
chore: add npmrc file with ignore-scripts. yes, and offline configuration #29882

Merged: tommasini merged 1 commit into main from chore/npmrc-file, May 8, 2026

tommasini (Contributor) commented May 7, 2026

Description

The .npmrc file configures npm's behavior for this project. Here's what each line does:

ignore-scripts = true: Prevents npm from automatically running lifecycle scripts (like preinstall, postinstall, prepare, etc.) defined in package.json of installed dependencies. This is a security measure — it stops potentially malicious packages from executing arbitrary code during installation. The tradeoff is that some packages that rely on build scripts (like native modules) won't set themselves up automatically, which is why this project uses yarn setup instead of a plain install.

yes = false: Disables automatic "yes" responses to prompts. This ensures npm will actually pause and ask for confirmation on interactive prompts rather than silently accepting defaults — useful to avoid unintended actions during scripted environments.

offline = true: Forces npm to only use the local cache and never hit the network. If a package isn't already cached, the install fails rather than fetching it. This is a reproducibility and security measure — it ensures installs are deterministic and prevents supply-chain attacks from packages being silently swapped on the registry.

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and/or screenshots.

Note

Medium Risk
Adds a repo-wide .npmrc that changes dependency-install behavior (disables lifecycle scripts and forces offline/cache-only installs), which can break installs in CI/dev environments if assumptions differ.

Overview
Adds a committed .npmrc configuring npm to ignore-scripts, disable auto-yes, and run in offline mode.

Updates .gitignore to stop excluding .npmrc, so these npm defaults are versioned and applied consistently across the project.

Reviewed by Cursor Bugbot for commit d54246b. Bugbot is set up for automated code reviews on this repo. Configure here.
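
The settings and the tradeoff described in the PR description above, as an added example that is not part of the pull request or the project's code: it checks an .npmrc for the three values and lists the install hooks that ignore-scripts would skip. The .npmrc text is reconstructed from the description; the package names and manifests are constructed.

```javascript
// Added example (not project code). Sample inputs below are constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Minimal .npmrc reader: "key = value" lines; ';' or '#' starts a comment line.
// Simplification: a bare key is read as "true"; quoting and ${VAR} are not handled.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    const key = (eq === -1 ? line : line.slice(0, eq)).trim();
    cfg[key] = eq === -1 ? 'true' : line.slice(eq + 1).trim();
  }
  return cfg;
}

// Report each expected setting that is unset or has a different value.
function checkNpmrc(text, expected) {
  const cfg = parseNpmrc(text);
  return Object.entries(expected)
    .filter(([key, want]) => cfg[key] !== want)
    .map(([key, want]) => `${key}: expected ${want}, found ${cfg[key] ?? '(unset)'}`);
}

// List install-time hooks declared by dependency manifests (parsed package.json
// objects). With ignore-scripts = true these do not run and need a reviewed,
// explicit setup step instead.
function skippedInstallHooks(manifests) {
  return manifests.flatMap((m) =>
    INSTALL_HOOKS.filter((hook) => m.scripts && m.scripts[hook])
      .map((hook) => ({ name: m.name, hook, command: m.scripts[hook] })));
}

const EXPECTED = { 'ignore-scripts': 'true', yes: 'false', offline: 'true' };
// Reconstructed from the three settings listed in the PR description.
const SAMPLE_NPMRC = 'ignore-scripts = true\nyes = false\noffline = true\n';
// Constructed manifests with hypothetical package names.
const SAMPLE_MANIFESTS = [
  { name: 'example-native-addon', scripts: { install: 'node-gyp rebuild' } },
  { name: 'example-pure-js', scripts: { test: 'jest' } },
  { name: 'example-telemetry', scripts: { postinstall: 'node setup.js' } },
  { name: 'example-no-scripts' },
];

console.log(checkNpmrc(SAMPLE_NPMRC, EXPECTED));
console.log(checkNpmrc('; scripts re-enabled\nignore-scripts=false\n', EXPECTED));
console.log(skippedInstallHooks(SAMPLE_MANIFESTS));
```
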

github-actions Bot (Contributor) commented May 7, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbotv2 metamaskbotv2 Bot added the team-mobile-platform Mobile Platform team label May 7, 2026
github-actions Bot (Contributor) commented May 7, 2026

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 97%
🤖 AI reasoning details

E2E Test Selection:
The two changed files are purely npm/git configuration:

  1. .gitignore: Removed the entry that excluded .npmrc from version control. This is a meta-change allowing .npmrc to be tracked in git.

  2. .npmrc: A new committed npm configuration file with three settings:

    • ignore-scripts = true: Prevents lifecycle scripts during npm install (security hardening)
    • yes = false: Disables auto-confirmation
    • offline = true: Forces use of cached packages

These changes affect only the npm package management behavior and have zero impact on:

  • Application source code or business logic
  • UI components, screens, or user flows
  • Controllers, Engine, or state management
  • E2E test infrastructure or test code
  • Performance-sensitive code paths

No E2E tests need to run for these changes. They are purely developer tooling/configuration changes with no user-facing or test-facing impact.

Performance Test Selection:
The changes are limited to npm and git configuration files (.npmrc and .gitignore). These have no impact on app rendering, data loading, state management, or any performance-sensitive code paths. No performance tests are warranted.


sonarqubecloud Bot commented May 7, 2026

@tommasini tommasini added the no-changelog label (indicates no external facing user changes, therefore no changelog documentation needed) and removed the team-mobile-platform (Mobile Platform team) and size-XS labels May 7, 2026

@Gudahtt Gudahtt (Member) left a comment

LGTM!

@tommasini tommasini added this pull request to the merge queue May 8, 2026
Merged via the queue into main with commit f244684 May 8, 2026
86 of 93 checks passed
@tommasini tommasini deleted the chore/npmrc-file branch May 8, 2026 17:59
@github-actions github-actions Bot locked and limited conversation to collaborators May 8, 2026
@metamaskbotv2 metamaskbotv2 Bot added the release-7.78.0 Issue or pull request that will be included in release 7.78.0 label May 8, 2026