From 72cf9f2c375ae33b6ce5141bda0fa8c2b8649c26 Mon Sep 17 00:00:00 2001 From: Aleksandr Mezin Date: Sun, 3 May 2026 09:16:34 +0300 Subject: [PATCH] npm: allow git dependencies only in the root `package.json` https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/ Git dependencies-direct or transitive-can include .npmrc files that override the git executable path. This enables arbitrary code execution during install even when using --ignore-scripts. --- .npmrc | 1 + 1 file changed, 1 insertion(+) diff --git a/.npmrc b/.npmrc index c8a5ae8..c80da96 100644 --- a/.npmrc +++ b/.npmrc @@ -3,3 +3,4 @@ # SPDX-License-Identifier: CC0-1.0 ignore-scripts = true +allow-git = root
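Review bot: The added `allow-git = root` line in `.npmrc` carries no comment stating which npm version introduced and enforces this key, and an npm client that does not recognise the setting will simply not enforce it, so the file would look hardened while installs remain unprotected on older toolchains. Suggest adding a `#` comment above the new line (matching the existing SPDX comment style) that gives the rationale from the commit message and the minimum npm version, e.g. `# Git dependencies may carry .npmrc overrides of the git path; restrict to root package.json (requires npm >= <version>)`, and documenting or pinning that npm version for CI so the `--ignore-scripts` bypass described in the message is actually closed where the project is built. It would also help to note whether the root `package.json` currently declares any git dependencies at all, since `root` still permits them there.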