Skip to content

[pull] latest from npm:latest #179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pull merged 2 commits into from
Jun 9, 2026
Merged

[pull] latest from npm:latest #179

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
357e8cd
docs: approve-scripts only throws EGLOBAL when run with -g
JamieMagee Jun 9, 2026
9b5c7b0
fix(config): strict-allow-scripts default blocks with a warning, not …
JamieMagee Jun 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions docs/lib/content/commands/npm-approve-scripts.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ silently skip lifecycle scripts for any dependency that does not have a
matching entry in `allowScripts`, and end with a list of the packages
whose scripts were skipped so you can review them with this command.

This command only works inside a project that has a `package.json`. It does
not apply to global installs (`npm install -g`) or one-off executions
(`npm exec` / `npx`), which have no project `package.json` to write to and
will fail with an `EGLOBAL` error. To allow install scripts in those
This command only works inside a project that has a `package.json`. Running
it with `--global` (`-g`) fails with an `EGLOBAL` error, since global
installs (`npm install -g`) and one-off executions (`npm exec` / `npx`) have
no project `package.json` to write to. To allow install scripts in those
contexts, use the `--allow-scripts` flag at install time (for example
`npm install -g --allow-scripts=canvas,sharp`) or persist the setting with
`npm config set allow-scripts=canvas,sharp --location=user`.
Expand Down
20 changes: 10 additions & 10 deletions workspaces/config/lib/definitions/definitions.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2329,16 +2329,16 @@ const definitions = {
default: false,
type: Boolean,
description: `
If \`true\`, turn the install-script policy from a silent skip into a
hard error: any dependency with install scripts not covered by
\`allowScripts\` will fail the install instead of being silently
skipped.

By default, dependencies whose install scripts are not approved in
\`allowScripts\` are silently skipped; this setting promotes that
silent skip into a hard failure, which is the recommended posture
for CI. \`--ignore-scripts\` and \`--dangerously-allow-all-scripts\`
both override this setting.
If \`true\`, turn the install-script policy from a warning into a hard
error: any dependency with install scripts that is not covered by
\`allowScripts\` will fail the install instead of being blocked with a
warning.

Dependencies explicitly denied with \`false\` in \`allowScripts\` are
always silently skipped; this setting only affects unreviewed entries
(packages with install scripts that are neither approved nor denied).
\`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both
override this setting.
`,
flatten,
}),
Expand Down
Loading