# Defense-in-depth: disable dependency lifecycle scripts on install.
#
# Why:
#   A malicious or compromised npm package can ship a `preinstall`, `install`
#   or `postinstall` script that runs with the installing user's privileges
#   the moment ANYONE (CI or local) runs `npm install`, `yarn install`, or
#   `pnpm install` on this repo, e.g. to read tokens from the environment or
#   drop files into the working tree. Bun only runs dependency lifecycle
#   scripts for packages it trusts; this file sets the same default for npm
#   and pnpm (both read `.npmrc`) so the protection survives a tool switch.
#   - Caveat: Yarn Berry (v2+) does NOT read `.npmrc`; it needs
#     `enableScripts: false` in `.yarnrc.yml`. Yarn classic (v1) honours the
#     `--ignore-scripts` flag on `yarn install`.
#
# What still works:
#   - This repo's OWN `scripts` entries invoked explicitly (`bun run build`,
#     `bun test`, `npm run build`, `npm test`) still run; they are commands
#     the developer asks for, not dependency lifecycle hooks.
#   - Caveat: with npm, `ignore-scripts=true` also skips this repo's own
#     install-time hooks (`prepare`, `postinstall`) and the `pre<x>`/`post<x>`
#     wrappers around `npm run <x>`. Anything that used to live in such a
#     hook must become an explicit script that is run on purpose.
#   - Bun's `trustedDependencies` field in package.json can still allowlist
#     deps that genuinely need to run a postinstall (none added today; read
#     the dep's script before adding it). Note that Bun also ships a built-in
#     default list of popular packages whose scripts it does run
#     (`bun pm default-trusted` prints it), so "none today" means none added
#     by this repo. pnpm's equivalent allowlist is `pnpm.onlyBuiltDependencies`.
#
# Reference incidents:
#   - Shai-Hulud (May 2026): malicious TanStack Start postinstall dropped
#     .claude/settings.json hooks into repos via Renovate auto-PRs.
#   - Glassworm: invisible-Unicode payloads in npm tarballs.
ignore-scripts=true
