diff --git a/web/ui/.npmrc b/web/ui/.npmrc
new file mode 100644
index 0000000000..edefb840ae
--- /dev/null
+++ b/web/ui/.npmrc
@@ -0,0 +1,9 @@
+ignore-scripts=true
+# Prevent installing packages sourced directly from git. Such packages bypass
+# registry integrity checks and can ship their own .npmrc that re-enables
+# lifecycle scripts, silently defeating ignore-scripts above.
+allow-git=none
+# Require packages to be published for at least 3 days before they can be
+# installed. This mitigates transient supply-chain attacks where a malicious
+# package is published and quickly pulled in before the community can react.
+min-release-age=3
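Review bot: The first line, `ignore-scripts=true`, is the setting the other two comments build on, yet it is the only key in the file without a comment saying what it defends against or what it costs. A header such as `# Never run package lifecycle scripts (preinstall/postinstall/...) during install;` / `# they are the usual execution vector for a compromised dependency. Packages that` / `# need a postinstall (e.g. native addons) must be built by an explicit, audited step.` would make the trade-off visible to whoever next hits a missing build artifact. Separately, npm only honours config keys it recognises; a developer or CI runner on an npm release that predates `allow-git` or `min-release-age` gets at most a warning and installs without those protections, so the file should state the minimum npm version these keys require, and if the project already pins npm elsewhere (an `engines` or `packageManager` field, presumably), that pin is the place to enforce it.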