Supply chain improvements

[dgreif]

Files changed

• .npmrc
• .github/actions/setup/action.yml
• .github/workflows/nodejs.yml
• .github/workflows/publish.yml
• .github/workflows/release.yml
• .travis.yml
• package.json
• package-lock.json
• tsconfig.json
• vitest.config.js

Ecosystems detected

• npm package with package-lock
• GitHub Actions CI, release, and publish workflows
• Travis CI config

Recommendations applied

• Added npm release-age guard: min-release-age=3.
• Updated CI/release/publish Node usage to Node 26 where applicable.
• Switched CI dependency installation to npm ci.
• Pinned third-party GitHub Actions to full commit SHAs.
• Kept npm publishing on OIDC/provenance and avoided token-based publishing.
• Updated Vitest browser tooling to Vitest 4-compatible packages/config.
• Updated Playwright to the latest installable/current version.
• Ran npm audit fix; no vulnerabilities remained.

Could not apply automatically

• Vitest 4.1.8 is the current latest, but it was published 2026-06-01 and is still inside the 3-day release-age window, so this uses 4.1.7.

Human review notes

• npm trusted publishing may still need to be configured on the npm package side before the publish workflows can publish with OIDC.
• release.yml keeps contents: write because it pushes tags and creates GitHub releases.
• release.yml still uses the repository GITHUB_TOKEN for GitHub release creation.

Validation

• npm install ✅
• npm audit fix ✅, found 0 vulnerabilities
• npm ci ✅
• npm run build --if-present ✅
• npm run check --if-present ✅
• CI=1 npm test ✅, 9 tests passed
• npm audit ✅, found 0 vulnerabilities

Warnings observed: npm 11.6.0 reports min-release-age as an unknown project config in this local environment; validation still passed.

[Copilot]

Pull request overview

This PR hardens the project’s Node/npm supply chain posture by updating CI/release tooling, modernizing the Vitest browser setup, and pinning GitHub Actions to immutable SHAs.

Changes:

• Updated Vitest to v4 and switched browser provider configuration to @vitest/browser-playwright.
• Standardized CI/release/publish workflows on newer Node versions, using npm ci, and pinned third-party actions by commit SHA.
• Added a min-release-age entry to .npmrc intended as a release-age guard.

Show a summary per file

File	Description
.npmrc	Adds a release-age guard configuration (currently not honored by npm).
.github/actions/setup/action.yml	Updates the shared setup action to use Node 26.x and npm ci.
.github/workflows/nodejs.yml	Updates CI matrix and pins checkout/setup-node actions.
.github/workflows/publish.yml	Updates publish job to Node 26 and pins actions.
.github/workflows/release.yml	Pins actions to SHAs for release flow hardening.
.travis.yml	Updates Travis to Node 26 and uses npm ci.
package.json	Bumps Vitest tooling and Playwright to support Vitest v4 browser testing.
package-lock.json	Lockfile updates reflecting dependency upgrades (Vitest/Playwright ecosystem).
tsconfig.json	Sets moduleResolution to node for more compatible TS module resolution.
vitest.config.js	Updates browser provider configuration for Vitest v4.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 8/10 changed files
• Comments generated: 2