Awesome
allow-scripts
Execute allowed npm install
lifecycle scripts.
tl;dr
- Whitelist packages that you trust in your
package.json
:"allowScripts": { "packageName": "1.x.x - 2.x.x" }
- Run
npm install --ignore-scripts
oryarn install --ignore-scripts
- Run
npx allow-scripts
Only the explicitly allowed [pre|post]install
scripts will be executed.
Usage
$ npx allow-scripts [--dry-run]
Running the command will scan the list of installed dependencies (using an existing package-lock.json
or npm-shrinkwrap.json
or by creating one on the fly). It will then execute the scripts for allowed dependencies that have them in the following order:
preinstall
in the main packagepreinstall
in dependenciesinstall
in dependenciespostinstall
in dependenciesinstall
in the main packagepostinstall
in the main packageprepublish
in the main packageprepare
in the main package
Configuration
"allowScripts": {
"fsevents": "*", # allow install scripts in all versions
"node-sass": false, # ignore install scripts for all versions
"webpack-cli": "3.x.x" # allow all minors for v3, ignore everything else
}
Allowed package list is configurable in package.json
by adding an allowScripts
property, with an object where the key is a package name and the value is one of:
- a string with a semver specifier for allowed versions
- non-matching versions will be ignored
true
- allow all versions (equivalent to'*'
semver specifier)false
- ignore all versions
If a package has a lifecycle script, but is neither allowed nor ignored, allow-scripts
will exit with an error.