diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..9e14e0b
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,6 @@
+# Supply chain protection
+# - save-exact: pin to exact versions instead of semver ranges
+# - min-release-age: quarantine newly published packages for 7 days
+# (blocks typosquatting & fast-publish supply chain attacks like axios@1.14.1)
+save-exact=true
+min-release-age=7
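Review bot: The comment on the min-release-age line overstates what it protects against: a release-age gate only delays installation of newly published versions, so it mitigates fast-publish compromised-version attacks but does nothing against a typosquatted package that has been on the registry longer than the threshold, and the parenthetical should say so, e.g. `# (mitigates fast-publish attacks where a compromised version is pushed and pulled in within hours; does NOT stop typosquatting — verify package names)`. The key is also only honored by npm clients that implement it; older clients silently ignore unknown .npmrc keys and install with no quarantine at all, so the minimum npm version (or a `packageManager` pin in package.json) should be stated alongside it, e.g. `# requires an npm version that supports min-release-age; older clients ignore this key`. The unit of the value (days here, per the comment) should be confirmed against the client in use, since the pnpm equivalent is expressed in minutes. Note too that save-exact only affects specifiers written by future `npm install` saves; existing ranges in package.json and the lockfile are unaffected.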