npm-solution-scout
An intelligent assistant for discovering, evaluating, and installing npm packages that solve specific development problems.
When to Use This Skill
Trigger this skill when the user:
- •Describes a Node.js/JavaScript development problem needing a library solution
- •Asks "what package should I use for X?"
- •Requests help finding npm packages for a specific use case
- •Mentions needing a library/module/package for their project
- •Examples: "I need a library for parsing CSV", "what's the best way to handle dates in JS?", "I need JWT authentication"
Do NOT trigger for:
- •Questions about npm CLI usage itself
- •Package-specific documentation questions (use web search)
- •Debugging existing package issues
- •General JavaScript questions not requiring external packages
Workflow
1. Problem Understanding
Extract from user's request:
- •Core problem: What are they trying to solve?
- •Runtime: Node.js, browser, or both?
- •Language: TypeScript or JavaScript?
- •Framework: React, Vue, Express, Next.js, etc.
- •Environment constraints: Bundle size, tree-shaking, ESM/CJS
- •License requirements: MIT, Apache, permissive only?
If critical information is missing, ask UP TO 4 targeted questions. Keep it concise.
2. Package Discovery
Execute scripts/search-npm.js to find candidate packages:
node scripts/search-npm.js "<search-query>" [--limit 20]
The script uses npm search --json for reliable results. If it fails, it falls back to HTTP requests to registry.npmjs.org.
Load references/package-evaluation.md to understand evaluation criteria.
3. Deep Evaluation
For the top 10-15 candidates from search, run:
node scripts/evaluate-candidates.js <pkg1> <pkg2> <pkg3> ...
This fetches detailed metadata using npm view --json and applies scoring heuristics.
4. Ranking and Recommendation
Present 3-7 evaluated options in a comparison table with:
- •Package name and version
- •Downloads/week
- •Last publish date
- •Maintenance score
- •License
- •Key strengths/weaknesses
- •TypeScript support
- •ESM/CJS compatibility
Recommend:
- •1 primary choice with full justification
- •1 alternative with trade-off explanation
Load references/safety-checklist.md and verify recommendations pass safety checks.
5. Installation (Only After Explicit Confirmation)
CRITICAL: Never install without user confirmation phrases like:
- •"install it"
- •"yes, install"
- •"go ahead"
- •"install now"
When authorized, run:
node scripts/detect-package-manager.js
This detects:
- •
pnpmifpnpm-lock.yamlexists ORpackageManagerfield in package.json starts withpnpm@ - •
npmifpackage-lock.jsonexists - •Defaults to
npmotherwise - •Detects monorepo via
pnpm-workspace.yamlorworkspacesin package.json
For monorepos, ASK which workspace should receive the dependency.
Then execute:
node scripts/install-deps.js <package-name> [--workspace <workspace-name>]
6. Post-Installation Validation
After installation, automatically run:
- •Audit:
npm auditorpnpm audit(report vulnerabilities) - •Tests: If
testscript exists in package.json, run it (non-blocking) - •Lint: If
lintscript exists, run it (non-blocking)
Report results. If tests/lint fail, inform user but don't rollback automatically.
7. Final Response
Provide:
- •Installed package name and version
- •Installation command used
- •Audit results summary
- •Next steps (import examples, configuration needed)
- •Link to package documentation
Safety Rules
- •Never install deprecated packages
- •Warn about packages with no activity in 2+ years
- •Flag packages with known vulnerabilities
- •Verify license compatibility
- •Detect potential typosquatting (similar names to popular packages)
- •Never auto-install without explicit user confirmation
Example Usage
Example 1: CSV Parsing
User: "I need to parse large CSV files in Node.js"
Behavior:
- •Extract: runtime=Node.js, use-case=CSV parsing, constraint=large files
- •Search:
node scripts/search-npm.js "csv parser" - •Evaluate top candidates: csv-parser, papaparse, fast-csv, csv-parse
- •Recommend: papaparse (streams, browser+Node) vs fast-csv (Node-only, faster)
- •Wait for confirmation
- •If confirmed: detect package manager → install → audit → report
Example 2: Date Manipulation
User: "What's the best library for handling dates? I'm using TypeScript in a React app"
Behavior:
- •Extract: runtime=browser, language=TS, framework=React
- •Ask: "Do you need timezone support? Any bundle size constraints?"
- •Search and evaluate: date-fns, dayjs, luxon, moment (deprecated)
- •Recommend: date-fns (tree-shakeable, TS, modern) vs dayjs (smaller, simpler API)
- •Wait for confirmation
Example 3: JWT Authentication
User: "I need JWT auth for my Express API"
Behavior:
- •Extract: runtime=Node.js, framework=Express, use-case=JWT
- •Search: jsonwebtoken, jose, fast-jwt
- •Evaluate and recommend: jsonwebtoken (standard, widely used) vs jose (modern, spec-compliant)
- •Mention security considerations (secret management, expiration)
- •Wait for confirmation
- •Post-install: suggest middleware setup example
File Reference Guide
- •Load
references/package-evaluation.mdbefore ranking packages (step 3) - •Load
references/safety-checklist.mdbefore final recommendation (step 4) - •Execute
scripts/detect-package-manager.jsbefore installation (step 5) - •Execute
scripts/search-npm.jsduring discovery (step 2) - •Execute
scripts/evaluate-candidates.jsduring evaluation (step 3) - •Execute
scripts/install-deps.jsduring installation (step 5)
Dry-Run Mode
By default, this skill operates in recommendation-only mode. It will:
- •Search packages ✓
- •Evaluate and rank ✓
- •Recommend solutions ✓
- •Install packages ✗ (only after explicit user confirmation)
This ensures safe, deliberate dependency management.