# DaloyJS supply-chain hardening defaults — see the "Supply chain" docs.

# Peer dependencies: pnpm installs missing non-optional peers automatically,
# and the install fails when a peer is missing or its version range is not
# satisfied. Auto-installed peers are packages nobody declared directly, so
# review the lockfile diff when new ones appear.
auto-install-peers=true
strict-peer-dependencies=true
# Reuse pnpm-lock.yaml unchanged when it satisfies package.json. This is a
# preference, not enforcement: when manifest and lockfile disagree, pnpm
# re-resolves and rewrites the lockfile. Run `pnpm install --frozen-lockfile`
# in CI so that drift fails the build instead of being resolved silently.
prefer-frozen-lockfile=true
# Check the content of store files that were modified before linking them
# into node_modules. Guards against a tampered or corrupted local store, not
# against a malicious tarball that matches its published integrity hash.
verify-store-integrity=true

# 24h cooldown on freshly published versions. Drops you off the hot path
# of npm worm campaigns, which are typically detected and unpublished
# within hours.
# The value is in minutes (1440 = 24h). Trade-off: urgent security fixes are
# held back by the same window, so plan an explicit override path for them.
# NOTE(review): only pnpm releases that implement this setting honour it;
# presumably older ones ignore the key without an error. Confirm the pnpm
# version pinned for this repo supports it.
minimum-release-age=1440

# Block postinstall/preinstall/prepare hooks from transitive deps —
# the primary execution channel for chalk/debug, node-ipc, Shai-Hulud.
# If you later adopt pnpm's build-script allowlist, keep it in
# pnpm-workspace.yaml instead of turning this off.
# NOTE(review): this only covers install-time lifecycle scripts. A
# compromised package whose payload runs when it is imported or bundled is
# not stopped here, so confirm against the advisories which of the incidents
# named above actually relied on install hooks.
# NOTE(review): pnpm documents ignore-scripts as also skipping the root
# project's own install lifecycle scripts, not just those of dependencies.
# Verify nothing in this repo depends on its own prepare/postinstall running.
ignore-scripts=true
