chore: .npmrc supply-chain hardening + esbuild 0.19 upgrade (#238)

Author: rajathmr2000

.circleci/config.yml

@@ -55,6 +55,7 @@ jobs:
       - browser-tools-job
       - <<: *set_npm_auth
       - run: npm ci
+      - run: npm rebuild esbuild --ignore-scripts=false --foreground-scripts
       - run: npx browser-driver-manager install chromedriver --verbose
       - save_cache:
           key: v9-cache-unix-{{ checksum "package-lock.json" }}

.github/workflows/test.yml

@@ -18,6 +18,7 @@ jobs:
           node-version-file: .nvmrc
           cache: 'npm'
       - run: npm ci
+      - run: npm rebuild esbuild --ignore-scripts=false --foreground-scripts
       - run: npm run prepare
       - run: npm run build
       - uses: actions/upload-artifact@v4

.npmrc

@@ -1 +1,11 @@
-registry=https://registry.npmjs.org
+registry=https://registry.npmjs.org
+
+# Supply-chain hardening directives (AXE-3444). Public repo: access is left
+# unset (access=restricted applies to private repos only).
+# Do NOT add tokens or secrets here; this repo installs from the public registry.
+ignore-scripts=true
+strict-ssl=true
+save-exact=true
+audit-level=high
+engine-strict=true
+legacy-peer-deps=false

doc/developer-guide.md

@@ -34,6 +34,7 @@ Axe 3.0 supports open Shadow DOM: see our virtual DOM APIs and test utilities fo
 1. You must have Node.js version 22 or higher installed.
    If you have [nvm](https://github.com/nvm-sh/nvm) installed, simply do `nvm use` in the root of this repository.
 1. Install npm development dependencies. In the root folder of your axe-core repository, run `npm install`
+1. The committed `.npmrc` sets `ignore-scripts=true` for supply-chain hardening, so dependency lifecycle scripts do not run during install. After installing, run `npm run prepare` (applies dependency patches and installs git hooks) and `npm rebuild esbuild --ignore-scripts=false` (fetches the esbuild bundler binary) before building.
 
 ### Building axe.js