
chore: add .npmrc to mitigate supply chain attack#157

Merged
Vritra4 merged 1 commit into main from chore/add-npmrc on Apr 1, 2026

Conversation

@Vritra4
Contributor

@Vritra4 Vritra4 commented Apr 1, 2026

Summary by CodeRabbit

  • Chores
    • Updated npm configuration to enforce a minimum release age for packages, enhancing supply-chain security by preventing installation of very recently published packages.

@Vritra4 Vritra4 requested review from joon9823 and songwongtp April 1, 2026 05:21
@Vritra4 Vritra4 self-assigned this Apr 1, 2026
@coderabbitai

coderabbitai bot commented Apr 1, 2026

Walkthrough

A .npmrc configuration file is added with min-release-age=1 setting to enforce a minimum one-day release age for packages installed from npm registry, with comments documenting the supply-chain mitigation intent.

Changes

Cohort / File(s) | Summary
NPM Configuration: .npmrc | Added min-release-age=1 setting with documentation comments to enforce minimum package release age for supply-chain security.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A new .npmrc hops into place,
Packages must age before embrace!
One day of time guards the supply,
Fresh deps with caution, no need to rush by! 📦✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically identifies the main change: adding a .npmrc file to mitigate supply chain attacks, which matches the actual modification in the pull request.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@github-actions

github-actions bot commented Apr 1, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 5f755b3.
Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.

Scanned Files

None


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.npmrc (1)

1-4: Consider complementary security measures and enforce npm version requirement.

While min-release-age=1 adds a valuable security layer, consider these complementary approaches:

  1. Enforce npm version: Add an engines field to package.json to ensure developers use npm 10.x+:

    "engines": {
      "npm": ">=10.0.0",
      "node": ">=24.0.0"
    }
  2. Enable package-lock.json integrity: Ensure package-lock.json is committed and used in CI (already using npm ci in workflows, which is good).

  3. Add npm audit: Consider adding npm audit checks to CI workflows to catch known vulnerabilities.

  4. Consider stricter registry settings: For additional security, you could also add:

    prefer-offline=true
    audit=true
    
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.npmrc around lines 1 - 4, Update project configuration to enforce npm/node
versions and strengthen npm security: add an "engines" field to package.json
requiring npm >=10.0.0 and node >=24.0.0; ensure package-lock.json is committed
and CI uses npm ci (verify the workflow file runs npm ci); add an npm audit step
in CI to fail on high/critical findings; and optionally add prefer-offline=true
and audit=true to .npmrc to tighten registry behavior. Reference package.json
("engines"), package-lock.json, the CI workflow file (where npm commands run),
and .npmrc when making these changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0c757945-3ab9-46b6-91fd-5da725d329fd

📥 Commits

Reviewing files that changed from the base of the PR and between 2adda84 and 5f755b3.

📒 Files selected for processing (1)
  • .npmrc

@Vritra4 Vritra4 merged commit 40c4f3f into main Apr 1, 2026
5 checks passed
@Vritra4 Vritra4 deleted the chore/add-npmrc branch April 1, 2026 07:39