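# z4j dashboard npm/pnpm hardening
#
# Why this file exists
# --------------------
# npm has had multiple supply-chain compromises in the last few
# years (event-stream, ua-parser-js, colors.js, axios transitive
# breaches in 2025, ...). The default install behaviour - run
# arbitrary postinstall scripts from any package in the
# transitive graph - is the load-bearing vector. Most of the
# settings below close that surface.
#
# Read by npm and by pnpm (pnpm reads .npmrc as well); keys that
# only pnpm understands are marked "pnpm-specific".
#
# Precedence caveat: command-line flags and npm_config_*
# environment variables override every line in this file, so CI
# should assert the effective values (`npm config get <key>`)
# rather than trust the file's presence alone.
#
# Effect summary:
# - postinstall / preinstall / install scripts are blocked
#   globally. If a transitive dep is compromised and ships a
#   postinstall payload, npm refuses to run it.
# - TLS to the registry is strictly verified; tarball content is
#   verified against the SRI `integrity` hashes in the lockfile.
# - lockfile drift is an error for pnpm installs (frozen-lockfile
#   below) and for `npm ci`; a plain `npm install` still rewrites
#   package-lock.json, so CI must use `npm ci`.
# - public registry is pinned at project level (a user or global
#   .npmrc cannot override it).

# Block install / preinstall / postinstall script execution from
# the entire dependency graph. This is THE most important line
# in this file. The vast majority of npm supply-chain payloads
# fire from a compromised dep's postinstall. We do not need any
# postinstall behaviour to build the dashboard.
# Side effects to know about: this also skips this project's own
# lifecycle scripts (prepare, postinstall, ...) and the pre/post
# hooks around `npm run <script>`; the named script itself still
# runs. pnpm honours this key for dependencies as well.
ignore-scripts=true

# Transport hardening: verify the registry's TLS certificate and
# abort on failure instead of falling back. This is npm's default
# and is restated so a user or global .npmrc cannot switch it
# off. It is NOT package integrity - that comes from the SRI
# `integrity` hashes recorded in the lockfile, which npm and pnpm
# check on every tarball they fetch.
strict-ssl=true

# Always maintain package-lock.json (npm default, restated so a
# user-level `package-lock=false` cannot disable it). Limit to
# be aware of: this does not make `npm install` fail when the
# lock is out of sync - it quietly rewrites it. Only `npm ci`
# refuses to run on a drifted or missing lockfile, so CI must
# use `npm ci` (npm has no `--frozen-lockfile` flag; that
# spelling belongs to pnpm/yarn). The pnpm-side guard for
# developer laptops is `frozen-lockfile` further down.
package-lock=true
fund=false
# `audit-level` is only the exit-code threshold for `npm audit`;
# the audit summary printed by `npm install` stays informational.
audit=true
audit-level=moderate

# Pin the registry explicitly so a user-level or global .npmrc
# cannot redirect installs to a mirror. Caveats: CLI flags and
# the npm_config_registry environment variable still override
# this file, and a scoped `@scope:registry=` entry overrides it
# for that scope, so pin any scoped registries here too.
registry=https://registry.npmjs.org/

# pnpm-specific: keep transitive deps out of the importable tree.
# hoist=false stops pnpm hoisting into the virtual store's
# node_modules (node_modules/.pnpm/node_modules);
# shamefully-hoist=false keeps the project-root node_modules
# free of anything not declared in package.json. Together they
# cut the "phantom dependency" surface where code can import a
# transitive dep that we never intentionally installed.
# Remaining gap: pnpm's default `public-hoist-pattern` still
# hoists eslint/prettier plugins to the root; set
# `public-hoist-pattern=` (empty) if that surface matters.
hoist=false
shamefully-hoist=false

# pnpm-specific: refuse to install if pnpm-lock.yaml would have
# to change. This is the local-developer equivalent of CI's
# `--frozen-lockfile`. `prefer-frozen-lockfile` alone is NOT
# enough - it only attempts a headless install first and falls
# back to a resolving install that rewrites the lock when the
# lock is out of sync. Adding a dependency locally is therefore
# an explicit `pnpm install --no-frozen-lockfile`.
frozen-lockfile=true
prefer-frozen-lockfile=true

# pnpm-specific: `enable-pre-post-scripts` governs whether
# `pnpm run build` also runs `prebuild`/`postbuild` from OUR
# package.json - it is the pnpm analogue of the pre/post-hook
# part of ignore-scripts, not a control on dependency lifecycle
# scripts. Dependency postinstalls are blocked by
# `ignore-scripts=true` above (pnpm honours it) and, on newer
# pnpm releases (10.x), by the default that only packages listed
# in `pnpm.onlyBuiltDependencies` in package.json may run build
# scripts - confirm which applies to the pnpm version in use.
enable-pre-post-scripts=false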
