chore(security): harden install, build, & ci

.github/workflows/publish.yml

@@ -53,7 +53,7 @@ jobs:
         run: |
           # OIDC trusted publishing requires npm 11.5.1+
           # Node.js 22.x ships with npm 10.x, so we need to upgrade explicitly
-          npm install -g npm@latest
+          npm install -g npm@latest --ignore-scripts
           # Verify we have npm 11.5.1 or later for OIDC support
           NPM_VERSION=$(npm --version)
           echo "npm version: $NPM_VERSION"

.npmrc

@@ -6,5 +6,17 @@ engine-strict=true
 # Always use https for registry
 registry=https://registry.npmjs.org/
 
+# Configure audit checks during install
+audit-level=high
+
+# security: block automatic lifecycle scripts (preinstall, postinstall, & prepare)
+ignore-scripts=true
+
+# Speed up CI by preferring cache
+prefer-offline=true
+
+# Reduce noise in CI logs
+progress=false
+
 # Timeout settings (1 min v 5 min)
 fetch-timeout=60000

LICENSE-MIT

@@ -1,4 +1,4 @@
-Copyright (c) 2012-2025 Tom King
+Copyright (c) 2012-2026 Tom King
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation

README.md

@@ -198,7 +198,7 @@ allow use of 1.00 and beyond
 
 ## License
 
-Copyright (c) 2012-2025 Tom King.
+Copyright (c) 2012-2026 Tom King.
 Licensed under the MIT license.
 
 <!-- reference URLs -->

SECURITY.md

@@ -53,6 +53,7 @@ To ensure the integrity of published packages:
 - **Dependency Monitoring:** Dependabot enabled to monitor for any future dependencies or peerDependency issues
 - **OIDC Authentication:** npm publishing uses OpenID Connect for authentication, eliminating token management overhead
 - **Lockfile Integrity:** npm ci validates package-lock.json integrity (fails if corrupted or mismatched)
+- **Script Protection:** npm lifecycle scripts (preinstall, postinstall, prepare) are disabled via `.npmrc` to prevent supply chain attacks from compromised dependencies
 
 ### Branch Protection Rules
 

package.json

@@ -28,7 +28,7 @@
   "main": "Gruntfile.js",
   "name": "text2datauri",
   "peerDependencies": {
-    "grunt": ">=1.6.1"
+    "grunt": "1.6.1"
   },
   "publishConfig": {
     "access": "public",
@@ -41,8 +41,8 @@
   },
   "scripts": {
     "test": "node --test test/text2datauri*.js",
-    "audit": "npm audit --omit=dev --audit-level=moderate",
+    "audit": "npm audit --omit=dev --audit-level=high",
     "audit:fix": "npm audit fix --omit=dev"
   },
-  "version": "1.12.1"
+  "version": "1.12.2"
 }