@gkiely/safe-install 0.1.3 → 0.1.5
- package/README.md +12 -2
- package/dist/index.js +6 -10
- package/package.json +2 -1
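--- a/package/README.md
+++ b/package/README.md
@@ -38,7 +38,7 @@ ignore-scripts=true
 4. Find dependencies that declare install-time scripts:
 
 ```sh
-npm run safe-install
+npm run safe-install review-deps
 ```
 
 5. Review the output, then add trusted packages to `package.json`. You can also
@@ -59,7 +59,7 @@ specifiers.
 6. Use `safe-install` for future installs:
 
 ```sh
-npm run safe-install
+npm run safe-install
 ```
 
 ## What `safe-install` does
@@ -81,6 +81,16 @@ npm rebuild --ignore-scripts=false esbuild sharp
 
 ## Notes
 
+Supports npm install flags:
+
+```json
+{
+"scripts": {
+"safe-install": "npx -y @gkiely/safe-install --no-audit --no-fund"
+}
+}
+```
+
 Only add a package to `trustedDependencies` after reviewing why it needs an
 install script. This does not make dependency scripts safe; it makes the trust
 decision explicit and version-controlled.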
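--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -154,23 +154,19 @@ export function installCommand(args = []) {
 }
 }
 export function main(args = process.argv.slice(2)) {
-
+if (args.includes("--help") || args.includes("-h")) {
+printHelp();
+return;
+}
+const command = args.find((arg) => arg !== "--" && !arg.startsWith("-"));
 if (command === undefined) {
-installCommand();
+installCommand(args.filter((arg) => arg !== "--"));
 return;
 }
 if (command === "review-deps") {
 reviewDepsCommand();
 return;
 }
-if (command === "--help" || command === "-h") {
-printHelp();
-return;
-}
-if (command.startsWith("-")) {
-installCommand(args);
-return;
-}
 throw new Error(`Unknown command: ${command}`);
 }
 if (process.argv[1] && realpathSync(fileURLToPath(import.meta.url)) === realpathSync(process.argv[1])) {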
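Review bot: The flags that main now forwards through `installCommand(args.filter((arg) => arg !== "--"))` are not screened, so `--ignore-scripts=false` on the command line reaches the install; if installCommand appends them after its own `--ignore-scripts` (its body is outside the hunk, only its signature is visible in the header) npm's last-value-wins config parsing would silently disable the tool's core guarantee. A guard before the call, `if (args.some((a) => a.startsWith("--ignore-scripts") || a === "--no-ignore-scripts")) throw new Error("ignore-scripts cannot be overridden; edit trustedDependencies instead");`, keeps the trust decision in package.json where the README puts it. Separately, `args.find((arg) => arg !== "--" && !arg.startsWith("-"))` takes the value of a space-separated flag such as `--loglevel verbose` as the command and the function then throws `Unknown command: verbose`, so only the `--flag=value` form passes through; that constraint belongs in printHelp or the README. main is fully contained in the hunk, so the change can be made in place.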
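--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@gkiely/safe-install",
-"version": "0.1.
+"version": "0.1.5",
 "description": "Run npm installs with lifecycle scripts disabled, then rebuild explicitly trusted dependencies.",
 "author": "Grant Kiely <grant@youneedawiki.com>",
 "license": "MIT",
@@ -45,6 +45,7 @@
 "build": "tsc -p tsconfig.build.json",
 "prepack": "npm run build",
 "prepublishOnly": "npm run typecheck && npm test",
+"release": "npm run typecheck && npm test && npm version patch && npm publish --access public && git push --follow-tags",
 "safe-install": "node dist/index.js",
 "test": "node --test",
 "typecheck": "tsc --noEmit"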