diff --git a/.npmrc b/.npmrc
new file mode 100644
index 000000000..315db498d
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2025 DB Systel GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# If set to false, then ignore package-lock.json files when installing. This will also prevent writing package-lock.json if save is true. source: https://docs.npmjs.com/cli/v11/using-npm/config
+package-lock=true
+# If true, npm does not run scripts specified in package.json files. source: https://docs.npmjs.com/cli/v11/using-npm/config#ignore-scripts
+ignore-scripts=true
+# Dependencies saved to package.json will be configured with an exact version rather than using npm's default semver range operator. source: https://docs.npmjs.com/cli/v11/using-npm/config#save-exact
+save-exact=true
+# If set to true, then npm will stubbornly refuse to install (or even consider installing) any package that claims to not be compatible with the current Node.js version. source: https://docs.npmjs.com/cli/v11/using-npm/config#engine-strict
+engine-strict=true
diff --git a/package.json b/package.json
index 92c9e4b8d..eafa03021 100644
--- a/package.json
+++ b/package.json
@@ -73,5 +73,8 @@
     "registry": "https://registry.npmjs.org/",
     "access": "public"
   },
-  "homepage": "https://db-ui.github.io/base/"
+  "homepage": "https://db-ui.github.io/base/",
+  "engines": {
+    "node": ">= 22"
+  }
 }