From d11a9c7d506fbc262c383630706516bbceae2fe8 Mon Sep 17 00:00:00 2001 From: jinhyoo-mp <95310256+jinhyoo-mp@users.noreply.github.com> Date: Tue, 2 Jun 2026 22:00:59 -0700 Subject: [PATCH] Add yes=false to .npmrc to prevent npx auto-install DEV-376: defense-in-depth alongside the CI policy in DEV-375. Equivalent to passing --no to every npx invocation. Linear: https://linear.app/mixpanel/issue/DEV-376 --- .npmrc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.npmrc b/.npmrc index e542392f..f0549c63 100644 --- a/.npmrc +++ b/.npmrc @@ -1,2 +1,5 @@ # Prevent supply chain attacks min-release-age=7 +# Stop `npx` from silently downloading packages not in node_modules. +# Equivalent to passing `--no` to every `npx` invocation. +yes=false
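Review bot: The two comment lines added above `yes=false` say what the setting does but not what a developer should do when `npx <tool>` starts refusing to run, and they do not mention the setting's limits. Suggest adding a line such as `# If npx refuses to run a tool, add it to devDependencies and reinstall.` so the failure explains itself. The comment could also state that this is only a project-level default: an explicit `--yes` on the command line or `npm_config_yes=true` in the environment takes precedence over `.npmrc`, and the file only applies to invocations made from inside this repository. Existing scripts and CI jobs should therefore be checked for `npx --yes` or `npx -y` rather than relying on this file alone, which fits the defense-in-depth framing in the commit message.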