Skip to content
This repository has been archived by the owner on Aug 18, 2024. It is now read-only.

Latest commit

 

History

History
49 lines (34 loc) · 1.65 KB

README.md

File metadata and controls

49 lines (34 loc) · 1.65 KB

allow-scripts

Execute allowed npm install lifecycle scripts.

tl;dr

  • Whitelist packages that you trust in your package.json: "allowScripts": { "packageName": "1.x.x - 2.x.x" }
  • Run npm install --ignore-scripts or yarn install --ignore-scripts
  • Run npx allow-scripts

Only the explicitly allowed [pre|post]install scripts will be executed.

Usage

$ npx allow-scripts [--dry-run]

Running the command will scan the list of installed dependencies (using an existing package-lock.json or npm-shrinkwrap.json or by creating one on the fly). It will then execute the scripts for allowed dependencies that have them in the following order:

  • preinstall in the main package
  • preinstall in dependencies
  • install in dependencies
  • postinstall in dependencies
  • install in the main package
  • postinstall in the main package
  • prepublish in the main package
  • prepare in the main package

Configuration

  "allowScripts": {
    "fsevents": "*",        # allow install scripts in all versions
    "node-sass": false,     # ignore install scripts for all versions
    "webpack-cli": "3.x.x"  # allow all minors for v3, ignore everything else
  }

Allowed package list is configurable in package.json by adding an allowScripts property, with an object where the key is a package name and the value is one of:

  • a string with a semver specifier for allowed versions
    • non-matching versions will be ignored
  • true - allow all versions (equivalent to '*' semver specifier)
  • false - ignore all versions

If a package has a lifecycle script, but is neither allowed nor ignored, allow-scripts will exit with an error.