diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000000..14662c5d7a
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,26 @@
+# Block lifecycle scripts (preinstall/install/postinstall/prepare) from
+# dependencies. Mitigates supply-chain attacks that rely on install scripts.
+# Note: this also skips this project's own `prepare` script, so the husky
+# git hooks must be installed manually (see CONTRIBUTING.md).
+ignore-scripts = true
+
+# Refuse to install package versions younger than this many days. Mitigates
+# fast-pulled malicious releases. Requires npm >= 11; uncomment once the
+# project's minimum npm version (and/or .nvmrc Node version) is raised to
+# ship npm 11+ by default.
+# See https://docs.npmjs.com/cli/v11/using-npm/config#min-release-age
+# min-release-age = 7
+
+# Pin exact versions when installing new packages instead of using ^/~ ranges.
+save-exact = true
+
+# Hard-enforce the `engines` field in package.json so contributors and CI
+# fail fast on too-old Node/npm. Uncomment once the project's minimum Node
+# version is raised; with the current floor (`engines.node >= 20.19.0`),
+# enabling this breaks on lint-staged@17, which requires Node >= 22.22.1.
+# engine-strict = true
+
+# WordPress ecosystem defaults (matching wordpress-develop and Gutenberg),
+# except for the unnecessary `legacy-peer-deps = true`.
+lockfile-version = 3
+prefer-dedupe = true
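Review bot: The comment above `ignore-scripts = true` understates its scope: npm applies the setting to this project's own package.json as well, so besides `prepare` every `pre*`/`post*` hook around `npm run`, `npm test` and `npm start` is skipped, while the explicitly named script still runs. A contributor whose `pretest` or `prebuild` step silently stops firing will look here first, so extend the note, e.g. `# Also suppresses this project's own pre*/post* hooks around npm run/test/start.` It is also worth recording that dependencies with a native build step will install without compiling under this setting, so a failing require at runtime (rather than an install error) is the symptom to expect, and that a CLI flag or `npm_config_*` environment variable still overrides the project file, so CI should not assume the protection is in force without checking `npm config get ignore-scripts`.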