---
title: npm-deny-scripts
section: 1
description: Deny install scripts for specific dependencies
---

### Synopsis

```bash
npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all
```

Note: This command is unaware of workspaces.

### Description

The companion command to [`npm approve-scripts`](/commands/npm-approve-scripts). Writes `false` entries into the `allowScripts` field of your project's `package.json`, recording that a dependency must not run install scripts even if a future version would otherwise be eligible.

In the current release, install scripts still run by default, so `deny-scripts` only affects how installs of denied packages are reported. A future release will block unreviewed install scripts and respect deny entries at install time.

```bash
npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all
```

`<pkg>` matches every installed version of that package. Denies are always written name-only (`"pkg": false`), regardless of `--allow-scripts-pin`. Pinning a deny to a specific version would silently re-allow scripts for any other version of the same package, which defeats the purpose; the command picks the safer default for you.

`--all` denies every package with unreviewed install scripts.

If a `true` (pinned or name-only) entry exists for a package and you then deny it, the existing allow entries are removed so the name-only deny is unambiguous.

### Examples

```bash
# Deny a specific package outright
npm deny-scripts telemetry-pkg

# Deny everything that has install scripts and isn't already approved
npm deny-scripts --all
```

### Configuration

#### `all`

* Default: false
* Type: Boolean

When running `npm outdated` and `npm ls`, setting `--all` will show all outdated or installed packages, rather than only those directly depended upon by the current project.

#### `allow-scripts-pending`

* Default: false
* Type: Boolean

List packages with install scripts that are not yet covered by the `allowScripts` policy, without modifying `package.json`. Only meaningful for `npm approve-scripts`.

#### `allow-scripts-pin`

* Default: true
* Type: Boolean

Write pinned (`pkg@version`) entries when approving install scripts. Set to `false` to write name-only entries that allow any version. Has no effect on `npm deny-scripts`, which always writes name-only entries regardless of this setting.

#### `json`

* Default: false
* Type: Boolean

Whether or not to output JSON data, rather than the normal output.

* In `npm pkg set` it enables parsing set values with JSON.parse() before saving them to your `package.json`.

Not supported by all npm commands.

### See Also

* [npm approve-scripts](/commands/npm-approve-scripts)
* [npm install](/commands/npm-install)
* [package.json](/configuring-npm/package-json)
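
The `allowScripts` rewrite described under Description, modelled on an in-memory object together with a small review check for hand-edited policies. This is an added example, not npm's own code; `parseKey`, `denyScripts`, `lintPolicy`, the sample package names other than `telemetry-pkg`, and the handling of scoped names are assumptions made for illustration.

```javascript
// Added illustration, not npm's implementation: models the documented
// deny behaviour on an in-memory `allowScripts` object.

// Split a key into name and version. Pinned keys are `name@version`;
// a leading "@" is treated as part of a scoped name (assumption).
function parseKey(key) {
  const at = key.lastIndexOf('@');
  return at > 0
    ? { name: key.slice(0, at), version: key.slice(at + 1) }
    : { name: key, version: null };
}

// Deny each name: drop its allow entries (pinned or name-only), then
// write a name-only `false`. Returns a new object; input is untouched.
function denyScripts(allowScripts, names) {
  const denied = new Set(names);
  const next = {};
  for (const [key, value] of Object.entries(allowScripts)) {
    const isAllowForDenied = value === true && denied.has(parseKey(key).name);
    if (!isAllowForDenied) next[key] = value;
  }
  for (const name of denied) next[name] = false;
  return next;
}

// Review helper for hand-edited policies: flags pinned denies and allow
// entries that coexist with a deny for the same package name.
function lintPolicy(allowScripts) {
  const entries = Object.entries(allowScripts)
    .map(([key, value]) => ({ key, value, ...parseKey(key) }));
  const findings = [];
  for (const e of entries) {
    if (e.value === false && e.version !== null) {
      findings.push(`${e.key}: pinned deny does not cover other versions of ${e.name}`);
    }
    const hasDeny = entries.some((o) => o.name === e.name && o.value === false);
    if (e.value === true && hasDeny) {
      findings.push(`${e.key}: allow entry sits next to a deny for ${e.name}`);
    }
  }
  return findings;
}

// Constructed sample policy; package names are made up.
const sample = {
  'telemetry-pkg@1.2.3': true,
  '@example/native-addon': true,
  'left-over@2.0.0': false,
};
console.log(denyScripts(sample, ['telemetry-pkg']), lintPolicy(sample));
```
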