Supply chain improvements #72

Merged: dgreif merged 2 commits into main from copilot/supply-chain-improvements, Jun 3, 2026
Conversation

@dgreif dgreif (Contributor) commented Jun 3, 2026
Files changed

  • .npmrc
  • .node-version
  • .github/workflows/nodejs.yml
  • .github/workflows/publish.yml
  • package.json
  • package-lock.json
  • vitest.config.ts

Ecosystems detected

  • npm package with GitHub Actions CI and npm publish workflow.

Recommendations applied

  • Added min-release-age=3 to project .npmrc.
  • Updated the existing Node version file to Node 26 and kept workflows on node-version-file.
  • Switched CI install from npm install to npm ci.
  • Updated actions/checkout to v6.0.3 and actions/setup-node to v6.4.0, pinned to full commit SHAs.
  • Removed NODE_AUTH_TOKEN based npm publishing and kept contents: read plus id-token: write for trusted publishing.
  • Preserved the existing npm --ignore-scripts publish --provenance publishing style.
  • Updated Vitest to 4.1.7, the latest stable version outside the 3-day release-age window, and added the Vitest Playwright browser provider package/config required by Vitest 4.
  • Updated Playwright to 1.60.0.
  • Ran npm audit fix and resolved reported vulnerabilities.

Could not apply automatically

  • Vitest 4.1.8 is current, but it is inside the 3-day release-age window, so this uses 4.1.7.

Human review notes

  • npm trusted publishing may still need to be configured on the npm package before the release workflow can publish without NODE_AUTH_TOKEN.
  • No pull_request_target workflows were found.
  • Workflow permissions remain narrow: contents: read, plus id-token: write only for publishing.
  • The package still has a postpublish script for GitHub Packages, but the release workflow keeps --ignore-scripts for the npmjs publish step.

Validation

  • npm install passed.
  • npm ci passed.
  • npx playwright install chromium --only-shell passed.
  • npm run build --if-present passed.
  • npm run check --if-present passed; no check script is defined.
  • npm run lint --if-present passed with existing TypeScript support and Browserslist warnings.
  • CI=1 npm test passed: 14 tests.
  • npm audit passed: 0 vulnerabilities.
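
As an added example (not code from PR #72 or the project), a small JavaScript lint that checks a workflow file for the controls listed above: full-SHA action pins, npm ci instead of npm install, no NODE_AUTH_TOKEN, --ignore-scripts and --provenance on the publish step, and an explicit read-only permissions block. The two sample workflows are constructed, and the 40-hex SHAs are placeholders, not the real commits behind actions/checkout v6.0.3 or actions/setup-node v6.4.0.

```javascript
// Added example, not code from PR #72 or the project: a lint for GitHub Actions workflow
// text covering the controls the PR applies. Sample workflows are constructed; SHAs are placeholders.
// Returns a list of findings; an empty list means every check passed.
function lintWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((raw, i) => {
    const line = raw.trim(), n = i + 1;
    // 1. Third-party actions must be pinned to a full 40-hex commit SHA, not a mutable tag.
    const uses = line.match(/^-?\s*uses:\s*([^\s@#]+)@?([^\s#]*)/);
    if (uses && !uses[1].startsWith("./") && !/^[0-9a-f]{40}$/.test(uses[2])) {
      findings.push(`${n}: ${uses[1]} pinned to '${uses[2]}', not a full commit SHA`);
    }
    // 2. CI installs should be lockfile-exact: npm ci, not npm install.
    if (/\bnpm install\b/.test(line)) findings.push(`${n}: use 'npm ci' instead of 'npm install'`);
    // 3. With trusted publishing (id-token: write) no long-lived token should remain.
    if (line.includes("NODE_AUTH_TOKEN")) findings.push(`${n}: NODE_AUTH_TOKEN still referenced`);
    // 4. The publish step should skip lifecycle scripts and attach provenance.
    if (/\bnpm\b.*\bpublish\b/.test(line)) {
      if (!line.includes("--ignore-scripts")) findings.push(`${n}: publish without --ignore-scripts`);
      if (!line.includes("--provenance")) findings.push(`${n}: publish without --provenance`);
    }
  });
  // 5. Permissions must be declared explicitly at the top level and contents kept read-only.
  if (!/^permissions:/m.test(yamlText)) findings.push("no top-level permissions: block");
  else if (/^\s+contents:\s*write/m.test(yamlText)) findings.push("contents: write granted; keep contents: read");
  return findings;
}
// Constructed "before" workflow: tag pins, npm install, token-based publish, no permissions block.
const BEFORE = `on: push
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
      - run: npm install
      - run: npm publish
        env: { NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }} }`;
// Constructed "after" workflow in the shape this PR produces (placeholder SHAs, not real commits).
const AFTER = `on: push
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000001 # v6.0.3
      - uses: actions/setup-node@0000000000000000000000000000000000000002 # v6.4.0
      - run: npm ci
      - run: npm --ignore-scripts publish --provenance`;
console.log(lintWorkflow(BEFORE), lintWorkflow(AFTER)); // six findings, then []
```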

dgreif and others added 2 commits June 3, 2026 11:34
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@dgreif dgreif marked this pull request as ready for review June 3, 2026 17:22
@dgreif dgreif requested a review from a team as a code owner June 3, 2026 17:22
Copilot AI review requested due to automatic review settings June 3, 2026 17:22

Copilot AI left a comment

Pull request overview

This PR tightens the project’s JavaScript supply-chain posture by hardening npm and GitHub Actions usage, updating the Node toolchain baseline, and upgrading the Vitest/Playwright browser testing stack to newer major versions.

Changes:

  • Enforced dependency “release age” gating via .npmrc and bumped the project’s Node version to 26.
  • Hardened GitHub Actions by pinning actions/checkout and actions/setup-node to full commit SHAs and switching CI installs to npm ci.
  • Upgraded Vitest to v4, added the Vitest Playwright browser provider, and updated Playwright accordingly.
Summary per file:

| File | Description |
| --- | --- |
| .npmrc | Adds a supply-chain control to avoid installing very recently published packages. |
| .node-version | Updates the repo’s Node baseline used by CI/release workflows. |
| .github/workflows/nodejs.yml | Pins core actions by SHA and uses npm ci for deterministic installs. |
| .github/workflows/publish.yml | Pins actions by SHA and shifts the publishing auth model toward trusted publishing. |
| package.json | Bumps Vitest/Playwright dependencies and adds the Vitest Playwright browser provider. |
| package-lock.json | Locks the updated dependency graph consistent with the upgraded tooling and audit fixes. |
| vitest.config.ts | Updates the Vitest browser configuration to use the Playwright provider API. |

Copilot's findings

  • Files reviewed: 6/7 changed files
  • Comments generated: 1

Comment thread .github/workflows/publish.yml
@dgreif dgreif merged commit de53b80 into main Jun 3, 2026
5 checks passed
@dgreif dgreif deleted the copilot/supply-chain-improvements branch June 3, 2026 17:39