diff --git a/.github/workflows/label-merge-conflicts.yml b/.github/workflows/label-merge-conflicts.yml
index afbcda0a1e5d..ebb380a9adfc 100644
--- a/.github/workflows/label-merge-conflicts.yml
+++ b/.github/workflows/label-merge-conflicts.yml
@@ -7,6 +7,7 @@ on:
 push:
 branches:
 - main
+ # TODO(supply-chain-security): Human review: this workflow uses pull_request_target; keep permissions minimal and do not check out or run untrusted PR code here.
 pull_request_target:
diff --git a/.github/workflows/sync.yaml b/.github/workflows/sync.yaml
index 52a41a63cf64..6e50f218adb0 100644
--- a/.github/workflows/sync.yaml
+++ b/.github/workflows/sync.yaml
@@ -1,6 +1,7 @@
 name: 'Upstream Sync'
 permissions:
+ # TODO(supply-chain-security): Human review: confirm this scheduled sync still requires contents: write and narrow if the sync action supports lower privileges.
 contents: write
 on:
@@ -12,6 +13,7 @@ on:
 jobs:
 sync_latest_from_upstream:
 permissions:
+ # TODO(supply-chain-security): Human review: confirm this job still requires contents: write for upstream sync.
 contents: write
 runs-on: ubuntu-latest
 name: Sync latest commits from upstream repo
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 000000000000..ec9e05d8a7bf
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+min-release-age=3
diff --git a/.travis.yml b/.travis.yml
index 259f683661a7..d4399bf7352c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,4 +5,6 @@ cache:
 directories:
 - "node_modules"
+install: npm ci
+
 script: npm run-script build
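Review bot: The TODO added above `pull_request_target:` in label-merge-conflicts.yml names the risk but enforces nothing, and it sits under `on:` rather than beside the setting that controls it. Whether this workflow declares an explicit `permissions:` block or checks out the PR head is outside the hunk, so that should be verified in this change rather than deferred. If the labelling step only needs to edit labels, a workflow-level `permissions: {contents: read, pull-requests: write}` would turn the comment's intent into an enforced limit; the exact scopes depend on the action used and need confirming. The comment is also far longer than a usual line limit and would read better wrapped over two or three `#` lines.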
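Review bot: The workflow-level `contents: write` in sync.yaml (first hunk) looks redundant, because the `sync_latest_from_upstream` job in the second hunk declares its own `permissions:`, and a job-level block replaces the workflow default for that job. Narrowing the top-level entry to `contents: read` keeps the write grant on the one job that uses it, so any job added later starts without it. Both TODO comments could then give way to a short statement of why the job needs the scope, for example `# contents: write: the sync step pushes upstream commits to this repository`, if that is indeed the reason. The job's steps are outside the hunks, so which action receives the token could not be checked here.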
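Review bot: `min-release-age=3` in the new .npmrc only has an effect on npm releases that recognise the key; as far as I know older clients do not enforce an unknown .npmrc entry, so the cooldown can be silently absent in CI or on a contributor's machine. Nothing visible in this diff pins the npm version used by the build, so the minimum supported npm version should be confirmed and recorded, for instance under `engines` in package.json. A comment above the setting would also help the next reader: `# Do not install package versions published less than 3 days ago` (assuming the unit is days; confirm against the npm documentation).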
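Review bot: `install: npm ci` removes any existing node_modules before installing, so the `cache:` entry for `"node_modules"` shown as context in the .travis.yml hunk no longer saves any work; caching npm's download cache instead (`- "$HOME/.npm"`) matches this install step. `npm ci` also runs dependency lifecycle scripts by default, so if the build does not depend on them, `install: npm ci --ignore-scripts` reduces what a compromised package can execute on the CI host. `npm ci` fails without a committed lockfile, and none is visible in this diff.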