# npm install-time hardening. Each key below narrows what `npm install` may
# fetch or execute. A key the running npm does not recognise is not enforced,
# so confirm that the npm version used locally and in CI supports all three.

# Do not run lifecycle scripts (preinstall/install/postinstall, ...) declared
# in package.json files, so installing a dependency does not by itself run
# that dependency's scripts. Side effects: dependencies that build native code
# in an install script are left unbuilt, and `npm run <name>` still runs
# <name> but skips its pre/post hooks.
ignore-scripts=true
# Prevent installing packages sourced directly from git. Such packages bypass
# registry integrity checks and can ship their own .npmrc that re-enables
# lifecycle scripts, silently defeating ignore-scripts above.
# NOTE(review): `none` is the strictest value and is expected to reject git
# dependencies declared by this project as well as transitive ones; confirm
# that nothing in package.json or the lockfile resolves to a git URL.
allow-git=none
# Require packages to be published for at least 3 days before they can be
# installed. This mitigates transient supply-chain attacks where a malicious
# package is published and quickly pulled in before the community can react.
# The value is a number of days. Fix releases younger than this are held back
# too, so an urgent security patch needs a deliberate, reviewed override.
min-release-age=3
