ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TypeScript Package Manager

Expert 10x Software engineer specializing in TypeScript with deep knowledge of all popular package management tools including npm, yarn, pnpm, bun, and deno....

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 126 · 0 current installs · 0 all-time installs
byJohn Haugabook@jhauga
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (TypeScript package-manager expertise) matches the provided assets: guides for npm/yarn/pnpm/bun/deno, templates, and helper scripts (bun-workflow.js, npm-workflow.js, health-check.js). The included JS helpers and docs are appropriate for the stated purpose.
!
Instruction Scope
SKILL.md and the included workflow files instruct running CLI commands and provide migration steps that include executing network installers (e.g., curl -fsSL https://bun.sh/install | bash) and other shell commands. While expected for tooling setup, these instructions allow arbitrary remote code execution if run without inspection — the agent's runtime instructions should not be executed blindly.
Install Mechanism
There is no install spec for the skill itself (instruction-only), so nothing will be written to disk by an installer. However, documentation and scripts advise downloading and running external installers (bun.sh). The URLs used (bun.sh) are the official project site, but piping remote scripts into a shell is inherently risky and should be reviewed before running.
Credentials
The skill declares no required environment variables or credentials. Some example templates and commented snippets reference tokens (e.g., $NPM_TOKEN) in typical registry configuration contexts, but the skill does not demand secrets at install time.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration or to persist credentials for other skills. It is user-invocable and allows autonomous invocation (default), which is expected for skills.
Assessment
This skill appears to do what it claims: documentation, templates, and helper scripts for managing TypeScript package managers. Before you run any of the suggested commands or bundled scripts, review them carefully: they call out to the system shell (child_process.execSync) and recommend commands that download and run remote installers (e.g., curl | bash). If you plan to execute migration/install steps, prefer installing from trusted package sources, inspect remote install scripts first, run in an isolated environment or container, and avoid pasting or piping installers into a shell on a production machine. Also avoid entering registry tokens into commands unless you understand where they're stored. If you need higher assurance, request the exact runtime behavior or run the helper scripts in a sandbox to inspect their network and file activity.
scripts/bun-workflow.js:45
Shell command execution detected (child_process).
scripts/health-check.js:47
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975tdbrz922c06j9aaqrqddqn82qh9n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

TypeScript Package Manager Skill

An expert skill for managing TypeScript projects with comprehensive knowledge of modern package management tools and ecosystem best practices.

When to Use This Skill

  • Setting up or configuring package managers (npm, yarn, pnpm, bun, deno)
  • Managing project dependencies and resolving conflicts
  • Optimizing package.json configuration
  • Working with monorepos and workspaces
  • Troubleshooting installation or dependency issues
  • Configuring package scripts and build pipelines
  • Understanding lock files and version constraints
  • Integrating package managers with build tools
  • Migrating between package managers
  • Performance optimization of package operations

Prerequisites

  • Node.js environment (for npm, yarn, pnpm, bun)
  • Basic understanding of TypeScript/JavaScript projects
  • Terminal/command line access
  • Understanding of semantic versioning (semver)

Shorthand Keywords

Keywords to trigger this skill quickly:

openPrompt = ["typescript-package-manager", "ts-pkg", "pkg-manager"]

Use these shorthand commands for quick invocation:

  • ts-pkg --install <package>
  • pkg-manager --compare-tools
  • ts-pkg migrate to pnpm
  • pkg-manager --optimize workspace

Core Capabilities

Package Manager Expertise

This skill provides deep knowledge across all major JavaScript/TypeScript package managers:

  • npm: The default Node.js package manager, widely used and battle-tested
  • yarn: Fast, reliable package manager with enhanced features
  • pnpm: Disk-space efficient with strict dependency isolation
  • bun: Ultra-fast all-in-one toolkit with native package management
  • deno: Secure-by-default runtime with built-in tooling

Dependency Management

  • Installing, updating, and removing dependencies
  • Managing dev dependencies vs production dependencies
  • Understanding peer dependencies and optional dependencies
  • Resolving version conflicts and compatibility issues
  • Audit and security vulnerability management
  • Dependency deduplication and optimization

Configuration and Optimization

  • package.json structure and best practices
  • Lock file management (package-lock.json, yarn.lock, pnpm-lock.yaml)
  • Workspace and monorepo configuration
  • Scripts and lifecycle hooks
  • Registry configuration and private packages
  • CI/CD integration

Ecosystem Integration

  • TypeScript compiler (tsc) integration with package managers
  • Build tool configuration (Vite, webpack, esbuild, Rollup, Turbopack)
  • Testing framework setup (Vitest, Jest, Mocha)
  • Linting and formatting tools (ESLint, Prettier)
  • Development server configuration and hot reload
  • CI/CD pipeline optimization

Key Concepts

Semantic Versioning (semver)

Understanding version constraints in package.json:

  • ^1.2.3 (caret): >=1.2.3 <2.0.0 - Allows minor and patch updates (recommended)
  • ~1.2.3 (tilde): >=1.2.3 <1.3.0 - Allows only patch updates
  • 1.2.3 (exact): Exact version only
  • >=1.2.3 <2.0.0 (range): Custom version range
  • latest: Always use latest version (dangerous, not recommended)

Lock Files

Lock files ensure reproducible installations across environments:

  • package-lock.json (npm): JSON format, exact dependency tree
  • yarn.lock (yarn): YAML-like format, deterministic resolution
  • pnpm-lock.yaml (pnpm): YAML format with content-addressable storage
  • bun.lockb (bun): Binary format for fast parsing

Best Practice: Always commit lock files to version control.

Workspaces (Monorepos)

Manage multiple packages in a single repository:

{
  "workspaces": ["packages/*", "apps/*"]
}

Benefits:

  • Shared dependencies across packages
  • Cross-package development and testing
  • Unified versioning and release coordination
  • Simplified dependency management

Best Practices

  1. Choose the Right Tool: Understand trade-offs between package managers for your project needs

    • npm: Maximum compatibility, widest ecosystem support
    • yarn: Enhanced features, good monorepo support
    • pnpm: Best disk space efficiency, strict dependencies
    • bun: Maximum speed, all-in-one tooling
    • deno: Security-first, URL-based imports

  2. Lock File Discipline: Always commit lock files to ensure reproducible builds across environments

  3. Semantic Versioning: Use appropriate version constraints

    • Use ^ (caret) for most dependencies (recommended)
    • Use ~ (tilde) for conservative updates
    • Use exact versions only when necessary

  4. Security First: Regularly audit dependencies for vulnerabilities

    npm audit      # npm
yarn audit     # yarn
pnpm audit     # pnpm
bun pm audit   # bun

  5. Workspace Optimization: Leverage workspaces for monorepo efficiency and shared dependencies

  6. Script Consistency: Use cross-platform compatible scripts (avoid shell-specific commands)

  7. Minimal Dependencies: Avoid unnecessary packages to reduce complexity, security surface, and bundle size

  8. Documentation: Document package manager choice, special configurations, and setup instructions in README.md

  9. CI/CD Optimization: Use frozen lockfiles in CI for deterministic builds

    npm ci                                    # npm
yarn install --frozen-lockfile            # yarn
pnpm install --frozen-lockfile            # pnpm
bun install --frozen-lockfile             # bun

  10. Version Management: Use packageManager field in package.json to enforce consistency

    {
  "packageManager": "pnpm@8.15.0"
}

Choosing the Right Package Manager

Decision Factors

npm (Default Choice)

  • ✅ Maximum compatibility and ecosystem support
  • ✅ Default with Node.js, no additional setup
  • ✅ Well-tested and mature
  • ❌ Slower than alternatives
  • ❌ Less disk-efficient

yarn (Enhanced Features)

  • ✅ Good performance and caching
  • ✅ Excellent monorepo/workspace support
  • ✅ Plug'n'Play mode (Berry) for zero-installs
  • ❌ Classic vs Berry version confusion
  • ❌ Plug'n'Play requires IDE setup

pnpm (Recommended for Most Projects)

  • ✅ 60-70% disk space savings
  • ✅ 2-3x faster than npm
  • ✅ Strict dependency isolation prevents phantom dependencies
  • ✅ Excellent monorepo support
  • ❌ May expose hidden dependency issues

bun (Cutting Edge)

  • ✅ Blazing fast (5-10x faster than npm)
  • ✅ All-in-one: runtime, bundler, test runner
  • ✅ Native TypeScript support
  • ❌ Newer and less mature
  • ❌ Some npm package incompatibilities

deno (Security-First)

  • ✅ Secure by default with explicit permissions
  • ✅ Native TypeScript support
  • ✅ No package.json or node_modules
  • ❌ Different paradigm (URL-based imports)
  • ❌ Smaller ecosystem than npm

Quick Recommendation

  • New TypeScript project: pnpm or bun
  • Existing project: Keep current manager unless migrating for specific benefits
  • Monorepo: pnpm or yarn (berry)
  • Maximum compatibility: npm
  • Security-critical: deno or pnpm

Common Tasks

Installing Dependencies

# npm
npm install

# yarn
yarn install

# pnpm
pnpm install

# bun
bun install

Adding New Dependencies

# Production dependency
npm install package-name
yarn add package-name
pnpm add package-name
bun add package-name

# Development dependency
npm install --save-dev package-name
yarn add --dev package-name
pnpm add --save-dev package-name
bun add --dev package-name

Running Scripts

# All package managers support npm scripts
npm run script-name
yarn script-name
pnpm script-name
bun run script-name

Troubleshooting

Common Issues

Installation Failures:

  • Clear cache and retry
  • Delete node_modules and lock file, reinstall
  • Check for incompatible peer dependencies
  • Verify Node.js version compatibility

Version Conflicts:

  • Use resolutions/overrides in package.json
  • Upgrade conflicting dependencies
  • Consider using pnpm for better isolation

Performance Issues:

  • Use pnpm or bun for faster operations
  • Enable caching mechanisms
  • Optimize workspace configuration

Lock File Conflicts:

  • Resolve merge conflicts carefully
  • Regenerate lock file if corrupted
  • Ensure team uses same package manager

References

See the references/ folder for detailed documentation:

  • package-management.md - Comprehensive guide to JavaScript/TypeScript package managers including npm, yarn, pnpm, bun, deno, with concepts, version management, security, and best practices
  • integration-with-build-tools.md - Complete guide to integrating package managers with Vite, webpack, esbuild, Rollup, TypeScript compiler (tsc), and CI/CD pipelines

Scripts

See the scripts/ folder for workflow guides and automation:

  • npm-workflow.md / npm-workflow.js - Complete npm workflow from initialization to publishing
  • yarn-workflow.md - Complete yarn workflow covering Classic (1.x) and Berry (3.x+) versions
  • pnpm-workflow.md - Complete pnpm workflow with monorepo and workspace features
  • bun-workflow.md / bun-workflow.js - Complete bun workflow for ultra-fast package management
  • health-check.md / health-check.js - Package manager health check and diagnostics scripts

Assets

See the assets/ folder for templates and reference materials:

  • package-manager-comparison.md - Detailed comparison matrix, benchmarks, and decision tree for choosing package managers
  • package-json-template.md - Production-ready package.json template with field-by-field explanations and best practices

Files

13 total
Select a file
Select a file to preview.

Comments

Loading comments…