# Studio frontend npm configuration (.npmrc: project-level npm config, the
# registry line is also read by bun). Plain `key=value`, `#` comments on
# their own lines only; never put a comment after a value.
#
# Mini Shai-Hulud / Axios-style supply chain defense.
# Requires npm >=11.10.0. Refuses tarballs published less than 7 days ago,
# closing the typical 4-72h attack window between malicious publish and
# upstream removal. npm interprets the bare integer as DAYS; do not
# append `d`, npm 11.x will parse `7d` as a Date string and abort.
#
# NOTE(review): on npm older than 11.10.0 this key is unknown and, going by
# the unknown-project-config warning described below, is presumably skipped
# with a warning rather than enforced -- the gate fails OPEN on an old
# toolchain. Pin the npm version in CI (and/or package.json `engines`) so an
# outdated npm fails loudly instead; confirm against the npm docs in use.
# NOTE(review): the cooldown is applied when npm resolves versions
# (`npm install` / `npm update`); a version already recorded in
# package-lock.json is presumably installed as-is by `npm ci`, so this guards
# lockfile updates rather than lockfile-driven installs -- confirm.
min-release-age=7
# Do not re-add the old `minimum-release-age` alias: npm >=11.16 warns on
# unknown project configs and npm 12 stops accepting them.
# Belt-and-braces: refuse to write back loose `^x.y.z` ranges into
# package.json when a maintainer runs `npm install <pkg>` locally. This
# does NOT rewrite already-present ranges (those need an explicit
# `npm install <name>@<version> --save-exact` pass) but it stops new
# carets from creeping into the manifest as patch-version footguns.
# Note that exact pins in package.json are only as good as the committed
# package-lock.json; the lockfile, not this flag, is what makes a build
# reproducible.
save-exact=true
# Pin the default registry so a stale or hostile *lower-precedence* ~/.npmrc
# can't silently redirect our installs to an attacker registry. Note this does
# NOT block an ambient NPM_CONFIG_REGISTRY env var: npm and bun honor that at a
# higher precedence than this project file. That is exactly why Unsloth does not
# read NPM_CONFIG_REGISTRY and instead exposes one deliberate, explicit opt-in.
#
# Corporate mirror / proxy (issue #6491): if your firewall blocks
# registry.npmjs.org, set UNSLOTH_NPM_REGISTRY=<your-mirror-url> when running
# ./install.sh (or setup.sh / setup.ps1). The installer threads it as
# `--registry <url>`, which overrides this line for both npm and bun while
# leaving the min-release-age and save-exact locks above in force. Do not edit
# this line for that -- the env var keeps the default pinned for everyone else.
#
# NOTE(review): "in force ... for bun" holds for npm; bun configures its own
# publish cooldown separately (`install.minimumReleaseAge` in bunfig.toml) and
# it is not clear from this file that bun honors `min-release-age` from
# .npmrc -- confirm, and mirror the 7-day value there if it does not.
# Keep the trailing slash: npm treats the registry URL as a prefix.
registry=https://registry.npmjs.org/
# Severity threshold at which `npm audit` exits non-zero. `high` means
# moderate and low advisories are still printed but do NOT fail the command;
# it does not change what `npm install` reports. Lower to `moderate` if CI
# is meant to block on those too.
audit-level=high
# Suppress the post-install funding banner; output-only, no security effect.
fund=false
# Maintainer note: use `npm ci` (never `npm install`) in CI and locally
# when reproducing a build. The 7-day cooldown above is enforced by npm
# itself; downgrading or removing it bypasses the supply-chain gate.
#
# NOTE(review): this file does not disable package lifecycle scripts
# (preinstall/postinstall), which the release-age gate only delays, not
# blocks. `ignore-scripts=true` would close that off but breaks packages that
# need a native build step -- evaluate per dependency set before adding it.
