From 3813bac3c9c3435aa0b2f4ddabf7d5e8be5ff185 Mon Sep 17 00:00:00 2001 From: Nathanael Esayeas Date: Wed, 20 May 2026 11:16:32 -0500 Subject: [PATCH 1/2] Mitigate npm supply-chain attacks via `.npmrc` file - Add `ignore-scripts=true` to prevent execution of `postinstall` and other lifecycle scripts, supply-chain attack protection. - Add `min-release-age=7` to avoids packages uploaded in the last 7 days, supply-chain attack protection. (Requires npm >= 11.10.0) - Add `package-lock=true` to ensure consistent dependency resolution across environments. Signed-off-by: Nathanael Esayeas --- .npmrc | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .npmrc diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..050bd2d --- /dev/null +++ b/.npmrc @@ -0,0 +1,3 @@ +ignore-scripts=true +min-release-age=7 +package-lock=true From bc391c4f603159a5f3affb9164812d557f5a8e21 Mon Sep 17 00:00:00 2001 From: Nathanael Esayeas Date: Wed, 20 May 2026 21:40:53 -0500 Subject: [PATCH 2/2] Drop cooldown period Signed-off-by: Nathanael Esayeas --- .npmrc | 1 - 1 file changed, 1 deletion(-) diff --git a/.npmrc b/.npmrc index 050bd2d..9401040 100644 --- a/.npmrc +++ b/.npmrc @@ -1,3 +1,2 @@ ignore-scripts=true -min-release-age=7 package-lock=true
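Review bot: `ignore-scripts=true` in a project-level `.npmrc` is broader than the commit message implies: besides blocking `postinstall` of dependencies at install time, npm also skips the project's own `prepare`, `preinstall`/`postinstall` and the `pre`/`post` hooks around `npm test`, `npm start` and `npm run` for every developer and CI job that uses this checkout, and any dependency that needs an install script to build or download a native binary will be installed in a non-working state with no error from npm. Please confirm that `npm ci` followed by the test suite passes with this file in place, and add a line to the commit message (or a comment in `.npmrc`) stating that lifecycle scripts are disabled repo-wide and how to run a needed script explicitly. Two smaller points: `package-lock=true` is already npm's default, so state in the message that it is there to document intent rather than change behaviour, and `min-release-age` is unknown to npm versions below the 11.10.0 mentioned in the message, so note what older clients do with it. Typo in the second bullet: "to avoids" should read "to avoid".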
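Review bot: the second patch removes `min-release-age=7` with the one-line message "Drop cooldown period" and no rationale, yet the first patch's message still advertises that setting as supply-chain protection; after both land, the history claims a mitigation that the tree does not contain. Either squash the two commits and drop the `min-release-age` bullet from the description, or record in this commit message why the cooldown was removed (for example, whether it was the npm >= 11.10.0 requirement that the first message calls out) so the next person does not simply re-add it.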