From 3d7f7f0f2a919ba0ff297f11281e0f4d54efe115 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Thu, 14 May 2026 10:36:38 -0700
Subject: [PATCH 1/4] Add .npmrc to harden npm install against supply-chain risk

Sets `ignore-scripts = true` to block lifecycle scripts from dependencies, and `save-exact = true` so new installs pin exact versions. Also includes a commented-out `min-release-age = 7` to be enabled once the project's minimum npm version is raised to 11+. Because `ignore-scripts` also skips this repo's own `prepare` script, contributors must now run `npm run prepare` once after install to wire up husky. This is documented in the Performance Lab handbook. Additionally aligns with the wordpress-develop and Gutenberg `.npmrc` defaults: `engine-strict`, `legacy-peer-deps`, `lockfile-version = 3`, and `prefer-dedupe`.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .npmrc | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .npmrc

diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000000..da7d409f3b
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,21 @@
+# Block lifecycle scripts (preinstall/install/postinstall/prepare) from
+# dependencies. Mitigates supply-chain attacks that rely on install scripts.
+# Note: this also skips this project's own `prepare` script, so the husky
+# git hooks must be installed manually (see CONTRIBUTING.md).
+ignore-scripts = true
+
+# Refuse to install package versions younger than this many days. Mitigates
+# fast-pulled malicious releases. Requires npm >= 11; uncomment once the
+# project's minimum npm version (and/or .nvmrc Node version) is raised to
+# ship npm 11+ by default.
+# See https://docs.npmjs.com/cli/v11/using-npm/config#min-release-age
+# min-release-age = 7
+
+# Pin exact versions when installing new packages instead of using ^/~ ranges.
+save-exact = true
+
+# WordPress ecosystem defaults (matching wordpress-develop and Gutenberg).
+engine-strict = true
+legacy-peer-deps = true
+lockfile-version = 3
+prefer-dedupe = true

From 3484824c65925cfd0bcbc0daaf1f7fc3ca40a28a Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Thu, 14 May 2026 11:06:10 -0700
Subject: [PATCH 2/4] Comment out engine-strict pending Node version bump

`engine-strict = true` correctly surfaced a latent inconsistency: the recent Dependabot bump to `lint-staged@17.0.2` requires Node >= 22.22.1, but `engines.node` is `>=20.19.0` and `.nvmrc` pins Node 20.19. CI consequently fails to `npm ci`. Comment it out for now with the same treatment as `min-release-age`: re-enable once the project's minimum Node version is raised to match current dep requirements (or the offending dep is downgraded).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .npmrc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.npmrc b/.npmrc
index da7d409f3b..d5cabe76ee 100644
--- a/.npmrc
+++ b/.npmrc
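Review bot: The comment above `ignore-scripts = true` names only the project's own `prepare` script as collateral, but the setting also suppresses every `pre*`/`post*` hook when scripts are run via `npm run`/`npm test`, and it skips the `install`/`postinstall` steps some packages use to compile or fetch native binaries, leaving them installed but unbuilt. Neither effect is mentioned, so a contributor hitting a silently skipped `pretest` step or a broken native module has nothing in this file pointing at the cause. I would extend the note with `# Also skips pre*/post* hooks of npm run/test, and the install scripts some packages use to build or download native binaries; for those run: npm rebuild --ignore-scripts=false <pkg>` (the CLI override is my recollection of npm's precedence rules; confirm against the npm version in use). The `min-release-age` comment says "Requires npm >= 11", but as I recall the option only arrived in an 11.x minor (11.6), so `# Requires npm >= 11.6` would be the more precise floor to check against `.nvmrc`. Since a project `.npmrc` is only read when npm runs inside this repository, it may be worth one line stating that the protection covers `npm install`/`npm ci` here and not global installs.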
@@ -14,8 +14,13 @@ ignore-scripts = true
 # Pin exact versions when installing new packages instead of using ^/~ ranges.
 save-exact = true
 
+# Hard-enforce the `engines` field in package.json so contributors and CI
+# fail fast on too-old Node/npm. Uncomment once the project's minimum Node
+# version is raised; with the current floor (`engines.node >= 20.19.0`),
+# enabling this breaks on lint-staged@17, which requires Node >= 22.22.1.
+# engine-strict = true
+
 # WordPress ecosystem defaults (matching wordpress-develop and Gutenberg).
-engine-strict = true
 legacy-peer-deps = true
 lockfile-version = 3
 prefer-dedupe = true

From 805ba4a02a4c11f2369889aa6a7ca6bece36cd1d Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Thu, 14 May 2026 11:11:24 -0700
Subject: [PATCH 3/4] Remove `legacy-peer-deps = true` from .npmrc

Co-authored-by: thelovekesh
---
 .npmrc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.npmrc b/.npmrc
index d5cabe76ee..5f02eabe3f 100644
--- a/.npmrc
+++ b/.npmrc
@@ -21,6 +21,5 @@ save-exact = true
 # engine-strict = true
 
 # WordPress ecosystem defaults (matching wordpress-develop and Gutenberg).
-legacy-peer-deps = true
 lockfile-version = 3
 prefer-dedupe = true

From 3fe12657409c403e64f83e93cce4215045f99f99 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Thu, 14 May 2026 11:12:27 -0700
Subject: [PATCH 4/4] Explain why legacy-peer-deps is missing

---
 .npmrc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.npmrc b/.npmrc
index 5f02eabe3f..14662c5d7a 100644
--- a/.npmrc
+++ b/.npmrc
@@ -20,6 +20,7 @@ save-exact = true
 # enabling this breaks on lint-staged@17, which requires Node >= 22.22.1.
 # engine-strict = true
 
-# WordPress ecosystem defaults (matching wordpress-develop and Gutenberg).
+# WordPress ecosystem defaults (matching wordpress-develop and Gutenberg),
+# except for the unnecessary `legacy-peer-deps = true`.
 lockfile-version = 3
 prefer-dedupe = true
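Review bot: Commenting out `engine-strict = true` switches the check off rather than keeping the mismatch visible: with it disabled, `npm ci` on Node 20.19 installs `lint-staged@17` with only an `EBADENGINE` warning, so the next Dependabot bump that raises a dependency's Node floor will pass CI silently and surface later as a runtime failure in a git hook. The new comment also hardcodes `lint-staged@17` and `Node >= 22.22.1`, which go stale as soon as either side moves. I would phrase the re-enable condition in terms of what actually has to change — `# Re-enable once .nvmrc and engines.node satisfy every dependency's engines field (tracked in <ISSUE-PLACEHOLDER>)` — and, until then, have CI fail on `EBADENGINE` in the `npm ci` output so the drift this setting caught stays loud.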