From 222ec709ef108a99cd31775b3f2e546e83ff94ea Mon Sep 17 00:00:00 2001 From: Nathanael Esayeas Date: Wed, 20 May 2026 21:27:25 -0500 Subject: [PATCH 1/2] Mitigate npm supply-chain attacks via `.npmrc` file - Add `ignore-scripts=true` to prevent execution of `postinstall` and other lifecycle scripts, supply-chain attack protection. - Add `min-release-age=7` to avoid packages uploaded in the last 7 days, supply-chain attack protection. (Requires npm >= 11.10.0) - Add `package-lock=true` to ensure consistent dependency resolution across environments. Signed-off-by: Nathanael Esayeas --- .npmrc | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .npmrc diff --git a/.npmrc b/.npmrc new file mode 100644 index 00000000..050bd2da --- /dev/null +++ b/.npmrc @@ -0,0 +1,3 @@ +ignore-scripts=true +min-release-age=7 +package-lock=true From ed836e02d43db1fcbd4d3c5ec7810d0c77cef02b Mon Sep 17 00:00:00 2001 From: Nathanael Esayeas Date: Wed, 20 May 2026 21:38:54 -0500 Subject: [PATCH 2/2] Drop cooldown period Signed-off-by: Nathanael Esayeas --- .npmrc | 1 - 1 file changed, 1 deletion(-) diff --git a/.npmrc b/.npmrc index 050bd2da..9401040f 100644 --- a/.npmrc +++ b/.npmrc @@ -1,3 +1,2 @@ ignore-scripts=true -min-release-age=7 package-lock=true
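Review bot: In the first patch (the new `.npmrc`, hunk `@@ -0,0 +1,3 @@`), `ignore-scripts=true` is a project-wide switch, not a dependency-only one: it also suppresses this repository's own lifecycle hooks (for example `prepare` on `npm install`, and the `pre`/`post` hooks around `npm run` scripts), and any dependency that builds a native addon during install will be left unbuilt. That side effect is not mentioned in the commit message; please document it (README or CONTRIBUTING) and tell contributors how to run a needed script explicitly, e.g. `npm rebuild` or `npm run <script>`, so the install-time failure mode is expected rather than surprising. Two smaller points: `package-lock=true` is npm's default, so the line is harmless but redundant and worth a comment in the file explaining why it is pinned; and since `.npmrc` is only honoured when npm runs with the repository as its project root, a quick `npm config get ignore-scripts` from the repo root in CI would confirm the setting is actually in effect rather than silently ignored.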
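Review bot: The second patch (hunk `@@ -1,3 +1,2 @@`, removing `-min-release-age=7`) gives no rationale beyond "Drop cooldown period", while the first patch's message still advertises the 7-day cooldown as one of three mitigations and notes it "Requires npm >= 11.10.0". If the version requirement is the reason, say so in the commit body and state the project's current minimum npm version, so a future contributor knows when the setting can be reinstated; otherwise consider squashing the two patches so the history does not record a mitigation that never shipped, and update the series subject and bullet list to match what actually lands.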