change: update npm policies

.github/workflows/ci-js.yml

@@ -31,7 +31,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Run JavaScript tests
         env:
           JEST_JUNIT_OUTPUT_DIR: ${{ env.REPORT_DIR }}
@@ -54,7 +54,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Run JavaScript tests
         run: npm run test:coverage -- --reporter=default --reporter=junit --outputFile=${{ env.REPORT_DIR }}/test-report.xml
       - name: Submit test coverage to codecov.io
@@ -79,7 +79,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Cache ESLint
         uses: actions/cache@v5
         with:
@@ -112,7 +112,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Run TypeScript typecheck
         run: npm run type-check
 
@@ -131,7 +131,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Check if translations need an update
         id: check
         run: npm run i18n-extract -- --ci
@@ -155,7 +155,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
       - name: Install dependencies
-        run: npm install
+        run: npm ci
       - name: Check code formatting
         id: check
         run: |

.github/workflows/codeql-analysis.yml

@@ -1,10 +1,10 @@
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   push:
-    branches: [ main, stable, oldstable ]
+    branches: [main, stable, oldstable]
   pull_request:
-    branches: [ main, stable, oldstable ]
+    branches: [main, stable, oldstable]
     paths-ignore:
       - '**/*.md'
       - '**/*.txt'
@@ -13,7 +13,7 @@ on:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true 
+  cancel-in-progress: true
 
 jobs:
   analyze:
@@ -27,22 +27,22 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript' ]
+        language: ['javascript']
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@v6
 
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
-      with:
-        languages: ${{ matrix.language }}
-      # build between init and analyze ...
-    - name: Install node
-      uses: actions/setup-node@v6
-      with:
-        cache: "npm"
-    - name: Install dependencies
-      run: npm install
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+        # build between init and analyze ...
+      - name: Install node
+        uses: actions/setup-node@v6
+        with:
+          cache: 'npm'
+      - name: Install dependencies
+        run: npm ci
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4

.github/workflows/release.yml

@@ -18,7 +18,7 @@ on:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true 
+  cancel-in-progress: true
 
 jobs:
   release:
@@ -96,7 +96,7 @@ jobs:
           node-version: '22'
           cache: 'npm'
       - name: Install npm dependencies
-        run: npm install
+        run: npm ci
       - name: Build dist files
         run: npm run build
       - name: Create tarballs

.npmrc

@@ -0,0 +1,10 @@
+# Hardening direct dependencies: pinned versions are saved instead of ranges (^/~)
+save-exact=true
+
+# Supply Chain Quarantine: Blocks packages released within the last 7 days to mitigate "zero-day" compromises.
+# NOTE: To pull an urgent security patch released today, temporarily lower this value or comment it out.
+min-release-age=7
+
+# Malware Mitigation: Strictly blocks all post-install lifecycle scripts from dependencies.
+# NOTE: If a trusted package breaks because it requires scripts, you may need to run its script manually.
+ignore-scripts=true

package.json

@@ -13,7 +13,7 @@
     "type": "git",
     "url": "https://github.com/greenbone/gsa/"
   },
-  "author": "Bj\u00f6rn Ricks <bjoern.ricks@greenbone.net>",
+  "author": "Björn Ricks <bjoern.ricks@greenbone.net>",
   "license": "AGPL-3.0+",
   "type": "module",
   "scripts": {
@@ -30,10 +30,11 @@
     "i18n-extract": "i18next-cli extract",
     "type-check": "tsc --noEmit",
     "type-check:watch": "tsc --noEmit --watch",
-    "clear:node_modules": "rm -rf node_modules && npm install"
+    "clear:node_modules": "rm -rf node_modules && npm ci"
   },
   "engines": {
-    "node": ">=22.0"
+    "node": ">=22.0",
+    "npm": ">=11.0"
   },
   "dependencies": {
     "@dnd-kit/helpers": "^0.3.2",
@@ -119,4 +120,4 @@
     "vite-plugin-svgr": "^5.2.0",
     "vitest": "^4.0.17"
   }
-}
+}