From 0113f36c17eb9d1f71e1e07b0bb90323321f80c4 Mon Sep 17 00:00:00 2001
From: Gaurav Singh
Date: Mon, 8 Jun 2026 18:09:17 +0530
Subject: [PATCH] Add hardened .npmrc for supply-chain audit (PTAAA-436)

The repo failed the weekly supply-chain .npmrc audit (missing file). Add .npmrc with the six required hardening directives: ignore-scripts, strict-ssl, save-exact, audit-level=high, engine-strict, and legacy-peer-deps=false. access=restricted is omitted since this is a public repo. engine-strict=true requires the installing Node version to satisfy engines.node ("24.12.0"). The Pages deploy workflow hardcoded Node 18, which would now fail npm ci with EBADENGINE, so switch it to read the version from .nvmrc (v24.12.0) to stay in sync with the engine pin.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/static.yml | 3 ++-
 .npmrc | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 .npmrc

diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 3ca3027..99a5a70 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -34,7 +34,8 @@ jobs:
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
- node-version: '18'
+ # Read the version from .nvmrc so CI matches engines.node (engine-strict=true in .npmrc)
+ node-version-file: '.nvmrc'
 - name: Install dependencies
 run: |
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..d75228e
--- /dev/null
+++ b/.npmrc
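Review bot: `node-version-file: '.nvmrc'` keeps CI in step with `engines.node` only while `.nvmrc` and `package.json` are bumped together; nothing in this diff checks that they agree, so a Node bump applied to one file but not the other reproduces the EBADENGINE failure the commit message describes. actions/setup-node@v4 also accepts `node-version-file: 'package.json'`, which resolves the version from `engines.node` itself and would make the engine pin the single source of truth (the "24.12.0" spec quoted in the message is exact, so it should resolve cleanly; confirm on the first run). Since this commit is supply-chain hardening, the context line `uses: actions/setup-node@v4` is still a mutable major tag; pinning it to a full commit SHA with the tag kept in a trailing comment is the usual companion to the .npmrc directives and could be a follow-up. The added comment line is also long enough to trip a yamllint line-length rule; `# Node version from .nvmrc; must match engines.node (engine-strict in .npmrc)` says the same more briefly. The enclosing job and its steps list start and end outside the hunk.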
@@ -0,0 +1,10 @@
+# Supply-chain security hardening
+# Required by the BrowserStack supply-chain .npmrc audit (Enigma / SC-12282).
+# See: https://browserstack.atlassian.net/wiki/spaces/ENG/pages/6091571922/Supply+Chain+Security+Enhancements+Tech+Spec
+
+ignore-scripts=true # blocks malicious package lifecycle scripts
+strict-ssl=true # enforces TLS for registry connections
+save-exact=true # pins exact dependency versions
+audit-level=high # fail on high+ severity advisories
+engine-strict=true # refuse incompatible Node engines
+legacy-peer-deps=false # preserve npm 7+ peer-dependency resolution
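Review bot: `audit-level=high` only sets the severity at which `npm audit` exits non-zero; `npm ci` and `npm install` do not fail on advisories, so the inline comment `# fail on high+ severity advisories` overstates what this directive enforces. Suggest `audit-level=high # npm audit exits non-zero at high+ severity; does not gate npm ci` and, if advisories are meant to block the Pages deploy, an explicit `npm audit --audit-level=high` step in the workflow (the Install dependencies step body in static.yml continues outside its hunk, so I cannot see whether one already exists). `ignore-scripts=true` also suppresses pre/post hooks around `npm run` scripts (a `prebuild`, for example) and leaves any dependency that relies on an install script unbuilt, so it is worth confirming the build depends on neither before this lands. The trailing `# …` comments rely on npm's ini parser dropping `#` and what follows from unquoted values; `npm config get ignore-scripts` run in the repo is a quick check that the values are read as intended.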