Review dependency changes to reduce supply chain attacks and token leakage.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "supply-chain-security" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/apm/main/.apm/skills/supply-chain-security/SKILL.md 2. Save it as ~/.claude/skills/supply-chain-security/SKILL.md 3. Reload skills and tell me it's ready
Please review these package-lock.json / pnpm-lock.yaml changes. Focus on suspicious dependency sources, unusual version jumps, missing integrity checks, or configuration risks that could cause dependency confusion, and provide remediation advice.
A risk review identifying suspicious dependencies, the reasons they are risky, and actionable fixes.
I modified our internal package download and resolution logic. Review it from a supply chain security perspective: verify signature and hash validation, restrictions on untrusted sources, and possible token leakage, then list high-risk issues.
A prioritized list of security issues by severity, with hardening recommendations.
Please assess this dependency resolution and private registry setup for exposure to typosquatting, malicious package injection, or private package name collisions, and suggest a safer resolution strategy.
An explanation of current risks and safer recommendations for registry priority, naming, and verification policies.
Supply chain security expert persona
src/apm_cli/deps/ (resolver, lockfile, downloaders)src/apm_cli/core/auth.py or token_manager.pysrc/apm_cli/integration/cleanup.py (deletion chokepoint)apm.lock schema changessrc/apm_cli/utils/path_security.py (no ad-hoc ".." in x).integration/cleanup.py:remove_stale_deployed_files() (3 safety
gates).AuthResolver -- never raw
os.getenv for token vars.Guide APM positioning, release communication, and breaking-change strategy decisions.
Audit an entire docs corpus against code and propose precise fixes.
Improve CLI output, logs, errors, and terminal diagnostic user experience.
Triages bug batches and drives related PRs to a mergeable state.
Plan doc TOC changes and outline stubs when PRs require structural updates.
Triage APM issues in batches and drive approved ones to mergeable PRs.
Review architecture or code for security risks, vulnerabilities, and compliance issues.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.
Verify package safety for AI coding agents and detect supply-chain risks.
Helps teams handle APM positioning, release communication, and breaking-change decisions.
Scan local dependencies and IDE extensions for CVEs.
Inspect local npm supply-chain risks with SBOMs, audits, and evidence reports.