Security maintenance (#595)

fraxken · web-flow · commit b18f6bca4192 · 2025-11-06T18:42:52.000+01:00
* chore(dependabot): cool-down to 5 days

* chore: ignore NPM scripts &amp; add save-exact to pin deps by default
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
     directory: /
     schedule:
       interval: monthly
+    cooldown:
+      default-days: 5
     groups:
       github-actions:
         patterns:
@@ -14,6 +16,8 @@ updates:
     versioning-strategy: widen
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 5
     groups:
       dependencies:
         dependency-type: "production"
diff --git a/.github/workflows/cache.yml b/.github/workflows/cache.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
-        run: npm install
+        run: npm install --ignore-scripts
       - name: Build
         run: npm run build:all
       - name: Run tests
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -28,7 +28,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
-        run: npm install
+        run: npm install --ignore-scripts
       - name: Build
         run: npm run build --ws --if-present
       - name: Run tests
diff --git a/.github/workflows/npm-provenance.yml b/.github/workflows/npm-provenance.yml
@@ -20,7 +20,7 @@ jobs:
           node-version: '20.x'
           registry-url: 'https://registry.npmjs.org'
       - run: npm install -g npm
-      - run: npm install
+      - run: npm install --ignore-scripts
       - run: npm publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
-        run: npm install
+        run: npm install --ignore-scripts
       - name: Build
         run: npm run build:all
       - name: Run tests
diff --git a/.github/workflows/size-satisfies.yml b/.github/workflows/size-satisfies.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
-        run: npm install
+        run: npm install --ignore-scripts
       - name: Build
         run: npm run build:all
       - name: Run tests
diff --git a/.github/workflows/vis-network.yml b/.github/workflows/vis-network.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
-        run: npm i
+        run: npm install --ignore-scripts
       - name: Build
         run: npm run build:all
       - name: Run tests
diff --git a/.npmrc b/.npmrc
@@ -1,2 +1,4 @@
 package-lock=false
 provenance=true
+save-exact=true
+ignore-scripts=true
