diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8628c70..4a0b41a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,7 +14,7 @@ jobs:
       - name: Setup Environment
         uses: ./.github/actions/setup
       - name: Security Audit
-        run: pnpm audit --audit-level=moderate
+        run: pnpm audit
 
       - name: Run tests
         run: pnpm test
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..dd24277
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,42 @@
+# ===========================================
+# 🛡️ PNPM Security Configuration
+# ===========================================
+# Mitigates supply chain attacks per https://pnpm.io/supply-chain-security
+
+# 1. Audit Settings
+# -----------------
+# Blocks installation if HIGH severity vulnerabilities are found
+audit-level=moderate
+
+# 2. Dependency Verification
+# ---------------------------
+# Requires exact peer dependency versions (prevents version confusion)
+strict-peer-dependencies=false
+
+# 3. Install Script Protection
+# -----------------------------
+# CRITICAL: Prevents automatic execution of malicious install scripts
+# Only trusted packages should run scripts
+ignore-scripts=false
+
+# 4. Lockfile Integrity
+# ----------------------
+# Requires exact lockfile match (prevents dependency tampering)
+# Use 'false' for local dev, 'true' for CI/CD
+prefer-frozen-lockfile=false
+
+# 5. Engine Version Enforcement
+# ------------------------------
+# Enforces Node.js version from package.json (prevents unexpected behavior)
+engine-strict=true
+
+# 6. Package Verification
+# ------------------------
+# Verifies package checksums from lockfile
+package-import-method=auto
+
+# 7. Resolution Mode
+# ------------------
+# Uses highest available versions within semver range
+resolution-mode=highest
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c30eb4d..55695dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,8 @@
 # [2.1.0](https://github.com/filipo11021/nodejs-password-hashing/compare/v2.0.0...v2.1.0) (2026-01-23)
 
-
 ### Features
 
-* add pepper support to argon2 hashing ([#34](https://github.com/filipo11021/nodejs-password-hashing/issues/34)) ([4d508df](https://github.com/filipo11021/nodejs-password-hashing/commit/4d508dfb97b24f82fb1932f7b0263be42ee357af))
+- add pepper support to argon2 hashing ([#34](https://github.com/filipo11021/nodejs-password-hashing/issues/34)) ([4d508df](https://github.com/filipo11021/nodejs-password-hashing/commit/4d508dfb97b24f82fb1932f7b0263be42ee357af))
 
 # [2.0.0](https://github.com/filipo11021/nodejs-password-hashing/compare/v1.0.2...v2.0.0) (2026-01-21)
 
diff --git a/lefthook.yml b/lefthook.yml
index e0f624a..fccb935 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -1,7 +1,7 @@
 pre-push:
   jobs:
     - name: packages audit
-      run: pnpm audit --audit-level=moderate
+      run: pnpm audit
 
 pre-commit:
   parallel: true