# =============================================================================
# npm Security Configuration for Postman Tests
# =============================================================================
#
# This file configures npm with security-focused settings to reduce the risk
# of supply chain attacks (like the tunnel-agent compromise).
#
# =============================================================================

# CRITICAL: Block install-time script execution
# With ignore-scripts=true npm does not run the lifecycle scripts declared in
# package.json during installation (preinstall, install, postinstall), so a
# dependency cannot execute code merely by being installed.
# Caveats:
#   - This does not stop malicious code from running later, when the package
#     is actually loaded (require/import) by the tests.
#   - Dependencies that rely on an install script (for example native addons)
#     are left unbuilt; re-enable scripts only for packages that were reviewed.
#   - Command-line flags and npm_config_* environment variables take
#     precedence over this file, so check CI jobs for overrides.
ignore-scripts=true

# Lock dependencies to exact versions
# package-lock=true keeps package-lock.json in use; save-exact=true makes
# `npm install <pkg>` record an exact version in package.json instead of a
# semver range.
# Caveats:
#   - save-exact only affects entries written from now on. Ranges already in
#     package.json, and all transitive dependencies, are pinned by the
#     lockfile alone, so package-lock.json must be committed and reviewed.
#   - `npm install` may rewrite package-lock.json when it disagrees with
#     package.json. Use `npm ci` in CI: it installs strictly from the
#     lockfile and fails on a mismatch.
package-lock=true
save-exact=true

# Use official npm registry over TLS
# strict-ssl=true makes npm validate the registry's certificate, which
# protects packages in transit against interception and modification.
# It does not protect against a package that was already malicious when it
# was published (compromised maintainer account or upstream dependency).
# NOTE(review): a scoped `@scope:registry=` entry or a higher-priority config
# source (CLI flag, environment, user-level .npmrc for other keys) can still
# direct installs elsewhere; verify with `npm config ls -l` in the CI job.
registry=https://registry.npmjs.org/
strict-ssl=true

# Run security audit on install
# audit=true submits the dependency tree to the registry's advisory endpoint
# during install and prints a summary of known vulnerabilities.
# audit-level=high is the threshold at which `npm audit` exits non-zero;
# `npm install` itself still succeeds when vulnerabilities are found, so CI
# needs an explicit `npm audit` step to gate on the result.
# Audit only knows published advisories: a freshly compromised release is
# not reported until an advisory for it exists.
audit=true
audit-level=high

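# Verify package signatures
# NOTE: `audit-signatures` is not an npm configuration key. npm ignores
# unknown keys (recent versions print a warning), so the setting that used to
# be here never verified anything and only suggested that it did.
# Registry signature verification is done by the `npm audit signatures`
# command, which must be run explicitly (for example as a CI step after
# `npm ci`) and have its exit status checked.
# NOTE(review): the original comment cited npm 8.4+ as the minimum version;
# confirm the version that introduced the command against the npm changelog.
# audit-signatures=true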
