@gkiely/safe-install 0.1.8 → 0.1.11

package/README.md

@@ -23,8 +23,14 @@ behind a reviewed allowlist in `package.json`.
 
 ```txt
 ignore-scripts=true
+allow-git=root
+allow-remote=root
 ```
 
+`allow-git=root` and `allow-remote=root` let your project use direct Git or
+remote tarball dependencies when you intentionally declare them, while blocking
+transitive packages from pulling in those sources.
+
 2. Add script to `package.json`:
 
 ```json
@@ -42,9 +48,9 @@ npm run safe-install -- review-deps
 ```
 
 5. Review the output, then add trusted packages to `package.json`. You can also
-enable `blockExoticSubDeps` to fail installs when transitive dependencies point
-outside the npm registry with `git:`, `file:`, `link:`, or remote tarball URL
-specifiers.
+enable `blockExoticSubDeps` as a lockfile-level backstop for transitive
+dependencies that point outside the npm registry with `git:`, `file:`, `link:`,
+or remote tarball URL specifiers.
 
 ```json
 {

package/dist/index.js

@@ -129,8 +129,12 @@ export function parseCommand(args) {
         args[0] === "review-deps") {
         return { kind: "review-deps" };
     }
-    if (args[0] === "--" && args[1] === "update") {
-        return { kind: "update", args: args.slice(2) };
+    if ((args[0] === "--" && args[1] === "update") ||
+        args[0] === "update") {
+        return {
+            kind: "update",
+            args: args[0] === "--" ? args.slice(2) : args.slice(1),
+        };
     }
     return { kind: "install", args: args.filter((arg) => arg !== "--") };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gkiely/safe-install",
-  "version": "0.1.8",
+  "version": "0.1.11",
   "description": "Run npm installs with lifecycle scripts disabled, then rebuild explicitly trusted dependencies.",
   "author": "Grant Kiely <grant@youneedawiki.com>",
   "license": "MIT",
@@ -53,5 +53,8 @@
   "devDependencies": {
     "@types/node": "^25.7.0",
     "typescript": "latest"
+  },
+  "volta": {
+    "node": "24.14.0"
   }
 }