[BUG] "npm ci" with "strict-allow-scripts" rejects package that "approve-scripts" cannot see #9562

@SilverPreeceSOF

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

I am trying to lock down my projects/CI pipelines so that install scripts only run when they are in allowScripts and all others are blocked. npm highlighted three dependencies that needed whitelisting:

$ npm approve-scripts --allow-scripts-pending
3 packages have install scripts not yet covered by allowScripts:
  @swc/core@1.3.100 (postinstall: node postinstall.js)
  protobufjs@7.5.4 (postinstall: node scripts/postinstall)
  sharp@0.34.5 (install: node install/check.js || npm run build)

These were whitelisted and appear in my package.json file as expected. However, after clearing node_modules, setting strict-allow-scripts globally and attempting an npm ci run to test, I got this error:

$ npm ci
npm error code ESTRICTALLOWSCRIPTS
npm error --strict-allow-scripts: 1 package(s) have install scripts not covered by allowScripts:
npm error   fsevents@2.3.3 (install: (install scripts present))
npm error Approve them with `npm approve-scripts`, deny them with `npm deny-scripts`, or bypass this check with `--dangerously-allow-all-scripts`.

The fsevents package does not appear in the review list, with or without strict-allow-scripts switched on, but it clearly shows as having a script in my package-lock.json file:

"node_modules/fsevents": {
  "version": "2.3.3",
  "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
  "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
  "dev": true,
  "hasInstallScript": true,
  "optional": true,
  "os": [
    "darwin"
  ],
  "engines": {
    "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
  }
}

I have a feeling this has to do with this being an optional dependency. One command tells me it does not need to be whitelisted, another command tells me I cannot install dependencies unless it is whitelisted. This may not necessarily be a bug but it's certainly unclear messaging.

Expected Behavior

The npm approve-scripts --allow-scripts-pending command should list all packages that npm ci --strict-allow-scripts will reject when not allowed.

Steps To Reproduce

  1. Initialise an empty Next.js project (should give the dependencies required for the test).
  2. Run npm approve-scripts --allow-scripts-pending in the project folder and observe the three packages reported as having scripts.
  3. Add @swc/core, protobufjs and sharp to allowScripts using npm approve-scripts.
  4. Turn on strict-allow-scripts globally: npm config set --global strict-allow-scripts true.
  5. Delete the node_modules folder.
  6. Run npm ci in the project folder.
  7. See error described above.

Environment

Kubuntu 26.04, amd64

; "global" config from /home/silver/.nvm/versions/node/v24.16.0/etc/npmrc

min-release-age = 1
save-exact = true
save-prefix = ""
strict-allow-scripts = false

; "user" config from /home/silver/.npmrc

; node bin location = /home/silver/.nvm/versions/node/v24.16.0/bin/node
; node version = v24.16.0
; npm local prefix =
; npm version = 11.17.0
; cwd =
; HOME = /home/silver
; Run npm config ls -l to show all defaults.
