Pi skill package for reviewing dependency-impacting Node.js work across npm-registry-compatible package managers.
Use it before project initialization, feature development that may add packages, package additions, package updates, package-manager migration, or changes to package.json, lockfiles, npm/pnpm/yarn/bun settings, or workspace dependency policy.
Package name: pi-dependency-safety
pi install npm:pi-dependency-safety

For local package testing from this package directory:

pi install ./

For temporary skill-file testing without installing the package:

pi --skill ./skills/npm-dependency-safety

From another repository, pass the absolute path to this skill directory:

pi --skill /absolute/path/to/pi-dependency-safety/skills/npm-dependency-safety

- npm-registry package risk before adding or updating dependencies.
- CVEs, OSV/GitHub advisories, package-manager audit data, issue trackers, Socket.dev reports, and recent supply-chain signals.
- Package metadata risk signals including lifecycle scripts, binaries, dependency graph shape, maintainers, publish time, and deprecation.
- Package-manager policy for npm, pnpm, yarn, bun, and mixed setups.
- Existing Dependabot/Renovate/CI/scanner automation as evidence, not a substitute for pre-change review.
- pnpm dependency build script controls such as approved/blocked builds and strict dependency-build behavior.
- Privacy/network approval before external lookups for private repos or unknown policy.
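The metadata risk signals listed above, as an added example that is not part of the skill or its references: a small reviewer that scores one npm-registry-style version manifest (fields `scripts`, `bin`, `deprecated`, `dependencies`, `maintainers` follow the public registry packument; `publishedAt` and the thresholds are assumptions, and the sample manifest is constructed).

```javascript
// Added example, not the pi-dependency-safety skill's own code.
// Flags the pre-change review signals: lifecycle scripts, shipped binaries,
// deprecation, dependency-graph width, maintainer count and publish recency.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function reviewPackageMetadata(pkg, now = new Date()) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    // Lifecycle hooks run arbitrary code at install time: highest-value signal.
    if (scripts[hook]) findings.push({ level: "high", signal: `lifecycle script "${hook}": ${scripts[hook]}` });
  }
  const bins = Object.keys(pkg.bin || {});
  if (bins.length > 0) findings.push({ level: "medium", signal: `ships binaries: ${bins.join(", ")}` });
  if (pkg.deprecated) findings.push({ level: "high", signal: `deprecated: ${pkg.deprecated}` });
  const depCount = Object.keys(pkg.dependencies || {}).length;
  if (depCount > 20) findings.push({ level: "low", signal: `wide dependency graph (${depCount} direct deps)` }); // threshold assumed
  const maintainers = pkg.maintainers || [];
  if (maintainers.length <= 1) findings.push({ level: "low", signal: `single maintainer (${maintainers.length})` });
  if (pkg.publishedAt) {
    // publishedAt is an assumed pre-flattened field (the packument keeps dates under `time`).
    const ageDays = (now - new Date(pkg.publishedAt)) / 86400000;
    if (ageDays < 7) findings.push({ level: "medium", signal: `published ${ageDays.toFixed(1)} days ago` }); // threshold assumed
  }
  const worst = ["high", "medium", "low"].find(l => findings.some(f => f.level === l)) || "none";
  return { name: pkg.name, version: pkg.version, worst, findings };
}

// Constructed sample manifest for demonstration.
const SAMPLE_MANIFEST = {
  name: "example-pkg",
  version: "1.2.3",
  scripts: { postinstall: "node setup.js", test: "jest" },
  bin: { "example-pkg": "cli.js" },
  dependencies: { a: "1.0.0", b: "2.0.0" },
  maintainers: [{ name: "solo" }],
  publishedAt: "2026-01-10T00:00:00Z",
};

function reviewSample() {
  return reviewPackageMetadata(SAMPLE_MANIFEST, new Date("2026-01-12T00:00:00Z"));
}

console.log(JSON.stringify(reviewSample(), null, 2));
```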
skills/npm-dependency-safety/
├── SKILL.md
└── references/
    ├── orchestration.md
    ├── package-manager-checks.md
    ├── package-policy.md
    ├── pnpm-hardening.md
    ├── report-format.md
    └── risk-review.md
Publish only after validating package contents:
npm pack --dry-run --json
npm publish --access public

If publishing under a scope, update package.json and this README before publishing, then use the scoped package name in the install command.
Apache-2.0. Copyright 2026 ludevdot.
