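# .npmrc — project-level npm configuration, read by the npm CLI on every command.
# Comments are full lines starting with '#'; values are key=value with no quoting.

# Do not run lifecycle scripts (preinstall/install/postinstall/prepare) during
# install. This neutralizes the dominant npm supply-chain attack vector.
#
# Note: npm applies this setting to the root package's own lifecycle scripts as
# well, not only to dependencies (e.g. a project-level `prepare` hook is skipped
# too). `npm run <script>` still runs the named script, but its pre/post hooks
# are skipped.
#
# Packages that legitimately need a build step (e.g. esbuild, chromedriver,
# tree-sitter) must be rebuilt explicitly. `npm rebuild` honors ignore-scripts
# from this file as well, so the override must be passed on the command line:
#
#   npm rebuild --ignore-scripts=false --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json
#
# Keep that allow-list short and review it whenever a package is added to it.
ignore-scripts=true

# Fail fast if the active Node/npm doesn't match the "engines" field.
# This applies to every package in the tree, so an install also fails when a
# dependency's "engines" field is not satisfied, not just the root package's.
engine-strict=true

# Pin exact versions so `npm install <pkg>` writes "1.2.3" not "^1.2.3".
# Only direct dependencies in package.json are affected; transitive versions
# are held by the lockfile, so use `npm ci` to reproduce it exactly.
save-exact=true

# Surface CVE warnings during install; doesn't block.
# This is also npm's default. To turn findings into a failing gate, run
# `npm audit --audit-level=<level>` as a separate CI step.
audit=true

# Suppress funding banners.
fund=false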