Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/dominykas/allow-scripts

Execute allowed `npm install` lifecycle scripts
https://github.com/dominykas/allow-scripts

Last synced: 1 day ago
JSON representation

Execute allowed `npm install` lifecycle scripts

Host: GitHub
URL: https://github.com/dominykas/allow-scripts
Owner: dominykas
Created: 2019-01-24T21:09:45.000Z (almost 6 years ago)
Default Branch: master
Last Pushed: 2023-10-20T16:43:26.000Z (about 1 year ago)
Last Synced: 2024-05-14T00:34:56.083Z (6 months ago)
Language: JavaScript
Homepage:
Size: 139 KB
Stars: 12
Watchers: 3
Forks: 3
Open Issues: 7
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-nodejs-security - allowed-scripts

README

        # allow-scripts

Execute allowed `npm install` lifecycle scripts. 

## tl;dr

- Whitelist packages that you trust in your `package.json`: `"allowScripts": { "packageName": "1.x.x - 2.x.x" }`

- Run `npm install --ignore-scripts` or `yarn install --ignore-scripts`

- Run `npx allow-scripts`

Only the explicitly allowed `[pre|post]install` scripts will be executed.

## Usage

```

$ npx allow-scripts [--dry-run]

```

Running the command will scan the list of installed dependencies (using an existing `package-lock.json` or `npm-shrinkwrap.json` or by creating one on the fly). It will then execute the scripts for allowed dependencies that have them in the following order:

- `preinstall` in the main package

- `preinstall` in dependencies

- `install` in dependencies

- `postinstall` in dependencies

- `install` in the main package

- `postinstall` in the main package

- `prepublish` in the main package

- `prepare` in the main package

### Configuration

```

  "allowScripts": {

    "fsevents": "*",        # allow install scripts in all versions

    "node-sass": false,     # ignore install scripts for all versions

    "webpack-cli": "3.x.x"  # allow all minors for v3, ignore everything else

  }

```

Allowed package list is configurable in `package.json` by adding an `allowScripts` property, with an object where the key is a package name and the value is one of:

* a string with a semver specifier for allowed versions

  - non-matching versions will be ignored

* `true` - allow all versions (equivalent to `'*'` semver specifier)

* `false` - ignore all versions

If a package has a lifecycle script, but is neither allowed nor ignored, `allow-scripts` will exit with an error.