From ef28fa9108829d9b028e2243011e06b5d01ca5aa Mon Sep 17 00:00:00 2001
From: erik1o6 <2449138+erik1o6@users.noreply.github.com>
Date: Tue, 12 May 2026 01:32:00 +0200
Subject: [PATCH 1/2] chore: supply-chain hardening top-up
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- .npmrc: add audit-level=high, engine-strict=true, fund=false (already had save-exact + min-release-age=7)
- .nvmrc (24) — matches CI setup-node version
Already strong: packageManager npm@11.10.0, exact-pinned deps, dependabot with cooldown + groups + ignore-major, scheduled npm audit workflow.
---
 .npmrc | 3 +++
 .nvmrc | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 .nvmrc

diff --git a/.npmrc b/.npmrc
index 8419bc301..aefafef1e 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1,2 +1,5 @@
 save-exact=true
 min-release-age=7
+audit-level=high
+engine-strict=true
+fund=false
diff --git a/.nvmrc b/.nvmrc
new file mode 100644
index 000000000..a45fd52cc
--- /dev/null
+++ b/.nvmrc
@@ -0,0 +1 @@
+24

From 682b115b0d18425bfd840eaa6c262010c384eb5b Mon Sep 17 00:00:00 2001
From: VictorSB
Date: Thu, 14 May 2026 20:23:42 +0200
Subject: [PATCH 2/2] chore: disable persisted checkout credentials

---
 .github/workflows/npm-audit.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
index c93965132..57c2fc002 100644
--- a/.github/workflows/npm-audit.yml
+++ b/.github/workflows/npm-audit.yml
@@ -13,6 +13,8 @@ jobs: issues: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with:
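Review bot: `audit-level=high` in the .npmrc hunk makes `npm audit` exit non-zero only for high and critical advisories, so moderate and low findings will pass the scheduled audit workflow silently; if that threshold is intended, record it in the file, e.g. `# fail npm audit only on high/critical advisories; lower severities are accepted knowingly`. `engine-strict=true` only has an effect when package.json declares an `engines` range, and package.json is not part of this patch, so confirm it pins a Node range that agrees with the `24` written to the new .nvmrc; without that, `npm ci` enforces nothing. Note that `24` in .nvmrc pins only the major, so the Node binary used locally and in CI still floats within 24.x, which is looser than the exact-pinned dependency policy the commit message describes.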