From 1dd4d3f6c353be9fcaff3f091201789bd78871f2 Mon Sep 17 00:00:00 2001
From: Julien <291750+roidelapluie@users.noreply.github.com>
Date: Fri, 29 May 2026 14:28:10 +0200
Subject: [PATCH] ui: add supply-chain hardening .npmrc (#18794)

Set ignore-scripts=true, allow-git=none, and min-release-age=3 to harden npm installs against lifecycle script abuse, git-sourced dependencies, and recently published packages.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
---
 web/ui/.npmrc | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 web/ui/.npmrc

diff --git a/web/ui/.npmrc b/web/ui/.npmrc
new file mode 100644
index 0000000000..edefb840ae
--- /dev/null
+++ b/web/ui/.npmrc
@@ -0,0 +1,9 @@
+ignore-scripts=true
+# Prevent installing packages sourced directly from git. Such packages bypass
+# registry integrity checks and can ship their own .npmrc that re-enables
+# lifecycle scripts, silently defeating ignore-scripts above.
+allow-git=none
+# Require packages to be published for at least 3 days before they can be
+# installed. This mitigates transient supply-chain attacks where a malicious
+# package is published and quickly pulled in before the community can react.
+min-release-age=3
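Review bot: `ignore-scripts=true` on the first line of the new file is the only setting left without an explanatory comment, while `allow-git` and `min-release-age` each carry one; add `# Do not run package lifecycle scripts (preinstall/install/postinstall) during install; they are the usual way a malicious dependency executes code on a developer or CI host.` above it. Since `ignore-scripts` also suppresses this project's own lifecycle hooks (e.g. a `prepare` script), any build step that relied on them must now be invoked explicitly, which is worth confirming against web/ui/package.json, outside this patch. The `allow-git` and `min-release-age` keys are only enforced by npm releases that recognise them; an older npm skips an unknown `.npmrc` key with at most a warning, so the hardening would silently not apply unless the minimum npm version is pinned (e.g. via `engines`) or checked in CI.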