[pull] latest from npm:latest#176
Merged
## Summary

- Recognize local directory link targets by their incoming link source when matching `allowScripts` policy entries.
- Reuse that source identity when `approve-scripts`/`deny-scripts` derive file dependency policy keys.
- Add coverage for reviewed local `file:` dependency link targets.

Fixes #9488

## Testing

- `node node_modules/tap/bin/run.js --no-coverage workspaces/arborist/test/script-allowed.js workspaces/arborist/test/unreviewed-scripts.js test/lib/utils/allow-scripts-writer.js test/lib/utils/check-allow-scripts.js test/lib/utils/resolve-allow-scripts.js`
- `node node_modules/eslint/bin/eslint.js lib/utils/allow-scripts-writer.js test/lib/utils/allow-scripts-writer.js workspaces/arborist/lib/script-allowed.js workspaces/arborist/test/script-allowed.js workspaces/arborist/test/unreviewed-scripts.js`
- `git diff --check`
- Manual repro: local `file:` dependency with `allowScripts: { "file:../testdep": false }` no longer emits an `allow-scripts` warning; `npm approve-scripts --all` writes `file:../testdep`.

---------

Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
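The lookup the commit above describes, as an added example that is not npm's or Arborist's code: a local `file:` dependency is represented as a link whose target directory node has no spec of its own, so the policy key for the target has to come from the incoming link's spec. The node shapes and the helper names (`buildSampleTree`, `policyKeysFor`, `scriptDecision`, `approvalKeyFor`) are hypothetical, and the `useLinkSource` switch only exists to contrast the pre-fix and post-fix behaviour.

```javascript
// Added example, not npm/arborist code: a model of how an allowScripts policy
// lookup can recognize a local `file:` link target by its incoming link source.
// Node shapes and helper names are hypothetical.

// Constructed policy: `false` denies lifecycle scripts, `true` allows them.
const POLICY = { 'file:../testdep': false }

// Minimal tree. The dependent declares `"testdep": "file:../testdep"`, which
// is modelled as a Link node whose target is the real directory node. The
// target carries no spec of its own; only the edge into the link does.
function buildSampleTree () {
  const root = { name: 'proj', isLink: false, edgesIn: [], linksIn: [] }
  const target = { name: 'testdep', isLink: false, edgesIn: [], linksIn: [] }
  const link = { name: 'testdep', isLink: true, target, edgesIn: [], linksIn: [] }
  link.edgesIn.push({ from: root, spec: 'file:../testdep' })
  target.linksIn.push(link)
  return { root, link, target }
}

// Policy keys a node can match. `useLinkSource` toggles the behaviour the
// commit fixes: when false, a link target is identified only by its own
// incoming edges (there are none), so no policy entry can ever match it.
function policyKeysFor (node, useLinkSource = true) {
  // registry-style key (hypothetical format) from the node's own edges
  const keys = node.edgesIn.map(edge => `${node.name}@${edge.spec}`)
  if (useLinkSource) {
    for (const link of node.linksIn) {
      for (const edge of link.edgesIn) keys.push(edge.spec) // e.g. 'file:../testdep'
    }
  }
  return keys
}

// 'allow' / 'deny' when a policy entry matches; 'unreviewed' otherwise, which
// is the case that produces the allow-scripts warning.
function scriptDecision (node, policy, useLinkSource = true) {
  if (node.isLink) return 'skip' // Link nodes never run scripts; their targets do
  for (const key of policyKeysFor(node, useLinkSource)) {
    if (Object.prototype.hasOwnProperty.call(policy, key)) {
      return policy[key] ? 'allow' : 'deny'
    }
  }
  return 'unreviewed'
}

// The key an approve-scripts style command would write for a reviewed target.
function approvalKeyFor (node) {
  const keys = policyKeysFor(node, true)
  return keys.length > 0 ? keys[0] : null
}

const { target } = buildSampleTree()
console.log(scriptDecision(target, POLICY, false)) // unreviewed: warning emitted
console.log(scriptDecision(target, POLICY, true))  // deny: policy entry matched
console.log(approvalKeyFor(target))                // file:../testdep
```

The point of the `useLinkSource=false` branch is that a missing policy match is not an error but a silent fall-through to "unreviewed", so the symptom is a spurious warning rather than a crash.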
npm run passes script-shell to @npmcli/run-script, but the three runScript() calls in publish.js for prepublishOnly, publish, and postpublish never did. On Windows, where users set script-shell to bash in .npmrc, those lifecycle hooks still ran under cmd.exe while explicit npm run calls used the configured shell. Reads script-shell from config in #publish() and passes it to all three calls, matching the existing pattern in run.js. Adds script-shell to static params so it appears in npm help publish. Fixes #9477
…d strategy (#9495)

In continuation of our exploration of using `install-strategy=linked` in the [Gutenberg monorepo](WordPress/gutenberg#75814), which powers the WordPress Block Editor.

Under `install-strategy=linked`, a fresh install fails with `EALLOWREMOTE` on ordinary registry dependencies whose lockfile `resolved` is a full registry tarball URL, even though `allow-remote=none` is meant to permit registry-mediated tarballs. The standard (hoisted) reifier installs the same dependency fine; only the linked strategy rejects it.

```
npm error code EALLOWREMOTE
npm error Fetching packages of type "remote" have been disabled
npm error Refusing to fetch "minimatch@https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz"
```

## Why

Both strategies extract through the same `pacote.extract` in `reify.js`, which exempts registry tarballs from the allow-remote gate via `#isRegistryResolvedTarball`. That check first requires `node.isRegistryDependency`. In the linked strategy, store nodes are `IsolatedNode` instances — a standalone class that emulates `lib/node.js` but has no `isRegistryDependency` getter and no edges to recompute it from. So `node.isRegistryDependency` was `undefined`, the exemption short-circuited to `false`, the `allowRemote: 'all'` override was never applied, and pacote rejected the same-origin registry tarball.

This is the second half of the allow-remote registry-tarball handling: the URL-matching half was hardened previously (origin + registry-path-prefix); this fixes the `isRegistryDependency` half for the linked path. The origin/path security check still runs unchanged on the linked path — a tampered lockfile pointing at a foreign host is still blocked.

## How

Carry the registry-dependency flag from the source tree node onto the store node, rather than weakening the guard:

1. `IsolatedNode` gains an `isRegistryDependency` field (default `false`), settable from constructor options.
2. `#externalProxy` copies `node.isRegistryDependency` from the real tree node onto the proxy.
3. `#generateChild` passes it through to the store `IsolatedNode`.

This preserves exact parity with the hoisted reifier: registry deps are exempt, user-pinned off-registry URLs are not. It also makes the linked strategy's `isScriptAllowed` matching more accurate — store nodes now carry the trustworthy edge-based flag instead of falling back to guessing registry-ness from the resolved URL.

## References

Fixes #9494
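The two halves of the allow-remote exemption described above, as an added example that is not npm's, Arborist's or pacote's code: the tree-derived `isRegistryDependency` flag and the origin-plus-path-prefix URL check, with a store node that either received the flag or did not. `isRegistryResolvedTarball`, `allowRemoteFor` and `toStoreNode` are hypothetical names, the sample lockfile entry is constructed (it reuses the tarball URL from the error output above), and the `carryFlag` switch exists only to reproduce the bug beside the fix.

```javascript
// Added example, not npm/arborist/pacote code: models the allow-remote
// exemption for registry tarballs. Function names are hypothetical; only the
// logic follows the description in the commit message.

// Exempt a tarball only when (a) the tree marks the node as a registry
// dependency and (b) the resolved URL sits at the configured registry's origin
// and under its path prefix. A store node that never received the flag yields
// `undefined`, which must read as "not exempt" rather than as a match.
function isRegistryResolvedTarball (node, registryUrl) {
  if (node.isRegistryDependency !== true) return false
  if (typeof node.resolved !== 'string') return false
  let resolved, registry
  try {
    resolved = new URL(node.resolved)
    registry = new URL(registryUrl)
  } catch {
    return false
  }
  if (resolved.origin !== registry.origin) return false // foreign host: blocked
  const prefix = registry.pathname.endsWith('/')
    ? registry.pathname
    : registry.pathname + '/'
  return resolved.pathname.startsWith(prefix) // same host, outside prefix: blocked
}

// Effective allow-remote setting for one extraction: an exempt registry
// tarball gets 'all'; everything else keeps the user's configured policy.
function allowRemoteFor (node, registryUrl, configured = 'none') {
  return isRegistryResolvedTarball(node, registryUrl) ? 'all' : configured
}

// The fix: copy the flag from the real tree node onto the store node instead
// of relaxing the guard. With carryFlag=false the flag is simply absent, which
// is the EALLOWREMOTE failure the commit describes.
function toStoreNode (treeNode, carryFlag = true) {
  const store = { name: treeNode.name, resolved: treeNode.resolved }
  if (carryFlag) store.isRegistryDependency = treeNode.isRegistryDependency
  return store
}

// Constructed sample: a lockfile entry whose `resolved` is a full registry URL.
const REGISTRY = 'https://registry.npmjs.org/'
const TREE_NODE = {
  name: 'minimatch',
  resolved: 'https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz',
  isRegistryDependency: true,
}
// Constructed tampered entry: same package, resolved to a different host.
const TAMPERED_NODE = {
  ...TREE_NODE,
  resolved: 'https://mirror.example/minimatch/-/minimatch-3.1.5.tgz',
}

console.log(allowRemoteFor(toStoreNode(TREE_NODE, false), REGISTRY)) // none: the bug
console.log(allowRemoteFor(toStoreNode(TREE_NODE), REGISTRY))        // all: fixed
console.log(allowRemoteFor(toStoreNode(TAMPERED_NODE), REGISTRY))    // none: still blocked
```

The strict `=== true` comparison is deliberate: it is the same short-circuit the commit describes, and it is what keeps an unflagged store node on the safe side of the gate while the fix is to supply the flag, not to loosen the comparison.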
#9401)

Currently, the `npm outdated` documentation says the `wanted` field for global `npm outdated` is always the same as the `current` field, but at runtime `npm outdated` prints `wanted` as the latest version. Considering `npm update`'s behavior, this should be a documentation issue. This PR fixes it by saying `the latest version` instead of `currently-installed version`.

## References

Close #3612
Created by pull[bot] (v2.0.0-alpha.4)