@gkiely/safe-install 0.1.4 → 0.1.6
- package/README.md +17 -1
- package/dist/index.d.ts +9 -0
- package/dist/index.js +15 -10
- package/package.json +2 -1
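--- a/package/README.md
+++ b/package/README.md
@@ -30,7 +30,7 @@ ignore-scripts=true
 ```json
 {
 "scripts": {
-"safe-install": "npx -y @gkiely/safe-install
+"safe-install": "npx -y @gkiely/safe-install"
 }
 }
 ```
@@ -62,6 +62,12 @@ specifiers.
 npm run safe-install
 ```
 
+You can pass npm install args through:
+
+```sh
+npm run safe-install left-pad@latest
+```
+
 ## What `safe-install` does
 
 `safe-install` runs npm install with scripts blocked, then runs install scripts only for packages listed in
@@ -81,6 +87,16 @@ npm rebuild --ignore-scripts=false esbuild sharp
 
 ## Notes
 
+Supports npm install flags:
+
+```json
+{
+"scripts": {
+"safe-install": "npx -y @gkiely/safe-install --no-audit --no-fund"
+}
+}
+```
+
 Only add a package to `trustedDependencies` after reviewing why it needs an
 install script. This does not make dependency scripts safe; it makes the trust
 decision explicit and version-controlled.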
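--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -13,6 +13,14 @@ type LockPackage = {
 type PackageLock = {
 packages?: Record<string, LockPackage>;
 };
+type ParsedCommand = {
+kind: "install";
+args: string[];
+} | {
+kind: "review-deps";
+} | {
+kind: "help";
+};
 export declare function getTrustedDependencies(pkg: PackageJson): string[];
 export declare function findInstallScriptDependencies(packageLock: PackageLock, trustedDependencies?: readonly string[]): string[];
 type SafeInstallConfig = {
@@ -21,6 +29,7 @@ type SafeInstallConfig = {
 export declare function getSafeInstallConfig(pkg: PackageJson): SafeInstallConfig;
 export declare function assertNoBlockedExoticSubdeps(config: SafeInstallConfig, packageLock: PackageLock): void;
 export declare function getInstallArgs(args?: readonly string[]): string[];
+export declare function parseCommand(args: readonly string[]): ParsedCommand;
 export declare function reviewDepsCommand(): void;
 export declare function installCommand(args?: readonly string[]): void;
 export declare function main(args?: string[]): void;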
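--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -118,13 +118,22 @@ function run(command, args) {
 export function getInstallArgs(args = []) {
 return ["install", "--ignore-scripts", ...args];
 }
+export function parseCommand(args) {
+if (args.includes("--help") || args.includes("-h")) {
+return { kind: "help" };
+}
+if (args[0] === "--" && args[1] === "review-deps") {
+return { kind: "review-deps" };
+}
+return { kind: "install", args: args.filter((arg) => arg !== "--") };
+}
 function printHelp() {
 console.log(`safe-install
 
 Usage:
-safe-install [npm install
+safe-install [npm install args]
 Run npm install with scripts disabled, then rebuild trusted dependencies
-safe-install review-deps
+safe-install -- review-deps
 List dependencies that declare install-time scripts
 `);
 }
@@ -154,20 +163,16 @@ export function installCommand(args = []) {
 }
 }
 export function main(args = process.argv.slice(2)) {
-
+const command = parseCommand(args);
+if (command.kind === "help") {
 printHelp();
 return;
 }
-
-if (command === undefined) {
-installCommand(args.filter((arg) => arg !== "--"));
-return;
-}
-if (command === "review-deps") {
+if (command.kind === "review-deps") {
 reviewDepsCommand();
 return;
 }
-
+installCommand(command.args);
 }
 if (process.argv[1] && realpathSync(fileURLToPath(import.meta.url)) === realpathSync(process.argv[1])) {
 try {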
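Review bot: `parseCommand` only recognises the `review-deps` subcommand when it is preceded by a literal `--` (`args[0] === "--" && args[1] === "review-deps"`), so a direct invocation such as `node dist/index.js review-deps` falls through to the install branch and `review-deps` is forwarded as an install argument, presumably reaching `npm install` as a package spec via `getInstallArgs`. Since the install branch already strips every `--`, the same filtered list can drive the check: `const positional = args.filter((arg) => arg !== "--");` then `if (positional[0] === "review-deps") return { kind: "review-deps" };` and `return { kind: "install", args: positional };`. Separately, the pass-through lets a caller append an install flag that counters the hard-coded `--ignore-scripts` produced by `getInstallArgs` (for example `--ignore-scripts=false`); whether npm honours the later flag is not visible here, but a one-line rejection of such an argument in `parseCommand` would keep the tool's stated guarantee explicit rather than depending on npm's flag precedence. The `if (process.argv[1] …)` block at the end of the section continues past the hunk.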
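--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@gkiely/safe-install",
-"version": "0.1.
+"version": "0.1.6",
 "description": "Run npm installs with lifecycle scripts disabled, then rebuild explicitly trusted dependencies.",
 "author": "Grant Kiely <grant@youneedawiki.com>",
 "license": "MIT",
@@ -45,6 +45,7 @@
 "build": "tsc -p tsconfig.build.json",
 "prepack": "npm run build",
 "prepublishOnly": "npm run typecheck && npm test",
+"release": "npm run typecheck && npm test && npm version patch && npm publish --access public && git push --follow-tags",
 "safe-install": "node dist/index.js",
 "test": "node --test",
 "typecheck": "tsc --noEmit"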
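Review bot: The new `release` script runs `npm run typecheck && npm test` and then `npm publish`, whose `prepublishOnly` hook (line 47 of this file) runs the same two commands a second time. If the duplication is deliberate, so that the checks fail before `npm version patch` creates a version commit and tag, that intent is worth a note next to the script since nothing in the file conveys it; otherwise the script can shrink to `"release": "npm version patch && npm publish --access public && git push --follow-tags"`. Either way, a `npm publish` failure after `npm version patch` presumably leaves the local version commit and tag unpushed, which the one-liner gives no way to recover from.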