diff --git a/.npmrc b/.npmrc
index 43c97e7..10602dc 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1,12 @@
 package-lock=false
+
+# Supply-chain hardening: only install npm versions published >=7 days ago,
+# so freshly-compromised releases are likely caught/yanked before we pull them.
+# https://snyk.io/blog/tanstack-npm-packages-compromised/
+min-release-age=7
+
+# Block git-URL dependencies entirely (npm CLI v11.10+). Git deps can ship
+# their own .npmrc and override the git executable path, enabling arbitrary
+# code execution during install (the actual TanStack attack vector). No
+# current dep needs this and npm v12 is expected to make none the default.
+allow-git=none
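Review bot: Neither new key is enforced unless the npm CLI running the install is new enough to recognize it, and the hunk pins no version; an older npm only warns on an unrecognized config key, so `min-release-age` and `allow-git=none` degrade silently to no protection, and the existing `package-lock=false` context line means every install resolves versions live with these two keys as the only gate. Consider adding `engine-strict=true` to this file together with an `engines.npm` floor in package.json so a too-old CLI fails the install loudly rather than skipping the guards (worth confirming that the root project's `engines.npm` is enforced by the npm versions in use). The comment block states a minimum version only for `allow-git` (v11.10+); `min-release-age` likely shipped in a different release, so record one floor that covers both keys, e.g. `# Requires npm >= <version covering both keys>; older CLIs only warn on unknown keys and apply neither guard.` That single line also tells a contributor why a warning about an unknown config key is a failure rather than noise.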