
Supply chain improvements #118

Merged

dgreif merged 1 commit into main from copilot/security-defaults on Jun 3, 2026

Conversation

Contributor

@dgreif dgreif commented Jun 3, 2026

Summary

  • update CI and publish automation to current pinned GitHub Actions and Node 26
  • add the requested npm release-age policy and refresh the lockfile with npm audit fix

What changed

  • added project-level .npmrc with min-release-age=3
  • updated actions/checkout to v6.0.3 and actions/setup-node to v6.4.0, pinned to full SHAs
  • moved the main CI workflow from Node 22 to Node 26
  • moved the publish workflow from Node 24 to Node 26
  • kept npm ci in CI and publish workflows
  • kept npm publishing on OIDC trusted publishing; this repo was already using npm publish --provenance with id-token: write and no NODE_AUTH_TOKEN
  • ran npm audit fix and refreshed package-lock.json

Files changed

  • .npmrc
  • .github/workflows/nodejs.yml
  • .github/workflows/publish.yml
  • package-lock.json

Ecosystems detected

  • npm
  • GitHub Actions

Applied recommendations

  • deterministic npm installs in CI via npm ci
  • install-time npm release-age controls via .npmrc
  • pinned third-party GitHub Actions to full SHAs and updated stale action versions
  • Node 26 used in CI and publish automation
  • OIDC-based npm publishing retained
  • audit fixes applied with checks passing afterward

Could not be applied automatically

  • none

Human review notes

  • no pull_request_target workflows were found
  • workflow permissions remain narrow: contents: read in CI and contents: read plus id-token: write for publish
  • npm 11 emits a warning that min-release-age is an unknown project config in this environment, even though installs/build/tests continue to pass

Validation

  • npm install
  • npm ci
  • npm run build
  • CI=1 npm test
  • npm audit (0 vulnerabilities)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
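A check a reviewer can run over the two workflow files this PR pins, as an added example that is not part of the PR or the repository: it flags `uses:` references that are not pinned to a full commit SHA and SHA pins that lack the `# vX.Y.Z` version comment Dependabot and humans rely on. The sample workflow text is constructed; only the setup-node line is taken from this PR, the other references are made up.

```python
import re

# Matches a `uses:` line; captures the reference and an optional trailing
# "# v1.2.3" comment that records the human-readable version of the SHA.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(?:#\s*(\S+))?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_ref(ref):
    """Return 'sha', 'tag', 'unpinned' or 'local' for one uses reference."""
    if ref.startswith(("./", "docker://")):
        return "local"          # local composite actions / docker images are out of scope
    if "@" not in ref:
        return "unpinned"       # no ref at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.fullmatch(version) else "tag"

def audit_workflow(text):
    """Return findings as (line_no, ref, problem) for a workflow file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind in ("tag", "unpinned"):
            # A tag or branch can be moved after the fact; only a SHA is immutable.
            findings.append((line_no, ref, f"not pinned to a full commit SHA ({kind})"))
        elif kind == "sha" and not comment:
            findings.append((line_no, ref, "SHA pin has no '# vX.Y.Z' version comment"))
    return findings

# Constructed sample workflow: the setup-node line is the one from this PR,
# the checkout, some-org and local lines are made up to exercise each branch.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 26
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, ref, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {problem}")
```

Run it against each file under `.github/workflows/` to get the same list a reviewer would otherwise compile by hand.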
@dgreif dgreif marked this pull request as ready for review June 3, 2026 13:42
@dgreif dgreif requested a review from a team as a code owner June 3, 2026 13:42
Copilot AI review requested due to automatic review settings June 3, 2026 13:42
Contributor

Copilot AI left a comment


Pull request overview

This pull request applies supply-chain oriented maintenance updates across GitHub Actions workflows and npm configuration, aiming to harden CI/publishing and refresh dependency resolutions without changing the existing Dependabot setup.

Changes:

  • Added a project .npmrc with a minimum package release age policy (min-release-age=3).
  • Updated CI and publish workflows to use pinned SHAs for actions/checkout and actions/setup-node, and bumped automation to Node 26.
  • Refreshed package-lock.json via npm audit fix (transitive dependency updates/removals).
Summary per file:

  • .npmrc: Introduces npm release-age policy configuration intended to reduce supply-chain risk.
  • .github/workflows/nodejs.yml: Pins third-party actions to SHAs and moves CI to Node 26.
  • .github/workflows/publish.yml: Pins third-party actions to SHAs and moves the publish pipeline to Node 26.
  • package-lock.json: Updates resolved dependency versions to incorporate audit fixes.

Copilot's findings


  • Files reviewed: 3/4 changed files
  • Comments generated: 3

Comment thread .npmrc
@@ -0,0 +1 @@
min-release-age=3
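Review bot: this single `min-release-age=3` line is the entire release-age control, yet the Human review notes above say npm 11 reports `min-release-age` as an unknown project config in this environment, so the npm that CI and publish actually run may ignore it silently while installs keep passing. Suggest confirming which npm version honors the key, upgrading or pinning npm in both workflows accordingly, and adding a comment line to `.npmrc` stating the unit of the value and the minimum npm version required, so the file is not mistaken for an enforced policy.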
Comment on lines +13 to 17
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22
node-version: 26
registry-url: https://registry.npmjs.org/
cache: npm
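Review bot: `node-version: 26` is unquoted here while publish.yml quotes its value ('26'); YAML reads both as intended today, but quoting in both files keeps the workflows consistent and avoids a future value such as 26.1 being parsed as a float and truncated. The SHA pin with the `# v6.4.0` trailer is the right shape; since the description says the existing Dependabot setup is unchanged, confirm it covers the github-actions ecosystem so the pinned SHA and its version comment are bumped together rather than going stale.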
Comment on lines +15 to 18
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
node-version: '26'
registry-url: 'https://registry.npmjs.org'
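Review bot: `registry-url` is spelled 'https://registry.npmjs.org' here and https://registry.npmjs.org/ (trailing slash) in nodejs.yml; both reach the same registry, but one spelling in both files avoids a needless difference between CI and publish. Because this job depends on OIDC trusted publishing (`id-token: write`, no NODE_AUTH_TOKEN) rather than a stored token, a dry run of the publish step on the Node 26 runner before the next release would confirm the setup-node and Node bumps did not change how `npm publish --provenance` authenticates.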
@dgreif dgreif merged commit 70261cb into main Jun 3, 2026
6 checks passed
@dgreif dgreif deleted the copilot/security-defaults branch June 3, 2026 17:39