From 357e8cdcb8f44326a50cee2539219a91d8bfbbe5 Mon Sep 17 00:00:00 2001
From: Jamie Magee
Date: Tue, 9 Jun 2026 10:12:56 -0700
Subject: [PATCH 1/2] docs: approve-scripts only throws EGLOBAL when run with -g
---
 docs/lib/content/commands/npm-approve-scripts.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/lib/content/commands/npm-approve-scripts.md b/docs/lib/content/commands/npm-approve-scripts.md
index cd2b371b54f35..11a71f23bdc61 100644
--- a/docs/lib/content/commands/npm-approve-scripts.md
+++ b/docs/lib/content/commands/npm-approve-scripts.md
@@ -20,10 +20,10 @@ silently skip lifecycle scripts for any dependency that does not have a matching entry in `allowScripts`, and end with a list of the packages whose scripts were skipped so you can review them with this command.
-This command only works inside a project that has a `package.json`. It does
-not apply to global installs (`npm install -g`) or one-off executions
-(`npm exec` / `npx`), which have no project `package.json` to write to and
-will fail with an `EGLOBAL` error. To allow install scripts in those
+This command only works inside a project that has a `package.json`. Running
+it with `--global` (`-g`) fails with an `EGLOBAL` error, since global
+installs (`npm install -g`) and one-off executions (`npm exec` / `npx`) have
+no project `package.json` to write to. To allow install scripts in those
 contexts, use the `--allow-scripts` flag at install time (for example `npm install -g --allow-scripts=canvas,sharp`) or persist the setting with `npm config set allow-scripts=canvas,sharp --location=user`.
From 9b5c7b0c8ea47823156111d27800aa6e741c7a2c Mon Sep 17 00:00:00 2001
From: Jamie Magee
Date: Tue, 9 Jun 2026 10:21:07 -0700
Subject: [PATCH 2/2] fix(config): strict-allow-scripts default blocks with a warning, not silently
---
 .../config/lib/definitions/definitions.js | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/workspaces/config/lib/definitions/definitions.js b/workspaces/config/lib/definitions/definitions.js
index 25f7682073317..b8ac97779c339 100644
--- a/workspaces/config/lib/definitions/definitions.js
+++ b/workspaces/config/lib/definitions/definitions.js
@@ -2329,16 +2329,16 @@ const definitions = {
 default: false,
 type: Boolean,
 description: `
- If \`true\`, turn the install-script policy from a silent skip into a
- hard error: any dependency with install scripts not covered by
- \`allowScripts\` will fail the install instead of being silently
- skipped.
-
- By default, dependencies whose install scripts are not approved in
- \`allowScripts\` are silently skipped; this setting promotes that
- silent skip into a hard failure, which is the recommended posture
- for CI. \`--ignore-scripts\` and \`--dangerously-allow-all-scripts\`
- both override this setting.
+ If \`true\`, turn the install-script policy from a warning into a hard
+ error: any dependency with install scripts that is not covered by
+ \`allowScripts\` will fail the install instead of being blocked with a
+ warning.
+
+ Dependencies explicitly denied with \`false\` in \`allowScripts\` are
+ always silently skipped; this setting only affects unreviewed entries
+ (packages with install scripts that are neither approved nor denied).
+ \`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both
+ override this setting.
 `,
 flatten,
 }),
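Review bot: The rewritten description drops the statement that a hard failure is the recommended posture for CI, so the new text no longer tells a reader when to enable this setting. If that recommendation still holds, keep it in the second paragraph, for example `This is the recommended posture for CI.` The new wording also says unreviewed packages are "blocked with a warning", while the context lines of the npm-approve-scripts.md hunk in patch 1 still read "silently skip lifecycle scripts for any dependency that does not have a matching entry"; that sentence starts outside the hunk and may describe a different mode, but both pages should describe the default the same way. The definition object that holds this description starts and ends outside the hunk.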