Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
I run npm 11.17.0
I have added this to package.json:
"allowScripts": {
  "esbuild@0.21.5": true,
  "@sap/hana-client@2.23.27": true,
  "esbuild@0.25.0": true,
  "protobufjs@8.4.2": true,
  "mbt@1.2.27": true,
  "protobufjs@7.6.1": true,
  "sqlite3@5.1.7": true,
  "xsd-schema-validator@0.11.0": true
}
The output of "--allow-scripts-pending" is:
$ npm approve-scripts --allow-scripts-pending
5 packages have install scripts not yet covered by allowScripts:
@sap/hana-client@2.23.27 (install: node checkbuild.js)
esbuild@0.25.0 (postinstall: node install.js)
mbt@1.2.27 (install: node install cloud-mta-build-tool)
sqlite3@5.1.7 (install: node-gyp rebuild)
xsd-schema-validator@0.11.0 (postinstall: node ./lib/post-install.js)
Run `npm approve-scripts <pkg>` to allow, or `npm deny-scripts <pkg>` to deny.
The same output appears for "npm install" or "npm ci".
When I remove the allowScripts section and run npm approve-scripts --all, only three packages are added to package.json:
$ npm approve-scripts --all
Approved esbuild:
added esbuild@0.21.5
Approved protobufjs:
added protobufjs@8.4.2
added protobufjs@7.6.1
This is in a workspace root. For the omitted dependencies I can see no clear picture: devDependencies from root, devDependencies from workspaces, prod dependencies from workspaces.
Expected Behavior
npm approve-scripts --allow-scripts-pending should not list already approved dependencies
npm approve-scripts --all should add all listed dependencies to allowScripts in package.json
Environment
- npm: 11.17.0
- Node.js: 22.21.1
- OS Name: Linux
- System Model Name: x86_64 GNU/Linux
- npm config:
; "project" config from /home/wsl/git/redacted/.npmrc
engine-strict = true
min-release-age = 3
; node bin location = /home/wsl/.local/share/fnm/node-versions/v22.21.1/installation/bin/node
; node version = v22.21.1
; npm local prefix = /home/wsl/git/sol24c-main
; npm version = 11.17.0
; cwd = /home/wsl/git/redacted
; HOME = /home/wsl
; Run `npm config ls -l` to show all defaults.