# DaloyJS supply-chain hardening defaults.
#
# See the DaloyJS "Supply chain" docs and the 2026-05-11 TanStack incident
# postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)
# for context on why every line below is on by default.

# Peer dependencies: install missing peers automatically, but fail the
# install on an unmet or conflicting peer range instead of warning.
auto-install-peers=true
strict-peer-dependencies=true

# Reuse the lockfile's resolution when package.json and the lockfile
# agree. NOTE(review): "prefer" still falls back to a fresh resolution
# when they disagree, so a drifted lockfile is silently re-resolved;
# in CI pair this with frozen-lockfile=true so that drift fails the
# build instead.
prefer-frozen-lockfile=true

# Re-check files in pnpm's content-addressable store before linking
# them into node_modules. This catches a tampered or corrupted local
# store; it does not validate the upstream package itself.
verify-store-integrity=true

# Wait 24h before resolving a freshly published version (value is in
# minutes). Most npm worm campaigns are detected and unpublished within
# hours; this window keeps you off the early-installer hot path.
# Versions already pinned in the lockfile are presumably not re-checked
# against this window - confirm for your pnpm version. Set to 0 only
# for a real hotfix; for a single urgent package prefer the per-package
# exclude list (minimum-release-age-exclude) over zeroing this globally.
minimum-release-age=1440

# postinstall / preinstall / prepare hooks from transitive deps are the
# main execution channel used by chalk/debug, node-ipc, and Shai-Hulud
# malware. NOTE(review): this also skips this project's own install-time
# scripts (e.g. a prepare step that installs git hooks), so run those
# explicitly. It only blocks install-time execution; code that runs when
# a package is required is unaffected. If you later adopt pnpm's
# build-script allowlist, keep it in pnpm-workspace.yaml instead of
# turning this off.
ignore-scripts=true
