From a0408e52b0ec85c228aae050c8347e0eefefc8c2 Mon Sep 17 00:00:00 2001 From: Tom King Date: Fri, 30 Jan 2026 10:35:01 -0800 Subject: [PATCH] docs: update SECURITY.md --- SECURITY.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index a653a9a..0b4a9cb 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -118,6 +118,9 @@ To ensure the integrity of published packages and repository security: vulnerabilities, plus weekly version update checks - **Lockfile Integrity:** npm ci validates package-lock.json integrity (fails if corrupted or mismatched) +- **Lifecycle Script Blocking:** Automatic npm lifecycle scripts (preinstall, + postinstall, prepare) are blocked via `ignore-scripts=true` in `.npmrc` to + prevent supply chain attacks from malicious packages - **SBOM Generation:** Software Bill of Materials attached to every release for supply chain transparency @@ -202,7 +205,7 @@ npm run build npm sbom --sbom-format=cyclonedx --omit=dev > sbom.json # Run security audit -npm audit --audit-level=moderate +npm audit --audit-level=high # Test bookmarklets manually in target browsers ```
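Review bot: the new "Lifecycle Script Blocking" bullet in the first hunk documents `ignore-scripts=true` in `.npmrc`, but this patch changes only SECURITY.md (the diffstat shows 1 file changed), so the reviewer should confirm that the repository's `.npmrc` actually contains that setting before the claim is merged, and that the CI `npm ci` step uses it rather than an overriding `--ignore-scripts=false`. Two caveats worth adding to the bullet: the setting also disables this project's own lifecycle scripts (for example a `prepare` hook used to build on install), and it only stops install-time scripts, not code that runs when a malicious package is later imported. Consider rewording "prevent supply chain attacks from malicious packages" to "reduce the risk of install-time attacks from malicious packages" so the documentation does not overstate the protection.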
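Review bot: the second hunk changes the documented release check from `npm audit --audit-level=moderate` to `--audit-level=high`, which relaxes the gate so moderate-severity advisories no longer cause the command to exit non-zero (they are still printed, but a scripted release step will not stop on them). The commit message ("docs: update SECURITY.md") gives no rationale for this, so either state why the threshold was raised in the commit or in the surrounding text, and make sure the corresponding CI or release workflow uses the same level, otherwise the documented procedure and the enforced one will disagree.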