
Add an .npmrc config file#535

Merged
dkotter merged 7 commits into WordPress:develop from dkotter:add/npm-config on May 13, 2026

Conversation

@dkotter (Collaborator) commented May 12, 2026

What?

Adds an .npmrc config file and updates our minimum Node and npm versions.

Why?

The main reason here is to set a minimum release age required to install an npm package, to help avoid the recent plethora of supply chain attacks. This can be done with the min-release-age config option in .npmrc. This option is only supported on newer versions of npm, so this PR also bumps our minimum Node version to 24 and npm version to 11.

Note this is set to match what was done in WordPress/gutenberg#78191

How?

  • Add an .npmrc config file with a few config options set
  • Remove package-lock.json and node_modules and re-run npm install to rebuild the lock file

Use of AI Tools

None

Testing Instructions

Ensure all tests pass on this PR. If desired, manual testing can be done of all existing features.

Changelog Entry

Developer - Add an .npmrc config file.


@dkotter dkotter added this to the 1.0.0 milestone May 12, 2026
@dkotter dkotter self-assigned this May 12, 2026
github-actions bot commented May 12, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: dkotter <dkotter@git.wordpress.org>
Co-authored-by: justlevine <justlevine@git.wordpress.org>
Co-authored-by: aduth <aduth@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

codecov bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.72%. Comparing base (27ac41f) to head (3eac712).

Additional details and impacted files
@@            Coverage Diff             @@
##             develop     #535   +/-   ##
==========================================
  Coverage      70.72%   70.72%           
  Complexity      1144     1144           
==========================================
  Files             67       67           
  Lines           5510     5510           
==========================================
  Hits            3897     3897           
  Misses          1613     1613           
Flag Coverage Δ
unit 70.72% <ø> (ø)


@dkotter dkotter requested review from jeffpaul and justlevine May 12, 2026 14:50
Comment thread .nvmrc Outdated
@@ -1 +1 @@
22
24
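Review bot: the PR description gives npm 11 (for min-release-age), not Node itself, as the reason for this .nvmrc change from 22 to 24; since .nvmrc is what every contributor's `nvm use` resolves, confirm the project actually needs Node 24, and otherwise leave this file at 22 and raise only the required npm version.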
Contributor commented:

I'm worried about doing this before WordPress/gutenberg#72973. In general those packages don't have the greatest release hygiene, and now that we're using experimental (and fragile) packages like @wordpress/ui, I'd recommend increased care.

Related:

Collaborator Author (dkotter) commented:

Fair point though two thoughts:

  1. GitHub is switching to Node 24 as the default June 2nd, so this gets us ahead of that.
  2. It is a bit trickier having a newer Node version but an older npm version, though that's manageable. For instance, with this set to 22, if I run nvm use locally it will automatically pull in npm v10. With this set to 24, it will automatically pull in npm v11 (which is the npm version we want). So anyone developing locally will potentially have to manually install the right npm version.

Contributor commented:

GitHub is switching to Node 24 as the default June 2nd so this gets us ahead of that

My understanding is this only affects the runner (and actions themselves), but anything that uses our .nvmrc will still work as intended. (If it didn't, we'd be seeing deprecation notices, but I thought we took care of them all in a previous sweep.)

If I'm incorrect, then I assume it will also affect the gutenberg repo too, though if they still can't hit the deadline, we can also update our workflows with ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true

So anyone developing locally will potentially have to manually install the right npm version

As someone who calls nvm use multiple times an hour this one gives me bigger pause. 🤔

@dkotter - waddya think about us reverting npm to >=10 too, and only committing the new .npmrc (new version props included) in this PR?

It would still allow contributors who are using v11 to benefit from min-release-age, although a better defence for the problem for all versions is to use npm ci unless you're intentionally trying to update the lockfile. And we get all the other .npmrc stuff immediately. It also looks like dependabot doesn't use .nvmrc anyway, so that should benefit from the min-release-age on transient deps immediately too.

Leaving it at >=10 would mean that contributors intentionally changing the lockfile still need to remember to npm i -g npm or nvm install --latest-npm or whatever the notice says, but that's a much smaller surface area for us to police... 🤔

Collaborator Author (dkotter) commented:

Reverted back to the existing node and npm versions. I then set my node version to 22.22.2 and npm version to 11.14.1 and re-built the lock file and pushed to this PR, so the only changes now are the new .npmrc file and lock file changes

@justlevine (Contributor) left a comment:

the .npmrc config LGTM, but I think we should just bump NPM and keep node as is.

Comment thread .npmrc Outdated
Comment thread package-lock.json
@dkotter dkotter merged commit a06c544 into WordPress:develop May 13, 2026
51 of 53 checks passed
@dkotter dkotter deleted the add/npm-config branch May 13, 2026 15:54
3 participants