A Claude Code skill (pnpm-supply-chain-protection) that, in one pass, locks down a pnpm project against supply-chain attacks and then runs the tests that prove the protection actually fires.
pnpm-supply-chain-protection — Claude Code skill that locks down a pnpm project against supply-chain attacks using minimumReleaseAge + corepack pin, and runs the tests that prove the gate fires
name: pnpm-supply-chain-protection
description: Lock down a pnpm project against supply-chain attacks (compromised maintainer accounts pushing malicious patches) using minimumReleaseAge + pinned pnpm. Use when the user says "add minimumReleaseAge", "pin pnpm", "supply-chain protection", "engine-strict", "lock down dependencies", "protect against compromised packages", or runs /pnpm-supply-chain. Installs the protection and then runs the tests that prove it actually fires.
pnpm Supply-Chain Protection
The actual supply-chain protection is minimumReleaseAge: 10080 in pnpm-workspace.yaml: a 7-day quarantine (the value is in minutes) applied to direct and transitive dependencies. The delay gives the npm community time to flag a compromised version before you would otherwise install it.
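To make the quarantine concrete, here is an added example (not code from the skill or from pnpm) that models what minimumReleaseAge does: given a package's published versions and their publish times, it drops every version younger than the threshold and resolves to the newest one that remains. The packument-shaped metadata, the package name "example-lib", and the dates are all constructed for the demo; real pnpm resolution also handles ranges, dist-tags and prereleases, which this model deliberately leaves out.

```javascript
// Added example, not part of the pnpm-supply-chain-protection skill.
// Models a minimumReleaseAge quarantine over a package's version history.
// The `time` map mirrors the shape of an npm packument's "time" field;
// every value below is constructed for this demonstration.

const MINUTE_MS = 60 * 1000;

// Constructed metadata for a hypothetical package "example-lib".
const constructedPackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-10T12:00:00.000Z",
    "1.9.0": "2024-01-01T00:00:00.000Z",
    "2.0.0": "2024-02-01T00:00:00.000Z",
    "2.0.1": "2024-02-20T00:00:00.000Z",
    "2.1.0": "2024-03-10T12:00:00.000Z", // the freshly published version
  },
};

// Numeric comparison of dotted x.y.z versions (no prerelease handling;
// sufficient for the demo, not a semver implementation).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions published at least `minimumReleaseAgeMinutes` before `now`,
// i.e. the versions the quarantine lets through, oldest first.
function eligibleVersions(packument, minimumReleaseAgeMinutes, now) {
  const cutoff = now.getTime() - minimumReleaseAgeMinutes * MINUTE_MS;
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
}

// Newest eligible version, or null when every version is still quarantined
// (the install should fail rather than fall through to an unvetted release).
function resolveWithQuarantine(packument, minimumReleaseAgeMinutes, now) {
  const eligible = eligibleVersions(packument, minimumReleaseAgeMinutes, now);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Scenario: it is 2024-03-12, two days after 2.1.0 was published.
const scenarioNow = new Date("2024-03-12T00:00:00.000Z");
console.log("no quarantine    ->", resolveWithQuarantine(constructedPackument, 0, scenarioNow));
console.log("7-day quarantine ->", resolveWithQuarantine(constructedPackument, 10080, scenarioNow));
```

With the 7-day window (10080 minutes, the value the skill writes) the two-day-old 2.1.0 is skipped and 2.0.1 is chosen; with the window set to 0 the fresh release is installed immediately. The null branch matters for the "prove it fires" test: a package whose only matching versions are younger than the window must fail resolution, not silently degrade.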
The other two layers are reproducibility plumbing that makes the protection reliable across machines: