fix(security): add .npmrc with ignore-scripts=true (#1083)

yogeshchoudhary147 · web-flow · commit 658bfcae7810 · 2026-04-10T19:37:09.000+05:30
This prevents malicious postinstall scripts from running during `npm
install`, both in CI and locally.

### Changes

- Added `.npmrc` with `ignore-scripts=true`
- Removed `.npmrc` from `.gitignore` (auth tokens belong in `~/.npmrc`,
not project-level)
- Added explicit `npx cypress install` in integration workflow (Cypress
needs its binary downloaded via postinstall)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -51,6 +51,9 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Install Cypress binary
+        run: npx cypress install
+
       - name: Build SDK
         run: npm run build
 
diff --git a/.gitignore b/.gitignore
@@ -107,5 +107,4 @@ dist
 test-results
 
 cypress/screenshots
-cypress/videos
-.npmrc
+cypress/videos
diff --git a/.npmrc b/.npmrc
@@ -0,0 +1 @@
+ignore-scripts=true
