# npm Supply Chain Security Hardening
# Aligned with recommendations from Supabase npm supply chain protection guide

# Disable all lifecycle scripts by default (preinstall/install/postinstall)
# This is one of the most effective defenses against malicious packages
ignore-scripts=true

# Minimum release age (in days) before a new package version can be installed
# Helps protect against newly published malicious versions (npm 11+ feature)
# Start with 3 days; can increase to 7 later
min-release-age=3

# Disable funding messages (reduces noise)
fund=false

# Always run audit (non-blocking in CI where appropriate)
audit=true
