This handles the full lifecycle of upgrading dependencies with supply chain security baked in: cooldown periods to let new packages age before you install them, post-install script blocking to prevent arbitrary code execution, and lockfile validation to catch injection attacks. It supports npm, Bun, pnpm, Yarn, and Deno with specific hardening configs for each. You can run it in default mode for instant opinionated setup (7-day cooldown, scripts blocked, Dependabot configured) or go interactive to customize everything from automerge policies to Socket CLI integration. It's built around the reality that supply chain attacks happen fast and most teams don't have good defenses in place until after an incident.
npx skills add https://github.com/secondsky/claude-skills --skill dependency-upgrade
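To make the cooldown and lockfile-validation ideas above concrete, here is an added, stand-alone example (not code from the skill or its repository): it checks npm registry `time` metadata against a 7-day cooldown and flags package-lock.json v3 entries that resolve outside the expected registry or lack an integrity hash. The registry metadata and lockfile contents are constructed samples; `TRUSTED_HOSTS` and the `example.invalid` host are assumptions for illustration.

```python
"""Cooldown and lockfile checks, illustrating the controls described above."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumption: the only registry this project should fetch tarballs from.
TRUSTED_HOSTS = {"registry.npmjs.org"}


def too_new(version_time: dict, version: str, now: datetime, cooldown_days: int = 7) -> bool:
    """True when `version` was published less than `cooldown_days` ago.
    `version_time` mirrors the registry document's `time` map (version -> ISO timestamp)."""
    published = datetime.fromisoformat(version_time[version].replace("Z", "+00:00"))
    return now - published < timedelta(days=cooldown_days)


def lockfile_findings(lock: dict, trusted_hosts=TRUSTED_HOSTS) -> list:
    """Walk lockfileVersion 2/3 'packages' entries and report anything that
    resolves to an unexpected host or carries no integrity hash."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project, not a dependency
            continue
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if host not in trusted_hosts:
            findings.append(f"{path}: resolved from untrusted source {resolved!r}")
        if not entry.get("integrity"):
            findings.append(f"{path}: missing integrity hash")
    return findings


# Constructed sample data (not real packages or registry responses).
SAMPLE_TIME = {"1.3.0": "2018-01-01T00:00:00.000Z", "1.4.0": "2024-05-30T12:00:00.000Z"}
NOW = datetime(2024, 6, 2, tzinfo=timezone.utc)
SAMPLE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/evil-helper": {"version": "0.0.1",
      "resolved": "https://example.invalid/evil-helper-0.0.1.tgz"}
  }
}""")

if __name__ == "__main__":
    print("1.4.0 within cooldown:", too_new(SAMPLE_TIME, "1.4.0", NOW))
    for finding in lockfile_findings(SAMPLE_LOCK):
        print("lockfile:", finding)
```

In practice the `time` map comes from `GET https://registry.npmjs.org/<package>` and the lockfile from the repository; a non-empty findings list or a too-new version is a reason to stop the upgrade rather than proceed.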