npm - @gkiely/safe-install - Versions diffs - 0.1.9 → 0.1.11 - Mend

@gkiely/safe-install 0.1.9 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +9 -3
package/package.json +4 -1

package/README.md CHANGED Viewed

@@ -23,8 +23,14 @@ behind a reviewed allowlist in `package.json`.
 ```txt
 ignore-scripts=true
+allow-git=root
+allow-remote=root
 ```
+`allow-git=root` and `allow-remote=root` let your project use direct Git or
+remote tarball dependencies when you intentionally declare them, while blocking
+transitive packages from pulling in those sources.
 2. Add script to `package.json`:
 ```json
@@ -42,9 +48,9 @@ npm run safe-install -- review-deps
 ```
 5. Review the output, then add trusted packages to `package.json`. You can also
-enable `blockExoticSubDeps` to fail installs when transitive dependencies point
-outside the npm registry with `git:`, `file:`, `link:`, or remote tarball URL
-specifiers.
+enable `blockExoticSubDeps` as a lockfile-level backstop for transitive
+dependencies that point outside the npm registry with `git:`, `file:`, `link:`,
+or remote tarball URL specifiers.
 ```json
 {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gkiely/safe-install",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "Run npm installs with lifecycle scripts disabled, then rebuild explicitly trusted dependencies.",
   "author": "Grant Kiely <grant@youneedawiki.com>",
   "license": "MIT",
@@ -53,5 +53,8 @@
   "devDependencies": {
     "@types/node": "^25.7.0",
     "typescript": "latest"
+  },
+  "volta": {
+    "node": "24.14.0"
   }
 }