chore: supply-chain hardening top-up#421

Open
erik1o6 wants to merge 2 commits into development from chore/repo-hardening-2026-05-12

Conversation

@erik1o6 erik1o6 commented May 11, 2026

Contributor

Already-strong posture. Adds audit-level/engine-strict/fund to .npmrc and .nvmrc (24).

Summary by CodeRabbit

  • Chores
    • Updated Node.js version requirement to 24.
    • Enabled stricter npm audit (audit-level=high), enforced engine matching (engine-strict=true), and disabled funding prompts (fund=false).
    • CI checkout now avoids persisting GitHub credentials after checkout.

Review Change Stack

- .npmrc: add audit-level=high, engine-strict=true, fund=false (already had save-exact + min-release-age=7)
- .nvmrc (24) — matches CI setup-node version

Already strong: packageManager npm@11.10.0, exact-pinned deps, dependabot with cooldown + groups + ignore-major, scheduled npm audit workflow.
railway-app Bot commented May 11, 2026


🚅 Deployed to the euler-lite-pr-421 environment in euler-lite

Service: dev-build | Status: ✅ Success | Updated (UTC): Jun 23, 2026 at 9:51 pm

@railway-app railway-app Bot temporarily deployed to euler-lite / euler-lite-pr-421 May 11, 2026 23:32 Destroyed
coderabbitai Bot commented May 11, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ef28fa9 and 682b115.

📒 Files selected for processing (1)
  • .github/workflows/npm-audit.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/npm-audit.yml

Walkthrough

Node.js version pinned to 24 via .nvmrc; .npmrc adds audit-level=high, engine-strict=true, and fund=false; GitHub Actions checkout is set with persist-credentials: false.

Changes

Development Environment Configuration
  • Node.js Version Specification (.nvmrc): Node.js version is pinned to 24.
  • NPM Package and Audit Settings (.npmrc): npm audit severity level set to high, engine-strict=true enforced, and fund=false to disable funding prompts.
  • CI checkout credential persistence (.github/workflows/npm-audit.yml): actions/checkout@v4 step configured with persist-credentials: false to avoid persisting GitHub credentials after checkout.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • Seranged
  • kasperpawlowski

Poem

🐰 I hopped in to tweak the dev nest,
Pinned Node to twenty-four — all set for the test,
Audits run high, engines kept strict,
Funding prompts off, no prompts to conflict,
CI now checks out clean — hop, hop, and rest.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'chore: supply-chain hardening top-up' directly describes the main changes: adding npm security configurations and Node version specification for supply-chain hardening.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between da94b19 and ef28fa9.

📒 Files selected for processing (2)
  • .npmrc
  • .nvmrc

Comment thread .npmrc
Comment on lines +3 to +5
audit-level=high
engine-strict=true
fund=false
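Review bot: engine-strict=true in this hunk only has an effect when a package declares an engines range; nothing in this PR adds one to package.json, so add engines.node matching the .nvmrc value (24) and engines.npm matching the declared packageManager (npm@11.10.0) in the same change, otherwise the flag is a no-op for the project's own constraint and only ever fails installs on dependencies that ship their own engines field. Also note that audit-level=high makes npm audit exit non-zero only for high and critical advisories; moderate ones pass silently, so confirm that is the intended threshold for the scheduled audit workflow.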


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify package.json engines field matches .nvmrc and documented npm version

# Check if package.json exists and extract engines field
if [ -f "package.json" ]; then
  echo "=== package.json engines field ==="
  jq '.engines' package.json
  
  echo -e "\n=== Checking Node version compatibility ==="
  node_version=$(jq -r '.engines.node // "not specified"' package.json)
  echo "engines.node: $node_version"
  
  echo -e "\n=== Checking npm version ==="
  npm_version=$(jq -r '.engines.npm // "not specified"' package.json)
  echo "engines.npm: $npm_version"
  
  echo -e "\n=== Checking packageManager field ==="
  package_manager=$(jq -r '.packageManager // "not specified"' package.json)
  echo "packageManager: $package_manager"
else
  echo "ERROR: package.json not found"
  exit 1
fi

Repository: euler-xyz/euler-lite

engine-strict=true requires missing engines field in package.json.

The engine-strict=true setting will fail on npm install because package.json does not define the engines field. While packageManager is set to npm@11.10.0, this does not satisfy engine-strict=true, which specifically requires the engines.node and engines.npm fields.

Either add the engines field to package.json specifying Node and npm versions, or remove engine-strict=true from .npmrc. The other settings (audit-level=high and fund=false) are acceptable.


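A consistency check over the three files this PR touches, added here as an example (it is not the PR's or the euler-lite repository's code): it runs on constructed copies of .npmrc, .nvmrc and package.json, flags the engine-strict/engines mismatch the review raised, checks that audit-level is high or critical, and catches drift between the .nvmrc major and engines.node. The function names (check_hardening, make_sample, npmrc_get, json_str) and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR: cross-check the .npmrc / .nvmrc /
# package.json trio. Sample files below are constructed for illustration.

# npmrc_get FILE KEY -> the key's value (last occurrence wins, as npm does)
npmrc_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# json_str FILE KEY -> first "KEY": "value" found; enough for the engines
# block of package.json, not a general JSON parser (avoids a jq dependency)
json_str() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" 2>/dev/null | head -n 1
}
# check_hardening DIR -> one finding per line; exit status = number of findings
check_hardening() {
  dir=$1 n=0
  lvl=$(npmrc_get "$dir/.npmrc" audit-level)
  case "$lvl" in high|critical) ;; *) echo "audit-level is '$lvl', want high/critical"; n=$((n+1));; esac
  [ "$(npmrc_get "$dir/.npmrc" save-exact)" = true ] || { echo "save-exact not set"; n=$((n+1)); }
  [ "$(npmrc_get "$dir/.npmrc" fund)" = false ] || { echo "fund prompts still enabled"; n=$((n+1)); }
  node_spec=$(json_str "$dir/package.json" node)
  if [ "$(npmrc_get "$dir/.npmrc" engine-strict)" = true ] && [ -z "$node_spec" ]; then
    echo "engine-strict=true but package.json declares no engines.node"; n=$((n+1))
  fi
  nvm=$(sed -n 's/^[^0-9]*\([0-9][0-9]*\).*/\1/p' "$dir/.nvmrc" 2>/dev/null | head -n 1)
  eng=$(printf '%s' "$node_spec" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*/\1/p')
  if [ -n "$nvm" ] && [ -n "$eng" ] && [ "$nvm" != "$eng" ]; then
    echo ".nvmrc major $nvm differs from engines.node major $eng"; n=$((n+1))
  fi
  return "$n"
}

# make_sample DIR yes|no -> constructed files mirroring the PR, with or
# without the engines block the review asked for
make_sample() {
  printf 'save-exact=true\nmin-release-age=7\naudit-level=high\nengine-strict=true\nfund=false\n' > "$1/.npmrc"
  printf '24\n' > "$1/.nvmrc"
  if [ "$2" = yes ]; then
    printf '{ "packageManager": "npm@11.10.0", "engines": { "node": ">=24", "npm": ">=11" } }\n' > "$1/package.json"
  else
    printf '{ "packageManager": "npm@11.10.0" }\n' > "$1/package.json"
  fi
}

d=$(mktemp -d)
make_sample "$d" no;  check_hardening "$d" || echo "findings: $?"   # 1 finding
make_sample "$d" yes; check_hardening "$d" && echo "consistent"     # 0 findings
rm -rf "$d"
```

The same check can run against a real checkout by calling check_hardening with the repository root instead of the constructed directory.
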
@Seranged

Contributor

@erik1o6 thoughts on coderabbit review
