# Refuse to run install-lifecycle scripts from any package in the dependency
# tree. A compromised maintainer or hijacked publish token cannot then ship
# code that executes at `npm install` / `npm ci` time on developer laptops or
# CI runners. Background: shai-hulud-class supply-chain attacks ride
# postinstall scripts to run arbitrary code with the user's identity.
#
# This is safe for woo because the dependency tree audited cleanly: no
# package in production OR dev tree requires an install script to be
# functional. Modern esbuild ships its platform binary inside the
# `@esbuild/<platform>` package (a plain file install); its top-level
# `postinstall: node install.js` is integrity verification, not the
# binary itself, so skipping it does not break `vite build` or `vitest`.
# Playwright browser binaries are fetched by an explicit `npx playwright
# install`, not by lifecycle scripts.
#
# If a future dependency genuinely requires its install script, run that
# specific rebuild with `npm rebuild --ignore-scripts=false <pkg>` —
# explicit invocations bypass this flag.
ignore-scripts=true
