From 090b3e3960b70fb350f40b59a8c21e3ab021baa5 Mon Sep 17 00:00:00 2001
From: Erik Arvidsson
Date: Tue, 19 May 2026 17:29:57 +0200
Subject: [PATCH 1/2] ci: add 7-day npm release-age cooldown (.npmrc min-release-age)

npm has no default cooldown (unlike pnpm@11). Set min-release-age=7 so resolution only picks versions published >=7 days ago, giving time for malicious releases to be caught/yanked before install. CI already uses --ignore-scripts and package-lock=false, so this gates every resolve. Per the TanStack/Snyk supply-chain advisory.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .npmrc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.npmrc b/.npmrc
index 43c97e71..28ff7907 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1,6 @@
 package-lock=false
+
+# Supply-chain hardening: only install npm versions published >=7 days ago,
+# so freshly-compromised releases are likely caught/yanked before we pull them.
+# https://snyk.io/blog/tanstack-npm-packages-compromised/
+min-release-age=7

From cdd809ee00a916d35818a277cb25020e27ad0bb2 Mon Sep 17 00:00:00 2001
From: Erik Arvidsson
Date: Wed, 20 May 2026 09:48:19 +0200
Subject: [PATCH 2/2] ci: block git-URL deps (.npmrc allow-git=none)

Git dependencies can ship a .npmrc that overrides the git executable path, enabling arbitrary code execution at install (the actual TanStack attack vector). npm CLI 11.10+ supports allow-git=none, and v12 is expected to make it the default. No current dep uses a git URL.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .npmrc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.npmrc b/.npmrc
index 28ff7907..10602dcf 100644
--- a/.npmrc
+++ b/.npmrc
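Review bot: Nothing enforces that the npm CLI running in CI actually understands `min-release-age`; an npm too old to know the key does not honor it (at most it warns), so the cooldown would be silently inert rather than failing closed, and the same applies to `allow-git=none` in the second patch, which the commit itself scopes to npm CLI 11.10+. Consider pinning or asserting the npm version in the CI workflow (e.g. an `npm --version` check against the minimum that supports both keys) and recording the requirement next to the key: `# Requires an npm CLI that supports min-release-age; older npm ignores this key.` Note also that with `package-lock=false` every install re-resolves, so a range whose only satisfying versions are younger than 7 days will presumably fail to resolve outright; a one-line comment saying so would help the first such CI failure be recognized as the cooldown working rather than a registry problem.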
@@ -4,3 +4,9 @@ package-lock=false
 # so freshly-compromised releases are likely caught/yanked before we pull them.
 # https://snyk.io/blog/tanstack-npm-packages-compromised/
 min-release-age=7
+
+# Block git-URL dependencies entirely (npm CLI v11.10+). Git deps can ship
+# their own .npmrc and override the git executable path, enabling arbitrary
+# code execution during install (the actual TanStack attack vector). No
+# current dep needs this and npm v12 is expected to make none the default.
+allow-git=none
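Review bot: The new comment block states a minimum version ("npm CLI v11.10+") and a forward-looking claim ("npm v12 is expected to make none the default") without a reference, whereas the block directly above it cites its source. Add a link to the npm config documentation for `allow-git` next to the version claim so it can be re-verified once v12 ships, or keep only what is known today, e.g. `# Block git-URL dependencies entirely (requires npm CLI v11.10+; see the npm config docs for allow-git).` The commit message's "No current dep uses a git URL" does not say whether transitive dependencies were checked; since `allow-git=none` will fail the install for any git spec in the tree, it is worth stating "no direct or transitive dep" in the comment so a future failure is understood as intended.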