Home

Awesome

allow-scripts

Execute allowed npm install lifecycle scripts.

tl;dr

Only the explicitly allowed [pre|post]install scripts will be executed.

Usage

$ npx allow-scripts [--dry-run]

Running the command will scan the list of installed dependencies (using an existing package-lock.json or npm-shrinkwrap.json or by creating one on the fly). It will then execute the scripts for allowed dependencies that have them in the following order:

Configuration

  "allowScripts": {
    "fsevents": "*",        # allow install scripts in all versions
    "node-sass": false,     # ignore install scripts for all versions
    "webpack-cli": "3.x.x"  # allow all minors for v3, ignore everything else
  }

Allowed package list is configurable in package.json by adding an allowScripts property, with an object where the key is a package name and the value is one of:

If a package has a lifecycle script, but is neither allowed nor ignored, allow-scripts will exit with an error.