
Supply chain improvements#26

Merged: dgreif merged 2 commits into master from supply-chain-improvements on Jun 3, 2026

Conversation

@dgreif
Contributor

@dgreif dgreif commented Jun 3, 2026

Summary

  • Added project .npmrc with min-release-age=3 for npm installs.
  • Updated .github/workflows/nodejs.yml to run Node 26, use npm ci, and pin third-party actions to full commit SHAs.
  • Updated .github/workflows/publish.yml to run Node 26 and pin third-party actions to full commit SHAs.
  • Updated Mocha so the test runner is compatible with Node 26 CI.

Ecosystems detected

  • npm package with package-lock.
  • GitHub Actions CI and npm publish workflows.

Recommendations applied

  • CI now uses Node 26 and npm ci.
  • Publish workflow keeps OIDC/provenance publishing with id-token: write and no token-based publish.
  • Third-party Actions are pinned to current full SHAs.
  • Ran npm audit fix; no changes were needed before the CI fix.

Not applied

  • Vitest and Playwright updates were not applicable; this repo uses Mocha and has no Playwright dependency.

Human review notes

  • Confirm the npm package has trusted publishing configured for this workflow before the next release.
  • npm audit --audit-level=moderate passes; npm reports two low-severity advisories in Mocha's diff dependency with no non-breaking fix currently available.

Validation

  • npm install --save-dev mocha@^11.7.6
  • npm ci
  • npm run build --if-present
  • npm test
  • npm audit --audit-level=moderate
  • npx -y -p node@26 -c 'node -v && npm run build --if-present && npm test'
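The action-pinning and npm ci changes listed above, as an added check that is not code from this PR or the project: a POSIX sh lint that flags `uses:` references not pinned to a full commit SHA and `run:` steps that still call `npm install`. The sample workflow and its checkout SHA are constructed placeholders.

```shell
# Added example (not code from the PR or the project): a lint for the two workflow
# changes the PR describes. It lists external `uses:` references not pinned to a
# full 40-hex commit SHA, and `run:` steps that call `npm install` instead of `npm ci`.
# Local (./...) and docker:// actions are skipped; the sample workflow is constructed.

# Print "LINE:REF" for each action reference not pinned to a full commit SHA.
find_unpinned_actions() {
  awk '
    /^[ \t]*-?[ \t]*uses:/ {
      ref = $0
      sub(/^[ \t]*-?[ \t]*uses:[ \t]*/, "", ref)
      gsub(/["'"'"']/, "", ref)        # strip YAML quotes
      sub(/[ \t].*$/, "", ref)         # drop any trailing comment
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = index(ref, "@")
      sha = (n > 0) ? substr(ref, n + 1) : ""
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) print NR ":" ref
    }' "$1"
}
# Print "LINE:COMMAND" for run steps that use npm install rather than npm ci.
find_npm_install_steps() {
  awk '
    /^[ \t]*-?[ \t]*run:/ && /npm[ \t]+(install|i)([ \t]|$)/ {
      cmd = $0
      sub(/^[ \t]*-?[ \t]*run:[ \t]*/, "", cmd)
      print NR ":" cmd
    }' "$1"
}
# Exit non-zero when either check finds something, so this can gate CI.
lint_workflow() {
  findings="$(find_unpinned_actions "$1"; find_npm_install_steps "$1")"
  [ -z "$findings" ] && return 0
  printf 'supply-chain lint findings in %s:\n%s\n' "$1" "$findings"
  return 1
}
# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: "actions/cache@main"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: npm install
      - run: npm ci
EOF
lint_workflow "$SAMPLE" || echo "workflow needs fixes (exit $?)"
```

Run it against `.github/workflows/*.yml` in a CI step to catch a mutable tag or branch reference creeping back in after this PR.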

dgreif and others added 2 commits June 3, 2026 10:38
Pin third-party workflow actions, run CI on Node 26 with npm ci, and add npm minimum release age configuration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Mocha 10 pulls in yargs 16, which fails under Node 26 when loaded from this type:module package. Update Mocha so the test runner uses a Node 26-compatible yargs release.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@dgreif dgreif marked this pull request as ready for review June 3, 2026 17:16
@dgreif dgreif requested a review from a team as a code owner June 3, 2026 17:16
Copilot AI review requested due to automatic review settings June 3, 2026 17:16

Copilot AI left a comment


Pull request overview

This PR focuses on supply-chain hardening for the project’s npm and CI/release workflows by updating the test toolchain and tightening CI installation/pinning practices.

Changes:

  • Upgraded Mocha to a Node 26–compatible version and refreshed the lockfile accordingly.
  • Added a project .npmrc to enforce a minimum package release age during installs.
  • Updated GitHub Actions workflows to use Node 26, prefer npm ci, and pin actions to full commit SHAs.
Summary per file:

  • package.json: Bumps Mocha to a newer major version to support newer Node in CI.
  • package-lock.json: Updates resolved dependency graph to match the Mocha upgrade.
  • .npmrc: Adds a minimum release age policy for npm installs (supply-chain control).
  • .github/workflows/nodejs.yml: Pins actions, moves CI to Node 26, switches install to npm ci.
  • .github/workflows/publish.yml: Pins actions and moves publishing workflow to Node 26.

Copilot's findings


  • Files reviewed: 4/5 changed files
  • Comments generated: 1

Comment thread .npmrc
@@ -0,0 +1 @@
min-release-age=3
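Review bot: the new .npmrc gives no hint of what the value 3 means or why it is there; .npmrc accepts `;` and `#` comment lines, so add one stating the unit and the intent (delay installing freshly published versions so a compromised release can be pulled before CI picks it up), and confirm that the npm bundled with Node 26 in the updated workflows actually honors `min-release-age`, since an npm that does not know the key will not fail the build over it and the control would silently be inactive.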
@dgreif dgreif merged commit ce66d3b into master Jun 3, 2026
5 checks passed
@dgreif dgreif deleted the supply-chain-improvements branch June 3, 2026 17:55
3 participants