Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions deps/npm/docs/content/commands/npm-approve-scripts.md
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,14 @@ the command cannot infer. Existing `false` entries always win;
`approve-scripts` will not silently re-allow a package you previously
denied.

If a registry dependency has no `resolved` URL in your `package-lock.json`
(for example, an older lockfile or one written with
`omit-lockfile-registry-resolved`), npm cannot verify a trusted version for
it and cannot pin it: a `pkg@1.2.3` entry never matches, so the package
keeps appearing under `--allow-scripts-pending`. `approve-scripts` approves
these by name (`pkg: true`) and warns when it does. To restore pinning,
refresh the lockfile with `npm install`.

### Examples

```bash
Expand Down
16 changes: 14 additions & 2 deletions deps/npm/docs/content/commands/npm-ci.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,8 +74,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
deps at top-level. linked: (experimental) install in node_modules/.store,
link in place, unhoisted.
deps at top-level. linked: install in node_modules/.store, link in place,
unhoisted.

We recommend that package authors use `--install-strategy=linked` during
development to catch undeclared ("phantom") dependencies before publishing:
the isolated layout only exposes a package's declared dependencies, so an
`import` of a package that was never added to `package.json` can fail
instead of resolving by accident and shipping broken. See [Catching
undeclared ("phantom")
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).



Expand Down Expand Up @@ -298,6 +306,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.

Optional dependencies that cannot be installed on the current platform or
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
their install scripts never run.



#### `dangerously-allow-all-scripts`
Expand Down
12 changes: 10 additions & 2 deletions deps/npm/docs/content/commands/npm-dedupe.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,8 +74,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
deps at top-level. linked: (experimental) install in node_modules/.store,
link in place, unhoisted.
deps at top-level. linked: install in node_modules/.store, link in place,
unhoisted.

We recommend that package authors use `--install-strategy=linked` during
development to catch undeclared ("phantom") dependencies before publishing:
the isolated layout only exposes a package's declared dependencies, so an
`import` of a package that was never added to `package.json` can fail
instead of resolving by accident and shipping broken. See [Catching
undeclared ("phantom")
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).



Expand Down
4 changes: 4 additions & 0 deletions deps/npm/docs/content/commands/npm-exec.md
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.

Optional dependencies that cannot be installed on the current platform or
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
their install scripts never run.



#### `dangerously-allow-all-scripts`
Expand Down
12 changes: 10 additions & 2 deletions deps/npm/docs/content/commands/npm-find-dupes.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
deps at top-level. linked: (experimental) install in node_modules/.store,
link in place, unhoisted.
deps at top-level. linked: install in node_modules/.store, link in place,
unhoisted.

We recommend that package authors use `--install-strategy=linked` during
development to catch undeclared ("phantom") dependencies before publishing:
the isolated layout only exposes a package's declared dependencies, so an
`import` of a package that was never added to `package.json` can fail
instead of resolving by accident and shipping broken. See [Catching
undeclared ("phantom")
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).



Expand Down
16 changes: 14 additions & 2 deletions deps/npm/docs/content/commands/npm-install-ci-test.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
deps at top-level. linked: (experimental) install in node_modules/.store,
link in place, unhoisted.
deps at top-level. linked: install in node_modules/.store, link in place,
unhoisted.

We recommend that package authors use `--install-strategy=linked` during
development to catch undeclared ("phantom") dependencies before publishing:
the isolated layout only exposes a package's declared dependencies, so an
`import` of a package that was never added to `package.json` can fail
instead of resolving by accident and shipping broken. See [Catching
undeclared ("phantom")
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).



Expand Down Expand Up @@ -251,6 +259,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.

Optional dependencies that cannot be installed on the current platform or
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
their install scripts never run.



#### `dangerously-allow-all-scripts`
Expand Down
166 changes: 166 additions & 0 deletions deps/npm/docs/content/commands/npm-install-scripts.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,166 @@
---
title: npm-install-scripts
section: 1
description: Manage install-script approvals for dependencies
---

### Synopsis

```bash
npm install-scripts approve <pkg> [<pkg> ...]
npm install-scripts approve --all
npm install-scripts deny <pkg> [<pkg> ...]
npm install-scripts deny --all
npm install-scripts ls
npm install-scripts prune
```

Note: This command is unaware of workspaces.

### Description

Manages the `allowScripts` field in your project's `package.json`, which
records which of your dependencies are permitted to run install scripts
(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry
sources). This is the recommended way to maintain that field.

Dependency install scripts are blocked by default. Install commands
silently skip lifecycle scripts for any dependency that does not have a
matching entry in `allowScripts`, and end with a list of the packages
whose scripts were skipped so you can review them here.

This command only works inside a project that has a `package.json`. Running
it with `--global` (`-g`) fails with an `EGLOBAL` error, since global
installs (`npm install -g`) and one-off executions (`npm exec` / `npx`) have
no project `package.json` to write to. To allow install scripts in those
contexts, use the `--allow-scripts` flag at install time (for example
`npm install -g --allow-scripts=canvas,sharp`) or persist the setting with
`npm config set allow-scripts=canvas,sharp --location=user`.

There are four subcommands:

```bash
npm install-scripts approve <pkg> [<pkg> ...]
npm install-scripts approve --all
npm install-scripts deny <pkg> [<pkg> ...]
npm install-scripts deny --all
npm install-scripts ls
npm install-scripts prune
```

`approve` allows install scripts for the named packages. `<pkg>` matches
every installed version of that package. By default it writes pinned entries
(`pkg@1.2.3`), which keep their approval narrowed to the specific version you
reviewed. Pass `--no-allow-scripts-pin` to write name-only entries that allow
any future version. `--all` approves every package with unreviewed install
scripts in one go.

`deny` records an explicit denial for the named packages (a name-only `false`
entry), which survives `npm install-scripts approve --all` and excludes the
package from any future blanket approval. `--all` denies every package with
unreviewed install scripts.

`ls` is read-only: it lists every package whose install scripts are not yet
covered by `allowScripts`, without modifying `package.json`.

`prune` removes `allowScripts` entries that no longer match an installed
package with an install script, either because the package is no longer
installed (a transitive dependency changed, or a pinned `pkg@1.2.3` was
upgraded) or because it no longer has an install script. Both approvals
(`true`) and denials (`false`) are removed. It edits only the `allowScripts`
field in `package.json`, never `.npmrc` or `--allow-scripts`. Pass `--dry-run`
to preview without writing. Unparseable keys are left alone.

`approve` honours the asymmetric pin rule: if you re-approve a package whose
installed version has changed, the existing pin is rewritten to track the new
installed version. Multi-version statements (`pkg@1 || 2`) are left alone,
since they likely capture intent that the command cannot infer. Existing
`false` entries always win; `approve` will not silently re-allow a package you
previously denied.

The standalone commands [`npm approve-scripts`](/commands/npm-approve-scripts)
and [`npm deny-scripts`](/commands/npm-deny-scripts) are aliases for
`npm install-scripts approve` and `npm install-scripts deny`.

### Examples

```bash
# Approve all currently-installed install scripts after reviewing them
npm install-scripts approve --all

# Approve specific packages, pinned to their installed version
npm install-scripts approve canvas sharp

# Deny a package so it stays blocked
npm install-scripts deny telemetry-pkg

# Preview which packages still need review
npm install-scripts ls

# Preview stale allowScripts entries, then remove them
npm install-scripts prune --dry-run
npm install-scripts prune
```

### Configuration

#### `all`

* Default: false
* Type: Boolean

Show or act on all packages, not just the ones your project directly depends
on. For `npm outdated` and `npm ls` this lists every outdated or installed
package. For `npm approve-scripts` and `npm deny-scripts` it selects every
package with pending install scripts.



#### `allow-scripts-pin`

* Default: true
* Type: Boolean

Write pinned (`pkg@version`) entries when approving install scripts. Set to
`false` to write name-only entries that allow any version. Has no effect on
`npm deny-scripts`, which always writes name-only entries regardless of this
setting.



#### `dry-run`

* Default: false
* Type: Boolean

Indicates that you don't want npm to make any changes and that it should
only report what it would have done. This can be passed into any of the
commands that modify your local installation, eg, `install`, `update`,
`dedupe`, `uninstall`, as well as `pack` and `publish`.

Note: This is NOT honored by other network related commands, eg `dist-tags`,
`owner`, etc.



#### `json`

* Default: false
* Type: Boolean

Whether or not to output JSON data, rather than the normal output.

* In `npm pkg set` it enables parsing set values with JSON.parse() before
saving them to your `package.json`.

Not supported by all npm commands.



### See Also

* [npm approve-scripts](/commands/npm-approve-scripts)
* [npm deny-scripts](/commands/npm-deny-scripts)
* [npm install](/commands/npm-install)
* [npm rebuild](/commands/npm-rebuild)
* [package.json](/configuring-npm/package-json)
26 changes: 24 additions & 2 deletions deps/npm/docs/content/commands/npm-install-test.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
deps at top-level. linked: (experimental) install in node_modules/.store,
link in place, unhoisted.
deps at top-level. linked: install in node_modules/.store, link in place,
unhoisted.

We recommend that package authors use `--install-strategy=linked` during
development to catch undeclared ("phantom") dependencies before publishing:
the isolated layout only exposes a package's declared dependencies, so an
`import` of a package that was never added to `package.json` can fail
instead of resolving by accident and shipping broken. See [Catching
undeclared ("phantom")
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).



Expand Down Expand Up @@ -328,6 +336,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.

Optional dependencies that cannot be installed on the current platform or
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
their install scripts never run.



#### `dangerously-allow-all-scripts`
Expand Down Expand Up @@ -375,6 +387,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.

As with `min-release-age`, when this cutoff blocks a fix that `npm audit
fix` would install, npm keeps the vulnerable version, warns, and exits with
a non-zero code.

Packages whose names match `min-release-age-exclude` are exempt from this
filter.

Expand All @@ -397,6 +413,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.

When this window stops `npm audit fix` from installing a patched version
(because the fix was published too recently), npm keeps the package at its
vulnerable version, warns that the fix was blocked, and exits with a
non-zero code. To install the fix, add the package to
`min-release-age-exclude`, or relax `min-release-age` or `before`.

Packages whose names match `min-release-age-exclude` are exempt from this
filter.

Expand Down
26 changes: 24 additions & 2 deletions deps/npm/docs/content/commands/npm-install.md
Original file line number Diff line number Diff line change
Expand Up @@ -410,8 +410,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
deps at top-level. linked: (experimental) install in node_modules/.store,
link in place, unhoisted.
deps at top-level. linked: install in node_modules/.store, link in place,
unhoisted.

We recommend that package authors use `--install-strategy=linked` during
development to catch undeclared ("phantom") dependencies before publishing:
the isolated layout only exposes a package's declared dependencies, so an
`import` of a package that was never added to `package.json` can fail
instead of resolving by accident and shipping broken. See [Catching
undeclared ("phantom")
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).



Expand Down Expand Up @@ -670,6 +678,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.

Optional dependencies that cannot be installed on the current platform or
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
their install scripts never run.



#### `dangerously-allow-all-scripts`
Expand Down Expand Up @@ -717,6 +729,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.

As with `min-release-age`, when this cutoff blocks a fix that `npm audit
fix` would install, npm keeps the vulnerable version, warns, and exits with
a non-zero code.

Packages whose names match `min-release-age-exclude` are exempt from this
filter.

Expand All @@ -739,6 +755,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.

When this window stops `npm audit fix` from installing a patched version
(because the fix was published too recently), npm keeps the package at its
vulnerable version, warns that the fix was blocked, and exits with a
non-zero code. To install the fix, add the package to
`min-release-age-exclude`, or relax `min-release-age` or `before`.

Packages whose names match `min-release-age-exclude` are exempt from this
filter.

Expand Down
Loading
Loading