Skip to content

[pull] latest from npm:latest#173

Merged
pull[bot] merged 5 commits into
DavidLacombe46:latestfrom
npm:latest
Jun 3, 2026
Merged

[pull] latest from npm:latest#173
pull[bot] merged 5 commits into
DavidLacombe46:latestfrom
npm:latest

Conversation

@pull

@pull pull Bot commented Jun 3, 2026
edited
Loading

Copy link
Copy Markdown

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

JamieMagee and others added 5 commits June 3, 2026 13:20
@JamieMagee
fix: suggest --allow-scripts for global installs in unreviewed-script…
6603b2c 
…s warnings (#9469)
@JamieMagee
fix: list pending scripts in approve-scripts when ignore-scripts is s…
6be874b 
…et (#9479)

`approve-scripts --allow-scripts-pending` returned nothing when
`ignore-scripts` was set, because the walker bailed out early. It now
lists pending packages. This only lists; scripts still don't run under
`ignore-scripts`.

## References

#9450
@JamieMagee
feat: allowScripts tooling and inBundle hardening (#9480)
64e3f79 
Pulls the non-behavioral pieces out of #9424 so they can land on v11:
the `collectUnreviewedScripts`/`strictAllowScriptsError` helpers, the
`inBundle` fixes, and an opt-in libnpmexec preflight. Nothing changes by
default here, install scripts still run. The default-deny flip stays in
#9424 for v12.


## References

#9424
@JamieMagee @owlstronaut
feat: default-deny install scripts (allowScripts opt-in) [v12]
5cd5150 
Phase 2 of the RFC #868 install-script policy: flip the default so
unreviewed lifecycle scripts are blocked unless covered by allowScripts.

Stacked on the behavior-neutral tooling PR; this commit carries ONLY the
v12-only default flip:

- arborist: gate preinstall/install/postinstall/prepare in rebuild on
  the allowScripts policy (default-deny)
- user-facing "blocked because not covered by allowScripts" wording in
  rebuild/reify-output/allow-scripts-cmd
- config definition docs + approve/deny command docs + snapshots
- flip tests
@manzoorwanijk @owlstronaut
fix(arborist): clean up orphaned scoped store entries in linked strategy
275bc69
@pull pull Bot locked and limited conversation to collaborators Jun 3, 2026
@pull pull Bot added the ⤵️ pull label Jun 3, 2026
@pull pull Bot merged commit 275bc69 into DavidLacombe46:latest Jun 3, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JamieMagee @manzoorwanijk