Supply chain improvements

[dgreif]

Files changed

• .npmrc
• .github/workflows/nodejs.yml
• .github/workflows/publish.yml
• package.json
• package-lock.json
• vitest.config.js

Ecosystems detected

• npm package with lockfile
• GitHub Actions CI and publish workflows

Recommendations applied

• Added project npm release-age safeguard: min-release-age=3.
• Updated CI and publish workflows to Node 26.
• Switched CI dependency installation from npm install to npm ci.
• Updated and pinned actions/checkout and actions/setup-node to full commit SHAs for their current releases.
• Kept OIDC/provenance publishing and existing npm --ignore-scripts publish --provenance behavior.
• Updated Playwright to 1.60.0.
• Updated Vitest browser tooling to 4.1.7 and added the Vitest 4 Playwright provider package/config.
• Ran npm audit fix; audit reports 0 vulnerabilities.

Could not be applied automatically

• Vitest 4.1.8 was within the 3-day release-age window, so this uses 4.1.7.

Human review notes

• npm trusted publishing may still need npm-side setup for @github/remote-form.
• The package still has an existing postpublish script for GitHub Packages, but the publish workflow preserves --ignore-scripts.

Validation

• npm install passed.
• npm ci passed.
• npx playwright install chromium passed.
• npm run build --if-present passed.
• npm run check --if-present passed.
• CI=1 npm test passed, 9 tests.
• npm audit passed, 0 vulnerabilities.

Non-blocking warnings observed: npm currently warns that min-release-age is an unknown project config, and lint reports outdated Browserslist data.

[Copilot]

Pull request overview

This PR focuses on supply-chain hardening and dependency/CI modernization for the npm package by tightening CI install behavior, pinning Actions, and upgrading the Vitest browser + Playwright toolchain.

Changes:

• Added an .npmrc setting intended as a dependency “release-age” safeguard.
• Updated CI/publish workflows to Node 26, pinned actions/* to commit SHAs, and switched CI installs to npm ci.
• Upgraded Playwright and migrated Vitest browser configuration to the Vitest 4 Playwright provider.

Show a summary per file

File	Description
.npmrc	Adds a min-release-age configuration entry.
.github/workflows/nodejs.yml	Moves CI to Node 26, pins Actions by SHA, uses npm ci.
.github/workflows/publish.yml	Moves publish job to Node 26 and pins Actions by SHA.
package.json	Pins Vitest/browser and Playwright versions; adds Playwright provider package.
package-lock.json	Lockfile updates reflecting Vitest/Playwright/Vite transitive changes.
vitest.config.js	Updates Vitest browser config to use the Playwright provider API.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 5/6 changed files
• Comments generated: 4