@gkiely/safe-install 0.1.2 → 0.1.4

package/README.md

@@ -25,18 +25,12 @@ behind a reviewed allowlist in `package.json`.
 ignore-scripts=true
 ```
 
-2. Install `safe-install` without running dependency scripts:
-
-```sh
-npm i --ignore-scripts -D safe-install
-```
-
-3. Add scripts to `package.json`:
+2. Add script to `package.json`:
 
 ```json
 {
   "scripts": {
-    "safe-install": "safe-install"
+    "safe-install": "npx -y @gkiely/safe-install -- --no-audit --no-fund"
   }
 }
 ```
@@ -81,7 +75,7 @@ remote tarball URL specifier.
 Equivalent manual flow:
 
 ```sh
-npm install --ignore-scripts
+npm install --ignore-scripts --no-audit --no-fund
 npm rebuild --ignore-scripts=false esbuild sharp
 ```
 

package/dist/index.d.ts

@@ -20,7 +20,8 @@ type SafeInstallConfig = {
 };
 export declare function getSafeInstallConfig(pkg: PackageJson): SafeInstallConfig;
 export declare function assertNoBlockedExoticSubdeps(config: SafeInstallConfig, packageLock: PackageLock): void;
+export declare function getInstallArgs(args?: readonly string[]): string[];
 export declare function reviewDepsCommand(): void;
-export declare function installCommand(): void;
+export declare function installCommand(args?: readonly string[]): void;
 export declare function main(args?: string[]): void;
 export {};

package/dist/index.js

@@ -115,11 +115,15 @@ function run(command, args) {
         process.exit(result.status ?? 1);
     }
 }
+export function getInstallArgs(args = []) {
+    return ["install", "--ignore-scripts", ...args];
+}
 function printHelp() {
     console.log(`safe-install
 
 Usage:
-  safe-install          Run npm install with scripts disabled, then rebuild trusted dependencies
+  safe-install [npm install flags]
+                        Run npm install with scripts disabled, then rebuild trusted dependencies
   safe-install review-deps
                         List dependencies that declare install-time scripts
 `);
@@ -137,11 +141,11 @@ export function reviewDepsCommand() {
     console.log("");
     console.log("Review these packages before adding them to trustedDependencies.");
 }
-export function installCommand() {
+export function installCommand(args = []) {
     const pkg = readPackageJson();
     const config = getSafeInstallConfig(pkg);
     const trustedDependencies = getTrustedDependencies(pkg);
-    run("npm", ["install", "--ignore-scripts"]);
+    run("npm", getInstallArgs(args));
     if (existsSync("package-lock.json")) {
         assertNoBlockedExoticSubdeps(config, readPackageLock());
     }
@@ -150,19 +154,19 @@ export function installCommand() {
     }
 }
 export function main(args = process.argv.slice(2)) {
-    const [command] = args;
+    if (args.includes("--help") || args.includes("-h")) {
+        printHelp();
+        return;
+    }
+    const command = args.find((arg) => arg !== "--" && !arg.startsWith("-"));
     if (command === undefined) {
-        installCommand();
+        installCommand(args.filter((arg) => arg !== "--"));
         return;
     }
     if (command === "review-deps") {
         reviewDepsCommand();
         return;
     }
-    if (command === "--help" || command === "-h") {
-        printHelp();
-        return;
-    }
     throw new Error(`Unknown command: ${command}`);
 }
 if (process.argv[1] && realpathSync(fileURLToPath(import.meta.url)) === realpathSync(process.argv[1])) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gkiely/safe-install",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Run npm installs with lifecycle scripts disabled, then rebuild explicitly trusted dependencies.",
   "author": "Grant Kiely <grant@youneedawiki.com>",
   "license": "MIT",