Supply chain improvements #704

Merged: dgreif merged 1 commit into main from copilot/supply-chain-improvements-20260603095936 on Jun 3, 2026

Conversation

@dgreif (Contributor) commented Jun 3, 2026

Summary

  • Added .npmrc with min-release-age=3 for npm installs.
  • Updated Node CI to include Node 26 and pinned actions/checkout and actions/setup-node to full commit SHAs.
  • Updated publish workflow to Node 26, pinned third-party actions, and switched npm publishing to OIDC provenance without NODE_AUTH_TOKEN.
  • Refreshed npm lockfiles via npm audit fix where it could safely apply fixes.

Ecosystems detected

  • npm / Node.js package with GitHub Actions CI and release publishing.

Recommendations applied

  • npm minimum release age policy.
  • Node 26 in CI and publishing.
  • Full-SHA action pinning for third-party GitHub Actions.
  • npm ci remains in CI and publish workflows.
  • OIDC trusted publishing workflow shape with id-token: write and npm publish --provenance.

Not automatically applied

  • Root npm audit still reports Mocha transitive advisories for diff and serialize-javascript. The current stable Mocha release remains affected; moving to Mocha 12 beta or forcing overrides could be breaking, so this PR leaves that for human review.
  • npm-side trusted publishing may need to be configured before the publish workflow can release without a token.

Human review notes

  • Confirm the npm package has trusted publishing configured for this workflow.
  • Review whether adopting a Mocha pre-release or another mitigation is acceptable for the remaining root audit findings.

Validation

  • npm audit fix run at the root and in the legacy example package.
  • npm install completed, with remaining root audit findings noted above.
  • npm ci completed, with remaining root audit findings noted above.
  • npm test passed: 67 tests.
  • npm audit still reports 3 root vulnerabilities through Mocha transitive dependencies, noted above.
  • npm run test-examples:legacy fails on the existing plugin:github/browser config resolution issue.
  • npm run test-examples:flat fails on expected lint violations in example source files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
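The publish-workflow shape the PR describes (id-token: write, SHA-pinned actions, npm publish --provenance with no NODE_AUTH_TOKEN), written out as an added example rather than this repository's actual publish.yml; the release trigger, the job name and the all-zero placeholder SHAs are assumptions, not values from the PR.

```yaml
# Added example of the OIDC trusted-publishing workflow shape; not the PR's own file.
# The 40-zero SHAs are placeholders: replace each with the full commit SHA of the
# action release you reviewed, and keep the version tag in the trailing comment so
# the pin stays auditable.
name: publish

on:
  release:
    types: [published]   # assumed trigger

permissions:
  contents: read         # default for every job; nothing here writes to the repo

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # lets the job request the OIDC token npm exchanges for provenance
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000   # placeholder SHA (pin to a vX.Y.Z commit)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # placeholder SHA (pin to a vX.Y.Z commit)
        with:
          node-version: 26
          registry-url: https://registry.npmjs.org   # required so npm targets the registry with the OIDC token
      - run: npm ci      # lockfile-exact install; .npmrc min-release-age=3 applies here too
      - run: npm test
      # No NODE_AUTH_TOKEN secret anywhere: authentication comes from the OIDC
      # token and the trusted publisher configured for this repo/workflow on npm.
      - run: npm publish --provenance
```

Until the trusted publisher is configured on the npm side for this exact repository and workflow file, the publish step fails rather than falling back to a token, which is the behaviour the PR's human-review note is pointing at.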
@dgreif dgreif marked this pull request as ready for review June 3, 2026 17:32
@dgreif dgreif requested a review from a team as a code owner June 3, 2026 17:32
Copilot AI review requested due to automatic review settings June 3, 2026 17:32

Copilot AI left a comment


Pull request overview

This PR focuses on supply-chain hardening for this npm package by tightening dependency install policy, strengthening GitHub Actions workflow pinning, and modernizing the npm publish workflow to use OIDC provenance.

Changes:

  • Added an .npmrc policy to enforce a minimum package release age (min-release-age=3) during installs.
  • Updated CI and publishing workflows to test/publish on Node 26 and pinned actions/checkout / actions/setup-node to full commit SHAs.
  • Refreshed root and legacy example package-lock.json dependency graphs via safe npm audit fix-style updates.
Summary per file:

  • .npmrc: Enforces a minimum package release age during npm installs to reduce exposure to freshly published compromised packages.
  • .github/workflows/nodejs.yml: Adds Node 26 to the CI matrix and pins core actions to full SHAs for stronger workflow supply-chain integrity.
  • .github/workflows/publish.yml: Moves publishing to Node 26, pins actions, and switches to OIDC-based npm publish --provenance without an npm token secret.
  • package-lock.json: Updates resolved transitive dependencies (e.g., editorconfig toolchain and Mocha patch) consistent with the supply-chain/audit refresh.
  • test-examples/legacy/package-lock.json: Updates legacy example lockfile transitive dependencies consistent with the audit/lockfile refresh.

Copilot's findings


Files not reviewed (1)
  • test-examples/legacy/package-lock.json: Language not supported
  • Files reviewed: 3/5 changed files
  • Comments generated: 0

@dgreif dgreif merged commit 01bc866 into main Jun 3, 2026
10 checks passed
@dgreif dgreif deleted the copilot/supply-chain-improvements-20260603095936 branch June 3, 2026 17:45