chore: .npmrc security tweaks #10853

Draft
holloway wants to merge 1 commit into main from js-package-manager-security

@holloway holloway commented May 13, 2026

this shouldn't be merged yet, it needs testing and more discussion.

chore

We use npm and yarn and there are some flags that might help with supply chain security.

  • min-release-age: gives community time to flag malicious publishes,
  • allow-git: don't allow dependencies from github:user/repo, git+ssh://, git+https; instead preferring NPM which is more scrutinised,
  • ignore-scripts: don't run preinstall/postinstall scripts as this is a common mechanism for compromised packages. So we should only enable if needed.

/.yarnrc.yml

Yarn supports ignore-scripts and yarn build and yarn legacy:build work so it seems we can enable this.

Yarn 3.2.2 doesn't support min-release-age or allow-git those were added in 4.10.0.

/playwright/.npmrc

Currently this uses Node 16 / NPM 8. ignore-scripts is supported, but we'd need to upgrade to use min-release-age and allow-git.

ignore-scripts: I'd guess that Chrome binaries are installed in a preinstall/postinstall script so this flag might break something.

/dev/coverage-action/.npmrc

Currently this uses Node 16 / NPM 8. ignore-scripts is supported, but we'd need to upgrade to use min-release-age and allow-git.

No testing done yet.

/dev/deploy-to-container/.npmrc

Currently this uses Node 16 / NPM 8. ignore-scripts is supported, but we'd need to upgrade to use min-release-age and allow-git.

No testing done yet.

/dev/k8s-get-deploy-name/.npmrc

Currently this uses Node 16 / NPM 8. ignore-scripts is supported, but we'd need to upgrade to use min-release-age and allow-git.

No testing done yet.
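An added example, not part of this PR or the repository: a small Python lint that parses an .npmrc and reports whether the three settings from the description are actually set, using the key names as written above and accepting any non-empty value for min-release-age (the PR states no value, so that is an assumption).

```python
# Added example (not from the PR): lint an .npmrc for the three settings the
# description proposes. Key names come from the PR text; accepting any
# non-empty value for min-release-age is an assumption (the PR gives none).

# Desired settings; None means "present with some value".
WANTED = {
    "ignore-scripts": "true",   # don't run preinstall/postinstall hooks
    "allow-git": "false",       # no git:/github: dependency sources
    "min-release-age": None,    # value format assumed
}

def parse_npmrc(text):
    """Parse ini-style .npmrc text into {lower-cased key: value}.
    Blank lines and lines starting with ';' or '#' are comments, so a
    commented-out 'ignore-scripts=true' counts as absent."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf

def audit_npmrc(text):
    """Return {key: 'ok' | 'missing' | 'unexpected:<value>'} per WANTED key."""
    conf = parse_npmrc(text)
    findings = {}
    for key, wanted in WANTED.items():
        actual = conf.get(key)
        if not actual:
            findings[key] = "missing"
        elif wanted is None or actual.lower() == wanted:
            findings[key] = "ok"
        else:
            findings[key] = "unexpected:" + actual
    return findings

# Constructed sample: the npm 8 case from the PR, where only ignore-scripts
# is applied and the two keys needing a newer npm are left commented out.
SAMPLE_NPM8 = """\
; supply-chain hardening (draft)
ignore-scripts=true
; allow-git=false
; min-release-age=7
"""

if __name__ == "__main__":
    for key, status in audit_npmrc(SAMPLE_NPM8).items():
        print(f"{key}: {status}")
```

Run it over each of the .npmrc files listed above to see which of the three settings each one still lacks.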
