From 431ab57dedb4e7e93929e9804ab7c2bd18b9f421 Mon Sep 17 00:00:00 2001 From: Masafumi Koba <473530+ybiquitous@users.noreply.github.com> Date: Tue, 5 May 2026 13:47:33 +0900 Subject: [PATCH] Harden `npm install` security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add three flags to `.npmrc` to reduce supply-chain risk: - `allow-git = "none"` — block git URL dependencies. - `ignore-scripts = true` — skip lifecycle scripts on install. - `min-release-age = 3` — only install package versions at least 3 days old. Note: contributors must run `npm run prepare` manually post-clone to set the local git hooks path, since `ignore-scripts` skips the `prepare` script. Ref: https://github.com/lirantal/npm-security-best-practices/blob/a98aeb7197d3820686337f28ea96ffe94333457b/README.md --- .npmrc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.npmrc b/.npmrc index fbc7523..77b5422 100644 --- a/.npmrc +++ b/.npmrc @@ -1,2 +1,5 @@ +allow-git = "none" engine-strict = true +ignore-scripts = true +min-release-age = 3 # days tag-version-prefix = ""
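Review bot: the three added keys (`allow-git`, `ignore-scripts`, `min-release-age`) only take effect on npm versions that implement them, and an npm that does not know a key ignores it (newer versions print an "Unknown project config" warning, older ones say nothing), so on an older toolchain the hardening silently does not apply while the commit message reads as if it always does. Since the file already has `engine-strict = true`, consider pairing it with a minimum npm version in `engines.npm` (or a `packageManager` pin) so an unsupported npm fails loudly instead of installing with the protections absent, and add a short comment in `.npmrc` itself noting that `ignore-scripts = true` also suppresses the project's own `prepare` hook and that contributors (and CI) must run `npm run prepare` explicitly, as the commit message already states.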