# Supply-chain policy (see SUPPLY-CHAIN-SECURITY.md):
# no install/lifecycle scripts, exact pins, committed lockfile, and a 14-day
# cool-off on new releases (min-release-age needs npm 11.10+; older npms warn
# and ignore it, the lockfile still pins resolution).
ignore-scripts=true
save-exact=true
package-lock=true
min-release-age=14
