From 6dfb17c5753b27e7555eee4fb11bd6167101a0ae Mon Sep 17 00:00:00 2001
From: Johannes Ewald
Date: Mon, 8 Jun 2026 22:17:21 +0200
Subject: [PATCH] chore: Enforce strict peer deps to catch bad dependabot PRs

Adds strict-peer-deps=true to .npmrc so dependabot fails when generating a lock file with peer dependency conflicts, preventing such PRs from being created. Also adds --strict-peer-deps to npm ci in CI so any conflict that slips through causes the workflow to fail.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/test.yml | 4 ++--
 .npmrc | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3417b06..4d0ab9d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: ๐Ÿ“ฅ Checkout repository
-        uses: actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # main
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # main
         with:
           persist-credentials: false
 
@@ -51,7 +51,7 @@ jobs:
       - name: ๐Ÿ” Install dependencies
         if: steps.cache-node_modules.outputs.cache-hit != 'true'
         run: |
-          npm ci --ignore-scripts --prefer-offline --no-audit
+          npm ci --ignore-scripts --prefer-offline --no-audit --strict-peer-deps
 
       - name: ๐Ÿงช Run tests
         env:
diff --git a/.npmrc b/.npmrc
index 6bc8caf..49727ff 100644
--- a/.npmrc
+++ b/.npmrc
@@ -8,3 +8,6 @@ allow-git=none
 
 # Security hardening: skip package versions published less than 7 days ago (based on CISA's guidance).
 min-release-age=7
+
+# Fail on peer dependency conflicts so dependabot PRs with broken peer deps are rejected.
+strict-peer-deps=true
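Review bot: The new `--strict-peer-deps` flag on the `npm ci` line only runs when the step runs, and the step is gated by `if: steps.cache-node_modules.outputs.cache-hit != 'true'`, so on a cache hit no peer-dependency check happens at all. That is fine if the cache key (defined in a step outside this hunk) includes a hash of package-lock.json, since any lockfile change then misses the cache; if the key does not include the lockfile, a Dependabot PR could pass CI on a stale node_modules without the check ever running — worth confirming. Consider saying so on the step, e.g. `# --strict-peer-deps only runs on a cache miss; the cache key must hash package-lock.json for this to gate lockfile changes.` The `steps:` list and the job definition continue outside this hunk.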
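Review bot: The comment on the new `strict-peer-deps=true` line describes its effect on Dependabot, but the setting applies to every npm invocation that reads this project `.npmrc`, including local `npm install`, which will now fail with ERESOLVE where it previously warned; that should be stated for contributors, e.g. `# Also applies locally: npm install now fails with ERESOLVE on peer conflicts instead of warning.` Whether Dependabot's lockfile generation honours this particular `.npmrc` key is not something this file can establish, so the claim that such PRs are "rejected" should be verified against a real Dependabot run before relying on it as the only gate; the `--strict-peer-deps` flag added to the CI `npm ci` step is the enforcing check either way.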