Add .npmrc ignore-scripts=true (Miasma install-hook mitigation)

[dbutts29]

Description of the change

Adds a repo-local .npmrc containing ignore-scripts=true so npm does not auto-execute dependency lifecycle scripts (preinstall/install/postinstall) on npm install. This blocks the execution mechanism used by the Miasma / Shai-Hulud npm supply-chain worm.

Config-only change. Explicit npm run <script> invocations are unaffected; only automatic install-time lifecycle scripts are suppressed. Part of a fleet-wide rollout tracked in Linear PLA-1580 (one PR per repo).

Type of change

• Maintenance

Related issues

• PLA-1580 (Linear): https://linear.app/rollbar-inc/issue/PLA-1580

Checklists

Development

• N/A — configuration-only change, no code or tests affected

Code review

• This pull request has a descriptive title and information useful to a reviewer
• Issue from task tracker has a link to this pull request

[linear-code]

PLA-1580

[Copilot]

Pull request overview

Adds a repository-local npm configuration to disable automatic execution of dependency lifecycle scripts during installs, mitigating the install-hook mechanism used by the Miasma / Shai-Hulud npm supply-chain worm (PLA-1580 fleet rollout).

Changes:

• Add .npmrc with ignore-scripts=true to suppress preinstall/install/postinstall lifecycle scripts during npm install/npm ci.
• Preserve the ability to run explicit scripts via npm run <script> (no change to package scripts).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.