regardless of package manager. Mention them when relevant.
### Lockfile enforcement
- Always commit the lockfile: `package-lock.json` (npm), `pnpm-lock.yaml` (pnpm), `bun.lock` (bun 1.2+; older bun releases wrote the binary `bun.lockb`)
- In CI/CD, use the frozen-lockfile equivalent, which installs exactly what the lockfile records and fails instead of silently rewriting it when `package.json` and the lockfile disagree:
  - npm: `npm ci`
  - pnpm: `pnpm install --frozen-lockfile`
  - bun: `bun install --frozen-lockfile`
- Review lockfile changes in PRs. Unexpected new packages, changed `resolved` URLs, or changed `integrity` hashes for a version that did not change can indicate a compromised dependency or registry
### Version pinning
- Prefer exact versions (`"axios": "1.12.0"`) over ranges (`"axios": "^1.12.0"`), so a newly published (possibly malicious) release is not picked up on the next install
- If you must use a range, tilde (`"axios": "~1.12.0"`, patch updates only) is safer than caret (`^`, minor updates too) for production
- Never use `"*"` or `"latest"` in production
- Exact pins in `package.json` only cover direct dependencies; transitive dependencies are pinned by the committed lockfile plus a frozen install in CI, so pinning and lockfile enforcement go together
### Supply chain monitoring
- `npm audit signatures` — verify pac