diff --git a/.circleci/config.yml b/.circleci/config.yml
index 63acb7fc..fce6e4a4 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -55,6 +55,7 @@ jobs:
 - browser-tools-job
 - <<: *set_npm_auth
 - run: npm ci
+ - run: npm rebuild esbuild --ignore-scripts=false --foreground-scripts
 - run: npx browser-driver-manager install chromedriver --verbose
 - save_cache:
 key: v9-cache-unix-{{ checksum "package-lock.json" }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fb7ba06a..bf8d43fc 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,6 +18,7 @@ jobs:
 node-version-file: .nvmrc
 cache: 'npm'
 - run: npm ci
+ - run: npm rebuild esbuild --ignore-scripts=false --foreground-scripts
 - run: npm run prepare
 - run: npm run build
 - uses: actions/upload-artifact@v4
diff --git a/.npmrc b/.npmrc
index 0453efcd..829ddb75 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1,11 @@
-registry=https://registry.npmjs.org
\ No newline at end of file
+registry=https://registry.npmjs.org
+
+# Supply-chain hardening directives (AXE-3444). Public repo: access is left
+# unset (access=restricted applies to private repos only).
+# Do NOT add tokens or secrets here; this repo installs from the public registry.
+ignore-scripts=true
+strict-ssl=true
+save-exact=true
+audit-level=high
+engine-strict=true
+legacy-peer-deps=false
diff --git a/doc/developer-guide.md b/doc/developer-guide.md
index 0c6b12d3..c884c2d3 100644
--- a/doc/developer-guide.md
+++ b/doc/developer-guide.md
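Review bot: No `npm run prepare` step is visible in this job after the new rebuild line, yet the `.npmrc` hunk in this commit sets `ignore-scripts=true`, which also suppresses this package's own `prepare` lifecycle that `npm ci` previously ran; if the job relied on that implicit run (the developer-guide hunk says `prepare` applies dependency patches and installs hooks), it is now silently skipped. The GitHub workflow hunk keeps an explicit `- run: npm run prepare`; add the same step here, between the rebuild and `npx browser-driver-manager ...`, if those patches matter for these tests. A comment above the rebuild, `# .npmrc sets ignore-scripts=true; esbuild's postinstall must run to fetch its platform binary`, would explain at the point of use why scripts are re-enabled for exactly one package. The job definition starts and ends outside the hunk.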
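Review bot: The scripts-allowed exception `npm rebuild esbuild --ignore-scripts=false --foreground-scripts` is written out verbatim here, in `.circleci/config.yml` and in the `postbump` script in `package.json`, so the three copies can drift when the flags or the allow-listed package change. Define it once in `package.json`, e.g. `"rebuild:esbuild": "npm rebuild esbuild --ignore-scripts=false --foreground-scripts"`, and call `npm run rebuild:esbuild` from each place, which also gives reviewers a single line to audit whenever lifecycle scripts are re-enabled for a dependency. Running it before `npm run prepare` looks correct since `prepare` is what the repo relies on for patches, but that ordering is only inferred from the developer-guide hunk. The job definition starts and ends outside the hunk.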
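Review bot: `audit-level=high` only changes the exit status of `npm audit`; `npm ci` and `npm install` do not fail on advisories regardless of this setting, so as written it gates nothing in CI — if the intent is to block installs with known high-severity advisories, add an explicit `npm audit --audit-level=high` step and document the limitation with `# audit-level only affects the exit status of npm audit, not npm ci`. `ignore-scripts=true` also suppresses every lifecycle script of this package itself, including `prepare`, `prepack` and `prepublishOnly` on `npm pack`/`npm publish`, so any release step that depended on those now needs an explicit `npm run` call (the GitHub workflow hunk does this for `prepare`). The `access=restricted` remark is imprecise: `access` controls the publish visibility of scoped packages, not whether the repository is private; rewording it to `# access is left unset: it controls scoped-package publish visibility and this package is public` avoids a misleading rationale. `strict-ssl=true` and `legacy-peer-deps=false` are npm's defaults, which is fine as explicit documentation of intent.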
@@ -34,6 +34,7 @@ Axe 3.0 supports open Shadow DOM: see our virtual DOM APIs and test utilities fo
 1. You must have Node.js version 22 or higher installed. If you have [nvm](https://github.com/nvm-sh/nvm) installed, simply do `nvm use` in the root of this repository.
 1. Install npm development dependencies. In the root folder of your axe-core repository, run `npm install`
+1. The committed `.npmrc` sets `ignore-scripts=true` for supply-chain hardening, so dependency lifecycle scripts do not run during install. After installing, run `npm run prepare` (applies dependency patches and installs git hooks) and `npm rebuild esbuild --ignore-scripts=false` (fetches the esbuild bundler binary) before building.
 ### Building axe.js
diff --git a/package.json b/package.json
index 6a64f517..7bf234ef 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,7 @@
 ],
 "standard-version": {
 "scripts": {
- "postbump": "npm ci && npm run sri-update && git add doc/rule-descriptions.md"
+ "postbump": "npm ci && npm rebuild esbuild --ignore-scripts=false --foreground-scripts && npm run sri-update && git add doc/rule-descriptions.md"
 },
 "skip": {
 "tag": true
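Review bot: `postbump` still opens with `npm ci`, which under the new `.npmrc` (`ignore-scripts=true`) no longer runs this package's `prepare` lifecycle, and unlike the GitHub workflow hunk no explicit `npm run prepare` is added before `npm run sri-update`; if `sri-update` or the post-bump build depends on the dependency patches that `prepare` applies (per the developer-guide hunk), the release flow now runs against unpatched dependencies. The minimal fix is `"postbump": "npm ci && npm rebuild esbuild --ignore-scripts=false --foreground-scripts && npm run prepare && npm run sri-update && git add doc/rule-descriptions.md"`, though whether `sri-update` needs it cannot be confirmed from this hunk. The `standard-version` object continues past the end of the hunk.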