stash-supply-chain-security
Implements supply-chain security controls for npm packages in the @cipherstash/stack monorepo, enhancing CI workflows and dependency management.
Security score: 82/100
The stash-supply-chain-security skill was audited on May 26, 2026 and we found 6 security issues across 2 threat categories. Review the findings below before installing.
Security Issues
1. Severity: medium. Source: SKILL.md, line 63. Finding: Access to hidden dotfiles in home directory.
   Flagged text: `.npmrc` pins both the default registry and the `@cipherstash` scope to `https://registry.npmjs.org/`. Auth tokens stay in user-level `~/.npmrc` or env vars — never committed.

2. Severity: medium. Source: SKILL.md, line 106. Finding: Access to .env file.
   Flagged text: `tests.yml` writes `.env` files at CI time from GitHub Secrets. This is acceptable: secrets are never committed, scoped to the runner, and rotate via the GitHub UI. The `.env` files exist only for the

3. Severity: medium. Source: SKILL.md, line 108. Finding: Access to .env file.
   Flagged text: Do **not** commit any `.env` file to the repo.

4. Severity: low. Source: SKILL.md, line 43. Finding: External URL reference.
   Flagged text: - A test parses `pnpm-lock.yaml` and asserts every resolved tarball URL starts with `https://registry.npmjs.org/`

5. Severity: low. Source: SKILL.md, line 63. Finding: External URL reference.
   Flagged text: `.npmrc` pins both the default registry and the `@cipherstash` scope to `https://registry.npmjs.org/`. Auth tokens stay in user-level `~/.npmrc` or env vars — never committed.

6. Severity: low. Source: SKILL.md, line 82. Finding: External URL reference.
   Flagged text: - [Socket Firewall (`sfw`)](https://socket.dev) — real-time blocker for known-malicious packages: `sfw pnpm add <pkg>`
Scanned on May 26, 2026