build: add lightweight npm supply chain guardrails

[julian-risch]

Related Issues

• Follows on from build: add uv exclude-newer, pip uploaded-prior-to and Dependabot cooldown as supply chain guardrails #11170 which added supply chain guardrails for pip/uv.

Changes

check_api_ref.yml — pin npx docusaurus-mdx-checker to @3.0.0:

• Previously npx fetched the latest version on every run with no version pin, so a compromised release could land in CI immediately. Now pinned to the current latest (3.0.0). Updates can be applied deliberately when needed.
• There aren't frequent releases: https://www.npmjs.com/package/docusaurus-mdx-checker?activeTab=versions

docs_search_sync.yml — add --ignore-scripts to npm install, then explicitly rebuild sharp:

• npm install --ignore-scripts blocks preinstall/install/postinstall lifecycle hooks across all packages which is a common supply chain attack vectors. Risk here is that there are any hooks that are required and this change will make them fail. We'll see.
• We add one exception: npm rebuild sharp then re-runs only sharp's install script. Sharp is a native module (libvips bindings) that downloads a platform-specific prebuilt binary in its install script — without it, @docusaurus/plugin-ideal-image and other Docusaurus image code would fail at build time.

.github/dependabot.yml — add npm ecosystem entry:

• Adds an npm entry for /docs-website on a daily cadence with cooldown.default-days: 1, matching what we use for GitHub actions and pip. Dependabot will open bump PRs for direct dependencies in package.json.

Notes for the reviewer

I chose to not commit docs-website/package-lock.json or switch to npm ci. The lockfile is ~900KB and would generate frequent Dependabot bumps touching it because that would include all transitive dependencies. Not just direct dependencies.

Checklist

• I have read the contributors guidelines and the code of conduct.
• I have updated the related issue with new insights and changes.
• I have added unit tests and updated the docstrings.
• I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test: and added ! in case the PR includes breaking changes.
• I have documented my code.
• I have added a release note file, following the contributors guidelines.
• I have run pre-commit hooks and fixed any issue.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
haystack-docs	Ignored	Preview	May 21, 2026 11:32am

[github-actions]

Coverage report

This PR does not seem to contain any modification to coverable code.

[sjrl]

@julian-risch I think this looks good. Did you have a chance to test to see if this build works or will we see next time the docs website is rebuilt?

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[julian-risch]

@julian-risch I think this looks good. Did you have a chance to test to see if this build works or will we see next time the docs website is rebuilt?

I reproduced the workflow steps locally, particularly the npm install --ignore-scripts part and the npm rebuild sharp. Looks good to me. Can't rule out any surprises in the CI but I am confident it will work fine.