From b5ae777a4af8f308e5f631be1a69acf399e014b7 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Fri, 15 May 2026 08:41:47 +0200
Subject: [PATCH] feat(home/js): deploy ~/.npmrc and ~/.bunfig.toml everywhere

New metacfg.cli-apps.js module (enabled by default) pins minimum release ages for npm and bun across all home configurations, so the mitigation against newly published malicious packages applies uniformly rather than living as untracked dotfiles on one machine.
---
config/js/bunfig.toml | 2 ++
config/js/npmrc | 3 +++
modules/home/cli-apps/js/default.nix | 21 +++++++++++++++++++++
3 files changed, 26 insertions(+)
create mode 100644 config/js/bunfig.toml
create mode 100644 config/js/npmrc
create mode 100644 modules/home/cli-apps/js/default.nix
diff --git a/config/js/bunfig.toml b/config/js/bunfig.toml
new file mode 100644
index 0000000..08932ab
--- /dev/null
+++ b/config/js/bunfig.toml
@@ -0,0 +1,2 @@
+[install]
+minimumReleaseAge = 604800
diff --git a/config/js/npmrc b/config/js/npmrc
new file mode 100644
index 0000000..128242b
--- /dev/null
+++ b/config/js/npmrc
@@ -0,0 +1,3 @@
+min-release-age=7
+minimum-release-age=10080
+save-exact=true
diff --git a/modules/home/cli-apps/js/default.nix b/modules/home/cli-apps/js/default.nix
new file mode 100644
index 0000000..685daa8
--- /dev/null
+++ b/modules/home/cli-apps/js/default.nix
@@ -0,0 +1,21 @@
+{
+ lib,
+ config,
+ ...
+}:
+let
+ inherit (lib) mkIf;
+ inherit (lib.metacfg) mkBoolOpt;
+
+ cfg = config.metacfg.cli-apps.js;
+in
+{
+ options.metacfg.cli-apps.js = {
+ enable = mkBoolOpt true "Enable npm and bun config.";
+ };
+
+ config = mkIf cfg.enable {
+ home.file.".npmrc".source = ../../../../config/js/npmrc;
+ home.file.".bunfig.toml".source = ../../../../config/js/bunfig.toml;
+ };
+}
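Review bot: The age values in this patch use three different units and none is labelled, starting with `minimumReleaseAge = 604800` in config/js/bunfig.toml and continuing with both age keys in config/js/npmrc. Bun's value is in seconds, npm's `min-release-age` is in days, and `minimum-release-age=10080` looks like a minutes value (presumably pnpm's key), so all three come to seven days, but a later edit can easily change one and leave the others behind. I would add `# seconds; 7 days, keep in sync with config/js/npmrc` above the bun value, and `; days (npm)` and `; minutes, 7 days (pnpm, presumably)` above the two npmrc keys.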
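Review bot: `minimum-release-age=10080` in config/js/npmrc does not look like an npm key, and the description names only npm and bun, so it is unclear which client this line is meant to cover. If it is there for pnpm, the description should say so; recent npm may also print a warning for a key it does not recognise in the user config. Separately, the delay only holds where the installed client is new enough to know its key, and a project-level `.npmrc` or `bunfig.toml` would presumably still take precedence over these user-level values. A comment such as `; requires a client that supports this key; older clients may ignore it without error` would keep readers from assuming blanket coverage.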
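Review bot: `home.file.".npmrc".source` in modules/home/cli-apps/js/default.nix turns ~/.npmrc into a read-only link to a store copy of config/js/npmrc, and with `mkBoolOpt true` that happens on every home configuration, but nothing in the module says so. Commands that write to the user config, such as `npm login` saving a registry token, will presumably fail, and a host that already has a hand-written ~/.npmrc may fail activation until that file is moved aside. I would add above the two `home.file` lines: `# Read-only store links: keep registry tokens out of config/js/npmrc (the Nix store is world-readable).` Redirecting the client to a different user config for auth would also drop the release-age setting, so that trade-off is worth stating in the option description.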