feat: namespace install-script approval commands under npm install-scripts#9629
Merged
owlstronaut merged 5 commits intoJun 24, 2026
Merged
Conversation
owlstronaut
approved these changes
Jun 24, 2026
Contributor
|
This usually means the cherry-pick had conflicts. Please create a manual backport: git fetch origin release/v11
git checkout -b backport/v11/9629 origin/release/v11
git cherry-pick -x 0c4dd414f213971c82fe0d620bbf34d7fae25f0d
# resolve any conflicts, then:
git push origin backport/v11/9629Error details |
Contributor
Author
|
I will try creating a manual backport for this, but my guess is that it will be chaotic 😄 |
Contributor
thanks! I appreciate it. I started to but please do 😄 |
manzoorwanijk
added a commit
to manzoorwanijk/npm-cli
that referenced
this pull request
Jun 24, 2026
…ripts (npm#9629) Add a namespaced `npm install-scripts` command that groups the install-script approval operations, following npm's existing `npm cache <cmd>` / `npm token <cmd>` convention: - `npm install-scripts approve <pkg>... | --all` - `npm install-scripts deny <pkg>... | --all` - `npm install-scripts ls` (list packages with unreviewed install scripts) The shipped `npm approve-scripts` and `npm deny-scripts` commands keep working as aliases for `approve` and `deny`, so this is additive and backwards compatible. The shared `AllowScriptsCmd` base now dispatches through `runMode(mode, args)`; the standalone commands route through it via `static verb`. The `--allow-scripts-pending` flag is only honored by the commands that declare it, so the namespace lists exclusively through `ls`. Closes npm#9545 Follow-up from RFC npm/rfcs#868.
manzoorwanijk
added a commit
to manzoorwanijk/npm-cli
that referenced
this pull request
Jun 24, 2026
…ripts (npm#9629) Add a namespaced `npm install-scripts` command that groups the install-script approval operations, following npm's existing `npm cache <cmd>` / `npm token <cmd>` convention: - `npm install-scripts approve <pkg>... | --all` - `npm install-scripts deny <pkg>... | --all` - `npm install-scripts ls` (list packages with unreviewed install scripts) The shipped `npm approve-scripts` and `npm deny-scripts` commands keep working as aliases for `approve` and `deny`, so this is additive and backwards compatible. The shared `AllowScriptsCmd` base now dispatches through `runMode(mode, args)`; the standalone commands route through it via `static verb`. The `--allow-scripts-pending` flag is only honored by the commands that declare it, so the namespace lists exclusively through `ls`. Closes npm#9545 Follow-up from RFC npm/rfcs#868.
This was referenced Jun 24, 2026
manzoorwanijk
added a commit
to manzoorwanijk/npm-cli
that referenced
this pull request
Jun 24, 2026
…ripts (npm#9629) Add a namespaced `npm install-scripts` command that groups the install-script approval operations, following npm's existing `npm cache <cmd>` / `npm token <cmd>` convention: - `npm install-scripts approve <pkg>... | --all` - `npm install-scripts deny <pkg>... | --all` - `npm install-scripts ls` (list packages with unreviewed install scripts) The shipped `npm approve-scripts` and `npm deny-scripts` commands keep working as aliases for `approve` and `deny`, so this is additive and backwards compatible. The shared `AllowScriptsCmd` base now dispatches through `runMode(mode, args)`; the standalone commands route through it via `static verb`. The `--allow-scripts-pending` flag is only honored by the commands that declare it, so the namespace lists exclusively through `ls`. Closes npm#9545 Follow-up from RFC npm/rfcs#868.
owlstronaut
pushed a commit
that referenced
this pull request
Jun 24, 2026
…ripts (#9635) Backport of #9629 to `release/v11`. Adds the namespaced `npm install-scripts` command (`approve`, `deny`, `ls`), keeping `npm approve-scripts` / `npm deny-scripts` working as aliases, and points the install-time, rebuild, and strict-allow-scripts guidance at the new namespace. ## References Backports #9629
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a namespaced
npm install-scriptscommand that groups the install-script approval operations, following npm's existingnpm cache <cmd>/npm token <cmd>convention:npm install-scripts approve <pkg>... | --allnpm install-scripts deny <pkg>... | --allnpm install-scripts ls(list packages with unreviewed install scripts)The shipped
npm approve-scriptsandnpm deny-scriptscommands keep working as aliases forapproveanddeny, so this is additive and backwards compatible. The sharedAllowScriptsCmdbase now dispatches throughrunMode(mode, args); the standalone commands route through it viastatic verb. The--allow-scripts-pendingflag is only honored by the commands that declare it, so the namespace lists exclusively throughls.References
Closes #9545
Follow-up from RFC npm/rfcs#868.