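# DeBros canonical .npmrc — drop-in supply-chain defense baseline.
#
# Adopt this file at the root of every npm/pnpm/yarn project.
# See https://github.com/DeBrosDAO/rules/blob/main/compliance/javascript-typescript.md
# for the full rationale.
#
# Format: npm/pnpm `.npmrc` (ini-style `key=value`, `#` full-line
# comments, one directive per line). Keys marked "pnpm only" are
# read by pnpm; npm may warn about them as unknown project config
# but does not act on them.

# -------------------------------------------------------------------
# CRITICAL: block install-time scripts.
#
# Postinstall / preinstall / install lifecycle scripts are the #1
# supply-chain attack vector for npm. A compromised package can
# silently exfiltrate secrets, modify host files, or install a
# backdoor — all before any of your code runs.
#
# Packages that *genuinely* need to run install scripts (esbuild,
# sharp, sqlite native bindings) must be explicitly listed in
# package.json under `pnpm.onlyBuiltDependencies` (pnpm) or you must
# selectively enable them another way.
#
# Side effect: this also skips this project's OWN lifecycle hooks —
# `prepare` on a bare install and the `pre*`/`post*` hooks around
# `npm run` / `npm test` — so anything that relied on a `prepare`
# hook (e.g. installing git hooks) needs an explicit script instead.
# -------------------------------------------------------------------
ignore-scripts=true

# -------------------------------------------------------------------
# Audit baseline: fail on moderate+ severity findings.
#
# This only sets the exit-code threshold for `npm audit` /
# `pnpm audit`; install itself does not fail on findings. CI must run
# the audit command explicitly for this setting to gate anything.
# -------------------------------------------------------------------
audit-level=moderate

# -------------------------------------------------------------------
# Don't auto-install peer dependencies — explicit is better than
# magic, and surprise installs change the lockfile shape. (pnpm only)
# -------------------------------------------------------------------
auto-install-peers=false

# -------------------------------------------------------------------
# Strict peer dependencies: error (don't silently skip) when a peer
# range is unsatisfied. Catches real bugs early. (pnpm only)
# -------------------------------------------------------------------
strict-peer-dependencies=true

# -------------------------------------------------------------------
# Prefer the local cache: bypass registry staleness checks for data
# already cached and only fetch what is missing. Fewer network round
# trips per install. Reproducibility comes from the lockfile, not
# from this flag — on its own it does not make node_modules
# byte-identical across machines.
# -------------------------------------------------------------------
prefer-offline=true

# -------------------------------------------------------------------
# Lockfile immutability: deliberately NO key set here.
# Lockfile mutation during install is forbidden in CI via the
# command itself (`--frozen-lockfile` for pnpm, `npm ci` for npm);
# defense in depth, enforced where the install is invoked rather
# than in this file.
# -------------------------------------------------------------------

# -------------------------------------------------------------------
# Save exact versions — no ^1.2.3 ranges. With Renovate handling
# upgrades, ranges only invite confusion. Lockfile is the source of
# truth either way.
# -------------------------------------------------------------------
save-exact=true

# -------------------------------------------------------------------
# Quiet non-interactive output: disable the funding banner and npm's
# update-notifier. Both clutter CI logs and add no value in
# non-interactive shells.
# -------------------------------------------------------------------
fund=false
update-notifier=false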