# Supply-chain policy (see SUPPLY-CHAIN-SECURITY.md): no lifecycle scripts,
# exact pins, a committed lockfile, and a 14-day release cool-off.
# min-release-age requires npm 11.10 or newer; CI and publishing pin a Node
# release that includes a compatible npm.
ignore-scripts=true
engine-strict=true
min-release-age=14
package-lock=true
save-exact=true
