# Supply-chain hardening for the npm workspace (dashboard + desktop).
# save-exact: `npm install <pkg>` writes an exact version, never a ^ range,
#   so a casual install can't reintroduce a floating dependency.
# package-lock: always maintain package-lock.json (the integrity-hashed,
#   transitively-pinned source of truth). Installs in CI use `npm ci`, which
#   fails if package.json and the lockfile disagree.
save-exact=true
package-lock=true
