@npmcli/arborist 9.6.0 → 9.8.0

package/lib/arborist/build-ideal-tree.js

@@ -24,6 +24,7 @@ const PlaceDep = require('../place-dep.js')
 const debug = require('../debug.js')
 const fromPath = require('../from-path.js')
 const calcDepFlags = require('../calc-dep-flags.js')
+const { isReleaseAgeExcluded, trustedSpecName } = require('../release-age-exclude.js')
 const Shrinkwrap = require('../shrinkwrap.js')
 const { defaultLockfileVersion } = Shrinkwrap
 const Node = require('../node.js')
@@ -533,7 +534,11 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       // look up the names of file/directory/git specs
       if (!spec.name || isTag) {
         const _isRoot = tree.isProjectRoot || tree.isWorkspace
-        const mani = await pacote.manifest(spec, { ...this.options, _isRoot })
+        const mani = await pacote.manifest(spec, {
+          ...this.options,
+          _isRoot,
+          before: this.#releaseAgeBefore(spec),
+        })
         if (isTag) {
           // translate tag to a version
           spec = npa(`${mani.name}@${mani.version}`)
@@ -777,6 +782,7 @@ This is a one-time fix-up, please be patient...
             resolved: resolved,
             integrity: integrity,
             fullMetadata: false,
+            before: this.#releaseAgeBefore(spec),
           })
           node.package = { ...mani, _id: `${mani.name}@${mani.version}` }
         } catch (er) {
@@ -875,7 +881,7 @@ This is a one-time fix-up, please be patient...
 
         if (hasShrinkwrap) {
           await new Arborist({ ...this.options, path })
-            .loadVirtual({ root: node })
+            .loadVirtual({ root: node, subtreeOnly: true })
         }
 
         if (hasBundle) {
@@ -1279,6 +1285,19 @@ This is a one-time fix-up, please be patient...
     return problems
   }
 
+  // The effective `before` filter for a package, applying `min-release-age-exclude`.
+  // Returns null (no age filter) for an exempted package, otherwise the
+  // configured `before`. The exemption is keyed on the spec's trusted registry
+  // identity (alias targets are unwrapped) so an `npm:` alias key cannot disable
+  // the filter for the package it actually resolves to.
+  #releaseAgeBefore (spec) {
+    const { before, minReleaseAgeExclude } = this.options
+    if (!before) {
+      return before
+    }
+    return isReleaseAgeExcluded(trustedSpecName(spec), minReleaseAgeExclude) ? null : before
+  }
+
   async #fetchManifest (spec, parent, edge) {
     // Enforce allow-* gates before consulting the manifest cache so a cached entry from a different edge cannot bypass the policy.
     this.#checkAllow(spec, edge)
@@ -1286,6 +1305,7 @@ This is a one-time fix-up, please be patient...
       ...this.options,
       avoid: this.#avoidRange(spec.name),
       fullMetadata: true,
+      before: this.#releaseAgeBefore(spec),
       _isRoot: !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace),
     }
     // get the intended spec and stored metadata from yarn.lock file,

package/lib/arborist/index.js

@@ -100,8 +100,10 @@ class Arborist extends Base {
       nodeVersion: process.version,
       ...options,
       Arborist: this.constructor,
+      allowScripts: options.allowScripts ?? null,
       binLinks: 'binLinks' in options ? !!options.binLinks : true,
       cache: options.cache || `${homedir()}/.npm/_cacache`,
+      dangerouslyAllowAllScripts: !!options.dangerouslyAllowAllScripts,
       dryRun: !!options.dryRun,
       formatPackageLock: 'formatPackageLock' in options ? !!options.formatPackageLock : true,
       force: !!options.force,

package/lib/arborist/isolated-reifier.js

@@ -4,6 +4,7 @@ const { join } = require('node:path')
 const { depth } = require('treeverse')
 const crypto = require('node:crypto')
 const { IsolatedNode, IsolatedLink } = require('../isolated-classes.js')
+const nameFromFolder = require('@npmcli/name-from-folder')
 
 // generate short hash key based on the dependency tree starting at this node
 const getKey = (startNode) => {
@@ -39,9 +40,12 @@ module.exports = cls => class IsolatedReifier extends cls {
   #processedEdges = new Set()
   #workspaceProxies = new Map()
 
-  #generateChild (node, location, pkg, isInStore, root) {
+  #generateChild (node, location, pkg, isInStore, root, inBundle = false) {
     const newChild = new IsolatedNode({
       isInStore,
+      inBundle,
+      isRegistryDependency: node.isRegistryDependency,
+      isRootDependency: node.isRootDependency,
       location,
       name: node.packageName || node.name,
       optional: node.optional,
@@ -151,11 +155,14 @@ module.exports = cls => class IsolatedReifier extends cls {
     this.#externalProxies.set(node, result)
     await this.#assignCommonProperties(node, result, !node.hasShrinkwrap)
     if (node.hasShrinkwrap) {
+      // strip any path traversal from package.json name fields before they hit path.join below
+      /* istanbul ignore next - packageName is always set for real packages */
+      const safeName = nameFromFolder(node.packageName || node.path)
       const dir = join(
         node.root.path,
         'node_modules',
         '.store',
-        `${node.packageName}@${node.version}`
+        `${safeName}@${node.version}`
       )
       mkdirSync(dir, { recursive: true })
       // TODO this approach feels wrong and shouldn't be necessary for shrinkwraps
@@ -189,6 +196,13 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.optional = node.optional
     result.resolved = node.resolved
     result.version = node.version
+    // Carry the source node's registry-dependency flag so the store node retains it.
+    // IsolatedNode has no edges to recompute it from, and reify's registry-tarball allow-remote exemption depends on it.
+    result.isRegistryDependency = node.isRegistryDependency
+    // Same reasoning for allow-remote=root: the store node has no edgesIn, so capture from the source node whether it satisfies a valid edge from the project root or a workspace.
+    result.isRootDependency = [...node.edgesIn].some(e =>
+      e.valid && (e.from?.isProjectRoot || e.from?.isWorkspace)
+    )
     return result
   }
 
@@ -198,7 +212,8 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.id = this.counter++
     /* istanbul ignore next - packageName is always set for real packages */
     result.name = result.isWorkspace ? (node.packageName || node.name) : node.name
-    result.packageName = node.packageName || node.name
+    // strip any path traversal from package.json name fields before they hit path.join below
+    result.packageName = nameFromFolder(node.packageName || node.path)
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 
@@ -253,6 +268,22 @@ module.exports = cls => class IsolatedReifier extends cls {
     // local `file:` deps (non-workspace fsChildren) should be treated as local dependencies, not external, so they get symlinked directly instead of being extracted into the store.
     const isLocal = (n) => n.isWorkspace || node.fsChildren?.has(n)
     const optionalDeps = edges.filter(edge => edge.optional).map(edge => edge.to.target)
+
+    // Optional peers declared only in peerDependenciesMeta (e.g. `@types/react`) have no edge, so the materialization above misses them.
+    // Resolve each from the tree and link it; if nobody provides it, node.resolve finds nothing and it stays omitted.
+    const peerMeta = node.package.peerDependenciesMeta
+    if (peerMeta) {
+      const resolvedNames = new Set([...nonOptionalDeps, ...optionalDeps].map(n => n.name))
+      for (const peerName in peerMeta) {
+        if (!peerMeta[peerName]?.optional || resolvedNames.has(peerName)) {
+          continue
+        }
+        const resolved = node.resolve(peerName)?.target
+        if (resolved && resolved !== node && !resolved.inert && !isLocal(resolved)) {
+          optionalDeps.push(resolved)
+        }
+      }
+    }
     result.localDependencies = await Promise.all(nonOptionalDeps.filter(isLocal).map(n => this.#workspaceProxy(n)))
     result.externalDependencies = await Promise.all(nonOptionalDeps.filter(n => !isLocal(n) && !n.inert).map(n => this.#externalProxy(n)))
     result.externalOptionalDependencies = await Promise.all(optionalDeps.filter(n => !n.inert).map(n => this.#externalProxy(n)))
@@ -335,7 +366,8 @@ module.exports = cls => class IsolatedReifier extends cls {
       root.inventory.set(workspace.location, workspace)
       root.workspaces.set(wsName, workspace.path)
 
-      // Create workspace Link. For root declared deps, link at root node_modules/. For undeclared deps, link at the workspace's own node_modules/ (self-link).
+      // Declared workspaces are symlinked at root node_modules/.
+      // Undeclared workspaces get a tree-only Link kept for diff/filter participation but not materialized on disk.
       const isDeclared = this.#rootDeclaredDeps.has(wsName)
       const wsLink = new IsolatedLink({
         location: isDeclared ? join('node_modules', wsName) : join(c.localLocation, 'node_modules', wsName),
@@ -348,7 +380,7 @@ module.exports = cls => class IsolatedReifier extends cls {
         target: workspace,
       })
       if (!isDeclared) {
-        workspace.children.set(wsName, wsLink)
+        wsLink.isUndeclaredWorkspaceLink = true
       }
       root.children.set(wsName, wsLink)
       root.inventory.set(wsLink.location, wsLink)
@@ -366,7 +398,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     })
 
     bundledTree.nodes.forEach(node => {
-      this.#generateChild(node, node.location, node.pkg, false, root)
+      this.#generateChild(node, node.location, node.pkg, false, root, true)
     })
 
     bundledTree.edges.forEach(edge => {

package/lib/arborist/load-virtual.js

@@ -1,4 +1,4 @@
-const { resolve } = require('node:path')
+const { isAbsolute, resolve } = require('node:path')
 // mixin providing the loadVirtual method
 const mapWorkspaces = require('@npmcli/map-workspaces')
 const PackageJson = require('@npmcli/package-json')
@@ -17,6 +17,8 @@ const setWorkspaces = Symbol.for('setWorkspaces')
 
 module.exports = cls => class VirtualLoader extends cls {
   #rootOptionProvided
+  // when true, lockfile entries must stay inside `this.path`
+  #subtreeOnly = false
 
   // public method
   async loadVirtual (options = {}) {
@@ -28,6 +30,8 @@ module.exports = cls => class VirtualLoader extends cls {
     // XXX: deprecate separate reify() options object.
     options = { ...this.options, ...options }
 
+    this.#subtreeOnly = !!options.subtreeOnly
+
     if (options.root && options.root.meta) {
       await this.#loadFromShrinkwrap(options.root.meta, options.root)
       return treeCheck(this.virtualTree)
@@ -166,12 +170,40 @@ module.exports = cls => class VirtualLoader extends cls {
     }
   }
 
+  // throw if the resolved path is outside `base`, only in subtreeOnly mode
+  #assertContained (base, resolvedPath, location) {
+    if (!this.#subtreeOnly) {
+      return
+    }
+    if (isAbsolute(location)) {
+      throw Object.assign(
+        new Error(`invalid lockfile entry: "${location}" must be a relative location`),
+        { code: 'EINVALIDLOCATION', location, base }
+      )
+    }
+    const rel = relpath(base, resolvedPath)
+    if (
+      rel === '..' ||
+      rel.startsWith('../') ||
+      isAbsolute(rel) ||
+      // non-root key that collapses back to base (e.g. 'node_modules/..')
+      (rel === '' && location !== '')
+    ) {
+      throw Object.assign(
+        new Error(`invalid lockfile entry: "${location}" resolves outside of "${base}"`),
+        { code: 'EINVALIDLOCATION', location, base, resolvedPath }
+      )
+    }
+  }
+
   // links is the set of metadata, and nodes is the map of non-Link nodes
   // Set the targets to nodes in the set, if we have them (we might not)
   // XXX build-ideal-tree also has a #resolveLinks, is there overlap?
   async #resolveLinks (links, nodes) {
     for (const [location, meta] of links.entries()) {
       const targetPath = resolve(this.path, meta.resolved)
+      // check before nodes.get so we surface EINVALIDLOCATION instead of EMISSINGTARGET
+      this.#assertContained(this.path, targetPath, meta.resolved || location)
       const targetLoc = relpath(this.path, targetPath)
       const target = nodes.get(targetLoc)
 
@@ -230,6 +262,7 @@ To fix:
   #loadNode (location, sw, loadOverrides) {
     const p = this.virtualTree ? this.virtualTree.realpath : this.path
     const path = resolve(p, location)
+    this.#assertContained(p, path, location)
     // shrinkwrap doesn't include package name unless necessary
     if (!sw.name) {
       sw.name = nameFromFolder(path)
@@ -259,6 +292,7 @@ To fix:
 
   #loadLink (location, targetLoc, target) {
     const path = resolve(this.path, location)
+    this.#assertContained(this.path, path, location)
     const link = new Link({
       installLinks: this.installLinks,
       legacyPeerDeps: this.legacyPeerDeps,

package/lib/arborist/rebuild.js

@@ -12,6 +12,7 @@ const { isNodeGypPackage, defaultGypInstallScript } = require('@npmcli/node-gyp'
 const { promiseRetry } = require('@gar/promise-retry')
 const { log, time } = require('proc-log')
 const { resolve } = require('node:path')
+const { isScriptAllowed } = require('../script-allowed.js')
 
 const boolEnv = b => b ? '1' : ''
 const sortNodes = (a, b) => (a.depth - b.depth) || localeCompare(a.path, b.path)
@@ -225,6 +226,18 @@ module.exports = cls => class Builder extends cls {
       return
     }
 
+    // Phase 1 allowScripts gate: a `false` verdict from the policy matcher
+    // means the user explicitly denied install scripts for this node, so skip
+    // it. `true` and `null` (unreviewed) both fall through to the existing
+    // detection logic — unreviewed nodes still run their scripts in Phase 1
+    // and are surfaced via the post-reify advisory warning. The global
+    // --ignore-scripts kill switch in #build() still takes precedence, and
+    // --dangerously-allow-all-scripts bypasses this gate entirely.
+    if (!this.options.dangerouslyAllowAllScripts &&
+        isScriptAllowed(node, this.options.allowScripts) === false) {
+      return
+    }
+
     if (this.#oldMeta === null) {
       const { root: { meta } } = node
       this.#oldMeta = meta && meta.loadedFromDisk &&

package/lib/arborist/reify.js

@@ -239,7 +239,7 @@ module.exports = cls => class Reifier extends cls {
     this.actualTree = this.idealTree
     this.idealTree = null
 
-    if (!this.options.global) {
+    if (!this.options.global && !this.options.dryRun) {
       await this.actualTree.meta.save()
       const ignoreScripts = !!this.options.ignoreScripts
       // if we aren't doing a dry run or ignoring scripts and we actually made changes to the dep
@@ -642,7 +642,7 @@ module.exports = cls => class Reifier extends cls {
       .then(nodes => promiseAllRejectLate(nodes.map(node => new Arborist({
         ...this.options,
         path: node.path,
-      }).loadVirtual({ root: node }))))
+      }).loadVirtual({ root: node, subtreeOnly: true }))))
       // reload the diff and sparse tree because the ideal tree changed
       .then(() => this[_diffTrees]())
       .then(() => this[_createSparseTree]())
@@ -744,7 +744,8 @@ module.exports = cls => class Reifier extends cls {
         integrity: node.integrity,
         // A node counts as "root" for allow-* enforcement if it satisfies at least one valid dependency edge declared by the project root or a workspace.
         // node.parent is unsafe here: after hoisting, transitive packages can have the project root as their tree parent.
-        _isRoot: [...node.edgesIn].some(e =>
+        // In the linked strategy the store node has no edgesIn, so isolated-reifier precomputes isRootDependency from the source node's edges.
+        _isRoot: node.isRootDependency || [...node.edgesIn].some(e =>
           e.valid && (e.from?.isProjectRoot || e.from?.isWorkspace)
         ),
         // pacote's npa re-parses our `name@URL` spec as type=remote, so allowRemote would mis-fire on registry tarballs.
@@ -760,6 +761,12 @@ module.exports = cls => class Reifier extends cls {
     }
 
     // node.isLink
+
+    // Tree-only Link: present in the tree for diff/filter participation, never materialized on disk.
+    if (node.isUndeclaredWorkspaceLink) {
+      return
+    }
+
     await rm(node.path, { recursive: true, force: true })
 
     // symlink
@@ -875,17 +882,18 @@ module.exports = cls => class Reifier extends cls {
 
   // When extracting a registry-resolved package, the spec we hand to pacote is name@URL.
   // pacote re-parses that with npa and gets spec.type === 'remote', so without an override the allow-remote gate would fire on every registry tarball (both =none and =root mis-fire).
-  // Returns true only when we are confident this is a registry-mediated install: the node's inbound edges must all be registry-typed (no exotic spec smuggled the URL in) AND the resolved URL's host must match the registry npm-registry-fetch selected for this spec, so a tampered lockfile pointing at an attacker host still hits the gate.
+  // Returns true only when we are confident this is a registry-mediated install.
   #isRegistryResolvedTarball (node) {
     if (!node.resolved || !node.isRegistryDependency) {
       return false
     }
     try {
-      // Hostnames are case-insensitive; lowercase both sides for safety even though WHATWG URL already normalizes.
-      const resolvedHost = new URL(node.resolved).hostname.toLowerCase()
+      const resolved = new URL(node.resolved)
       // pickRegistry only consults spec.scope, so a bare-name (tag) parse is sufficient and avoids a node.version dependency.
-      const registryHost = new URL(pickRegistry(npa(node.name), this.options)).hostname.toLowerCase()
-      return resolvedHost === registryHost
+      const registry = new URL(pickRegistry(npa(node.name), this.options))
+      const registryPath = registry.pathname.replace(/\/?$/, '/')
+      return resolved.origin === registry.origin &&
+        (registryPath === '/' || resolved.pathname.startsWith(registryPath))
     } catch {
       return false
     }
@@ -1356,9 +1364,27 @@ module.exports = cls => class Reifier extends cls {
     const nmDir = resolve(this.path, 'node_modules')
     const storeDir = resolve(nmDir, '.store')
 
+    // Enumerate on-disk store entries as full keys, descending one level into each @scope directory because scoped keys nest as .store/@scope/pkg@version-hash.
     let entries
     try {
-      entries = await readdir(storeDir)
+      const topLevel = await readdir(storeDir, { withFileTypes: true })
+      entries = []
+      for (const ent of topLevel) {
+        if (ent.name.startsWith('@')) {
+          let scoped
+          try {
+            scoped = await readdir(resolve(storeDir, ent.name))
+          } catch {
+            /* istanbul ignore next -- readdir of an entry we just listed should not fail */
+            continue
+          }
+          for (const name of scoped) {
+            entries.push(`${ent.name}/${name}`)
+          }
+        } else {
+          entries.push(ent.name)
+        }
+      }
     } catch {
       entries = null
     }
@@ -1374,13 +1400,20 @@ module.exports = cls => class Reifier extends cls {
     for (const child of this.idealTree.children.values()) {
       const loc = child.location.replace(/\\/g, '/')
       if (child.isInStore) {
-        const key = loc.split('/')[2]
+        // Store location is node_modules/.store/{key}/node_modules/{pkg}.
+        // For a scoped package the key is @scope/pkg@version-hash, which spans two path segments, so reconstruct both instead of taking only the scope.
+        const parts = loc.split('/')
+        const key = parts[2].startsWith('@') ? `${parts[2]}/${parts[3]}` : parts[2]
         validKeys.add(key)
         continue
       }
       if (!child.isLink) {
         continue
       }
+      // Tree-only Links never exist on disk; skipping them lets the sweep remove any stale self-link left by an older npm version.
+      if (child.isUndeclaredWorkspaceLink) {
+        continue
+      }
       const nmIdx = loc.lastIndexOf(NM_PREFIX)
       if (nmIdx === -1 || loc.includes(STORE_MARKER)) {
         continue
@@ -1452,6 +1485,23 @@ module.exports = cls => class Reifier extends cls {
                 er => log.warn('cleanup', `Failed to remove orphaned store entry ${e}`, er))
           )
         )
+        // Removing the last scoped orphan under a scope leaves an empty @scope directory behind, so prune any scope directory that is now empty.
+        const scopes = new Set(
+          orphaned.filter(e => e.startsWith('@')).map(e => e.split('/')[0])
+        )
+        await promiseAllRejectLate(
+          [...scopes].map(async scope => {
+            const scopeDir = resolve(storeDir, scope)
+            try {
+              const remaining = await readdir(scopeDir)
+              if (!remaining.length) {
+                await rm(scopeDir, { recursive: true, force: true })
+              }
+            } catch {
+              /* istanbul ignore next -- readdir of a scope dir we just listed should not fail */
+            }
+          })
+        )
       }
     }
 

package/lib/dep-valid.js

@@ -9,6 +9,27 @@ const npa = require('npm-package-arg')
 const { relative } = require('node:path')
 const fromPath = require('./from-path.js')
 
+// A named ref (tag or branch) resolves to a commit hash, so look up the
+// committish recorded for this edge in the lockfile to detect spec changes.
+const lockedGitCommittish = (child, requestor) => {
+  const lock = requestor.root?.meta?.data?.packages?.[requestor.location]
+  const spec = lock && (
+    lock.dependencies?.[child.name] ||
+    lock.optionalDependencies?.[child.name] ||
+    lock.devDependencies?.[child.name] ||
+    lock.peerDependencies?.[child.name]
+  )
+  if (!spec) {
+    return null
+  }
+  try {
+    const parsed = npa.resolve(child.name, spec, requestor.realpath)
+    return parsed.type === 'git' ? parsed.gitCommittish || '' : null
+  } catch {
+    return null
+  }
+}
+
 const depValid = (child, requested, requestor) => {
   // NB: we don't do much to verify 'tag' type requests.
   // Just verify that we got a remote resolution.  Presumably, it
@@ -94,6 +115,14 @@ const depValid = (child, requested, requestor) => {
         }
       }
       if (!requested.gitRange) {
+        // a named ref can't be verified against the resolved commit offline,
+        // so re-resolve if it differs from the committish in the lockfile
+        if (!reqCommit) {
+          const locked = lockedGitCommittish(child, requestor)
+          if (locked !== null && locked !== (requested.gitCommittish || '')) {
+            return false
+          }
+        }
         return true
       }
       return semver.satisfies(child.package.version, requested.gitRange, {

package/lib/install-scripts.js

@@ -0,0 +1,114 @@
+const { isNodeGypPackage } = require('@npmcli/node-gyp')
+const PackageJson = require('@npmcli/package-json')
+
+// Returns the install-relevant lifecycle scripts that would run for a
+// given arborist Node, or `{}` if there are none.
+//
+// Includes:
+//   - explicit preinstall/install/postinstall
+//   - prepare, but only for non-registry sources (git, file, link, remote)
+//   - synthetic `node-gyp rebuild`, when `binding.gyp` is present on disk
+//     and the package does not opt out via `gypfile: false` or define its
+//     own install / preinstall script
+
+// Lifecycle-script enumeration boundary.
+//
+// IMPORTANT: this helper decides whether `prepare` should be included
+// in the enumerated install scripts (true for non-registry sources only).
+// It is NOT a policy-matching predicate. The policy matcher in
+// script-allowed.js uses `isRegistryNode`, which is strictly tied to
+// versionFromTgz(node.resolved). The two helpers exist separately on
+// purpose:
+//
+//   - `hasNonRegistryShape` (here): "should we consider running prepare
+//     on this node?" — a yes/no for what to enumerate.
+//   - `isRegistryNode` (script-allowed.js): "do we trust this node's
+//     identity enough to apply a policy entry?" — a security check.
+//
+// The looser fallback here (treating unknown-resolved nodes as registry,
+// thus skipping `prepare`) is the safer default for enumeration: we'd
+// rather omit a script we should have run than synthesise one for a
+// non-registry source we couldn't confirm. The policy matcher's stricter
+// behaviour is correct for its boundary; the two helpers must not be
+// merged.
+const hasNonRegistryShape = (node) => {
+  if (typeof node.isRegistryDependency === 'boolean') {
+    return !node.isRegistryDependency
+  }
+  if (!node.resolved) {
+    return false
+  }
+  return !/^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(node.resolved)
+}
+
+const getInstallScripts = async (node) => {
+  /* istanbul ignore next: arborist Nodes always carry a `package` object;
+     defensive fallbacks for non-arborist callers. */
+  const pkg = node.package || {}
+  /* istanbul ignore next */
+  const scripts = pkg.scripts || {}
+  const collected = {}
+
+  if (scripts.preinstall) {
+    collected.preinstall = scripts.preinstall
+  }
+  if (scripts.install) {
+    collected.install = scripts.install
+  }
+  if (scripts.postinstall) {
+    collected.postinstall = scripts.postinstall
+  }
+  if (scripts.prepare && hasNonRegistryShape(node)) {
+    collected.prepare = scripts.prepare
+  }
+
+  const hasExplicitGypGate = !!(collected.preinstall || collected.install)
+  if (
+    !hasExplicitGypGate &&
+    pkg.gypfile !== false &&
+    await isNodeGypPackage(node.path).catch(() => false)
+  ) {
+    collected.install = 'node-gyp rebuild'
+  }
+
+  // Lockfile-only nodes carry `hasInstallScript: true` but no enumerated
+  // scripts: the lockfile records the presence flag, not the script bodies,
+  // so `node.package.scripts` is empty on a lockfile-driven install (`npm ci`,
+  // a repeat `npm install`). Before giving up, read the installed
+  // package.json from disk to recover the real script bodies. Builder#addToBuildSet
+  // does the same disk read to decide what to run, but unlike that path this
+  // one is read-only: we never mutate `node.package`.
+  if (Object.keys(collected).length === 0 && node.hasInstallScript === true) {
+    const { content } = await PackageJson.normalize(node.path)
+      .catch(() => ({ content: {} }))
+    /* istanbul ignore next: normalize resolves to an object with a scripts
+       object, or our catch fallback returns {}; defensive guard only. */
+    const diskScripts = content?.scripts || {}
+
+    if (diskScripts.preinstall) {
+      collected.preinstall = diskScripts.preinstall
+    }
+    if (diskScripts.install) {
+      collected.install = diskScripts.install
+    }
+    if (diskScripts.postinstall) {
+      collected.postinstall = diskScripts.postinstall
+    }
+    if (diskScripts.prepare && hasNonRegistryShape(node)) {
+      collected.prepare = diskScripts.prepare
+    }
+
+    // Still nothing. The package isn't on disk yet (e.g. `npm ci` before
+    // reify) or its package.json is unreadable. Emit a sentinel so the
+    // advisory and the strict-allow-scripts preflight still surface that
+    // install scripts are present.
+    if (Object.keys(collected).length === 0) {
+      collected.install = '(install scripts present)'
+    }
+  }
+
+  return collected
+}
+
+module.exports = getInstallScripts
+module.exports.getInstallScripts = getInstallScripts

package/lib/isolated-classes.js

@@ -20,6 +20,9 @@ class IsolatedNode {
   integrity = null
   inventory = new IsolatedInventory()
   isInStore = false
+  inBundle = false
+  isRegistryDependency = false
+  isRootDependency = false
   linksIn = new Set()
   meta = { loadedFromDisk: false }
   optional = false
@@ -47,6 +50,15 @@ class IsolatedNode {
     if (options.isInStore) {
       this.isInStore = true
     }
+    if (options.inBundle) {
+      this.inBundle = true
+    }
+    if (options.isRegistryDependency) {
+      this.isRegistryDependency = true
+    }
+    if (options.isRootDependency) {
+      this.isRootDependency = true
+    }
     if (options.optional) {
       this.optional = true
     }
@@ -104,6 +116,11 @@ class IsolatedNode {
     return !!(hasInstallScript || install || preinstall || postinstall)
   }
 
+  /* istanbul ignore next -- emulate lib/node.js */
+  get packageName () {
+    return this.package.name || null
+  }
+
   get version () {
     return this.package.version
   }

package/lib/query-selector-all.js

@@ -9,6 +9,7 @@ const npa = require('npm-package-arg')
 const pacote = require('pacote')
 const semver = require('semver')
 const npmFetch = require('npm-registry-fetch')
+const { isReleaseAgeExcluded } = require('./release-age-exclude.js')
 
 // handle results for parsed query asts, results are stored in a map that has a
 // key that points to each ast selector node and stores the resulting array of
@@ -889,8 +890,9 @@ const getPackageVersions = async (name, opts) => {
   let candidates = Object.keys(packument.versions).sort(semver.compare)
 
   // if the packument has a time property, and the user passed a before flag, then
-  // we filter this list down to only those versions that existed before the specified date
-  if (packument.time && opts.before) {
+  // we filter this list down to only those versions that existed before the specified date.
+  // packages matching `min-release-age-exclude` are exempt from this filter.
+  if (packument.time && opts.before && !isReleaseAgeExcluded(name, opts.minReleaseAgeExclude)) {
     candidates = candidates.filter((version) => {
       // this version isn't found in the times at all, drop it
       if (!packument.time[version]) {

package/lib/release-age-exclude.js

@@ -0,0 +1,45 @@
+// Determine whether a package name is exempt from the `min-release-age` /
+// `before` release-age filter, based on the `min-release-age-exclude` config.
+//
+// Patterns are exact package names or `minimatch` globs (e.g. `@myorg/*`), and
+// match against the package name only. This is a "named-only" exemption: a
+// matched package's own dependencies still follow the filter unless they match
+// a pattern too.
+//
+// Callers must match against the resolved registry identity of a package, not
+// the self-reported alias or dependency-edge name. For `npm:` aliases the
+// fetched package is the alias target, so run specs through `trustedSpecName`
+// first; otherwise an alias key could match an exclude pattern and turn the
+// filter off for the unrelated package it resolves to.
+const { minimatch } = require('minimatch')
+
+// This list only ever widens the exemption (turns the security filter off for a
+// package), so disable pattern features that could silently turn it into a
+// match-all: `nonegate` keeps a leading `!` literal (so a stray `!foo` exempts
+// nothing instead of everything-but-foo), `nocomment` keeps a leading `#`
+// literal, and `noext` disables extglobs.
+const minimatchOptions = { nonegate: true, nocomment: true, noext: true }
+
+const isReleaseAgeExcluded = (name, patterns) => {
+  if (!name || !Array.isArray(patterns) || patterns.length === 0) {
+    return false
+  }
+  return patterns.some(pattern =>
+    name === pattern || minimatch(name, pattern, minimatchOptions))
+}
+
+// Resolve the trusted registry name for an npa spec. For `npm:` aliases (e.g.
+// `"x": "npm:other@1"`) the installed/fetched package is the alias target
+// (`subSpec`), not the alias key, so the exemption must be keyed on the
+// underlying package name. Mirrors `nameFromEdges` in script-allowed.js.
+const trustedSpecName = (spec) => {
+  if (!spec) {
+    return undefined
+  }
+  if (spec.type === 'alias' && spec.subSpec && spec.subSpec.registry) {
+    return spec.subSpec.name
+  }
+  return spec.name
+}
+
+module.exports = { isReleaseAgeExcluded, trustedSpecName }

package/lib/script-allowed.js

@@ -0,0 +1,372 @@
+const npa = require('npm-package-arg')
+const semver = require('semver')
+const versionFromTgz = require('./version-from-tgz.js')
+
+// Identity matcher for the allowScripts policy.
+//
+// Returns:
+//   - true: at least one allow entry matches and no deny entry matches
+//   - false: at least one deny entry matches (deny wins on conflict)
+//   - null: no entry matches (unreviewed)
+//
+// `policy` is a flat object of `spec-key -> boolean`, where spec-key is
+// anything `npm-package-arg` can parse. `node` is an arborist Node.
+//
+// Identity rules (see RFC npm/rfcs#868):
+//   - registry deps match by the name+version parsed from the lockfile's
+//     resolved URL, NOT by `node.packageName` / `node.version`. Those two
+//     getters return `node.package.name` / `node.package.version`, which
+//     come from the tarball's own package.json and are therefore
+//     attacker-controlled. A package can publish a tarball claiming any
+//     name; the only trusted name is the one baked into the registry URL.
+//   - tarball / file / link / remote: exact match on node.resolved
+//   - git: match on hosted.ssh() plus a short-SHA prefix of the
+//     resolved committish
+
+const isScriptAllowed = (node, policy) => {
+  // Bundled dependencies never run their install scripts and cannot be
+  // allowlisted. Matching by name@version from the bundled tarball would
+  // reintroduce manifest confusion (a bundled tarball can claim any name
+  // and version). Returning null marks them as not-allowed regardless of
+  // any policy entry, so their install scripts are blocked by the
+  // install-time gate. A package that needs a bundled dep's script must
+  // forward it as one of its own lifecycle scripts.
+  if (node.inBundle) {
+    return null
+  }
+
+  if (!policy || typeof policy !== 'object') {
+    return null
+  }
+
+  let anyAllow = false
+  let anyDeny = false
+
+  for (const [key, value] of Object.entries(policy)) {
+    if (!matches(node, key)) {
+      continue
+    }
+    if (value === false) {
+      anyDeny = true
+      continue
+    }
+    /* istanbul ignore else: policy values are strictly true/false;
+       defensive guard against unexpected coercions. */
+    if (value === true) {
+      anyAllow = true
+    }
+  }
+
+  if (anyDeny) {
+    return false
+  }
+  if (anyAllow) {
+    return true
+  }
+  return null
+}
+
+const matches = (node, key) => {
+  let parsed
+  try {
+    parsed = npa(key)
+  } catch {
+    return false
+  }
+
+  switch (parsed.type) {
+    case 'tag':
+    case 'range':
+    case 'version':
+      return matchRegistry(node, parsed)
+    case 'git':
+      return matchGit(node, parsed)
+    case 'file':
+    case 'directory':
+      return matchFileOrDir(node, parsed)
+    case 'remote':
+      return matchRemote(node, parsed)
+    case 'alias':
+      // Disallowed: aliases as policy keys do not match anything.
+      // The user has to address the real package name.
+      return false
+    /* istanbul ignore next: switch above covers every npa type we expect;
+       defensive fallback for future npa types. */
+    default:
+      return false
+  }
+}
+
+const resolvedSourceSpecs = (node) => {
+  const specs = []
+  const seen = new Set()
+  const add = (spec) => {
+    if (typeof spec !== 'string' || spec === '' || seen.has(spec)) {
+      return
+    }
+    seen.add(spec)
+    specs.push(spec)
+  }
+
+  add(node?.resolved)
+
+  if (!node?.resolved && node?.linksIn && typeof node.linksIn[Symbol.iterator] === 'function') {
+    let hasIncomingLink = false
+    for (const link of node.linksIn) {
+      hasIncomingLink = true
+      add(link.resolved)
+    }
+
+    if (hasIncomingLink) {
+      // Link targets for local directory deps are separate inventory nodes
+      // whose own `resolved` is null. The incoming Link carries the saved spec
+      // (for example `file:../pkg`, relative to node_modules), while policy
+      // entries written by hand often use the dependency spec from package.json
+      // (for example `file:pkg`, resolved by npa to this target path). Include
+      // the real target paths so both forms can match the same local dep.
+      add(node.realpath)
+      add(node.path)
+    }
+  }
+
+  return specs
+}
+
+const matchRegistry = (node, parsed) => {
+  // If this node is not a registry dep, refuse the match. A registry-style
+  // key (`pkg`, `pkg@1`, `pkg@1 || 2`) must not match a tarball or git node
+  // even if their names happen to coincide.
+  if (!isRegistryNode(node)) {
+    return false
+  }
+
+  // Derive the trusted name+version from the lockfile's resolved URL.
+  // Never use `node.packageName` / `node.version` here: those read from
+  // the tarball's own package.json and can be forged by a malicious
+  // publisher to bypass an allowScripts entry.
+  const trusted = getTrustedRegistryIdentity(node)
+  if (!trusted || trusted.name !== parsed.name) {
+    return false
+  }
+
+  // `tag` covers `pkg@latest`. Rejected up front by validatePolicy in
+  // resolve-allow-scripts.js because tags look like a pin but can't be
+  // verified at install time. Defense-in-depth: if one slips through
+  // (e.g. arborist invoked directly without the resolver), don't match.
+  if (parsed.type === 'tag') {
+    /* istanbul ignore next: validatePolicy filters this; defensive */
+    return false
+  }
+
+  // `range` includes `pkg@^1`, `pkg@1 || 2`, `pkg@*`, `pkg@>=0`, and bare
+  // names like `pkg` (npa parses these as range with fetchSpec='*'). The
+  // RFC permits bare names (name-only allow) and exact versions joined by
+  // `||`; ranges like ^/~/>=/< are rejected because they would silently
+  // allow versions the user has never reviewed.
+  if (parsed.type === 'range') {
+    // Bare name or `pkg@*`: treat as name-only allow.
+    if (parsed.fetchSpec === '*' || parsed.rawSpec === '' || parsed.rawSpec === '*') {
+      return true
+    }
+    if (!trusted.version || !isExactVersionDisjunction(parsed.fetchSpec)) {
+      return false
+    }
+    return semver.satisfies(trusted.version, parsed.fetchSpec, { loose: true })
+  }
+
+  // `version` is an exact pin like `pkg@1.2.3`.
+  /* istanbul ignore else: parsed.type at this point is always 'version';
+     the istanbul-ignored fallback below handles the impossible case. */
+  if (parsed.type === 'version') {
+    return trusted.version === parsed.fetchSpec
+  }
+
+  /* istanbul ignore next: parsed.type is constrained to tag/range/version
+     by the caller; this final fallback is defensive. */
+  return false
+}
+
+// Derive a registry node's trusted name+version.
+//
+// Preferred source: the lockfile's resolved URL parsed via
+// versionFromTgz. arborist records the URL when it first adds the dep,
+// before any tarball is unpacked, so the URL cannot be forged by the
+// package's own package.json.
+//
+// Fallback for lockfiles produced with omit-lockfile-registry-resolved
+// (where the URL is absent): take the dep name from an incoming
+// dependency edge. The edge's spec was written by the consumer (or by an
+// upstream package.json), not by the installed tarball. For aliases like
+// `"trusted": "npm:naughty@1.0.0"`, the underlying registered package
+// name is parsed out of the alias `subSpec`. The install location
+// (`node_modules/trusted`) is deliberately not consulted because for
+// aliases it carries only the alias name, which would let a malicious
+// publisher bypass an allowScripts entry written for the real package.
+//
+// Version is left null in the fallback case because the only remaining
+// source for it (`node.version`) reads from the tarball.
+//
+// Returns `{ name, version }` or `null` if no trusted identity exists.
+const getTrustedRegistryIdentity = (node) => {
+  if (node.resolved && typeof node.resolved === 'string') {
+    const parsed = versionFromTgz('', node.resolved)
+    /* istanbul ignore else: versionFromTgz returns either a complete
+       { name, version } or null; partial objects are not produced. */
+    if (parsed && parsed.name && parsed.version) {
+      return parsed
+    }
+  }
+  const name = nameFromEdges(node)
+  if (name) {
+    return { name, version: null }
+  }
+  return null
+}
+
+const nameFromEdges = (node) => {
+  if (!node.edgesIn || typeof node.edgesIn[Symbol.iterator] !== 'function') {
+    return null
+  }
+  for (const edge of node.edgesIn) {
+    let parsed
+    try {
+      parsed = npa.resolve(edge.name, edge.spec)
+    } catch {
+      continue
+    }
+    // Aliases: trust the underlying registered package, not the alias.
+    if (parsed.type === 'alias' && parsed.subSpec && parsed.subSpec.registry) {
+      return parsed.subSpec.name
+    }
+    // Non-aliased registry edge: the edge name is the package name as
+    // written by the consumer / upstream, which is trusted (it is not
+    // read from the installed tarball).
+    if (parsed.registry) {
+      return parsed.name
+    }
+  }
+  return null
+}
+
+// True if `rangeSpec` is one or more exact versions joined by `||`. Anything
+// containing comparator operators (^, ~, >=, <, *) returns false.
+const isExactVersionDisjunction = (rangeSpec) => {
+  /* istanbul ignore next: caller always passes parsed.fetchSpec, which
+     npa guarantees to be a non-empty string for range specs. */
+  if (typeof rangeSpec !== 'string' || rangeSpec.trim() === '') {
+    return false
+  }
+  const parts = rangeSpec.split('||').map(p => p.trim())
+  /* istanbul ignore next: String.prototype.split always returns at least
+     one element; defensive guard only. */
+  if (parts.length === 0) {
+    return false
+  }
+  return parts.every(p => p !== '' && semver.valid(p) !== null)
+}
+
+const matchGit = (node, parsed) => {
+  if (!node.resolved || !node.resolved.startsWith('git')) {
+    return false
+  }
+
+  let nodeParsed
+  try {
+    nodeParsed = npa(node.resolved)
+  } catch {
+    /* istanbul ignore next: npa parsing a git URL we already validated
+       starts with `git` should not throw; defensive guard only. */
+    return false
+  }
+
+  // Compare the host/repo. Both sides should resolve to the same canonical
+  // ssh URL.
+  const noCommittish = { noCommittish: true }
+  const keyHost = parsed.hosted?.ssh(noCommittish)
+  const nodeHost = nodeParsed.hosted?.ssh(noCommittish)
+  if (keyHost && nodeHost) {
+    if (keyHost !== nodeHost) {
+      return false
+    }
+  } else if (parsed.fetchSpec && nodeParsed.fetchSpec) {
+    // Non-hosted git URLs: fall back to fetch spec.
+    if (parsed.fetchSpec !== nodeParsed.fetchSpec) {
+      return false
+    }
+  } else {
+    return false
+  }
+
+  // If the policy key has no committish, name-only match.
+  const keyCommittish = parsed.gitCommittish || parsed.hosted?.committish
+  if (!keyCommittish) {
+    return true
+  }
+
+  // Match the resolved full SHA against the key's committish. Users
+  // typically write short SHAs in the policy; the lockfile stores 40-char
+  // SHAs. Direction matters: the lockfile's full SHA must START WITH the
+  // key's short SHA, never the reverse. A longer key matching a shorter
+  // resolved committish would let a malformed lockfile or a divergent
+  // resolver allow scripts the user never approved.
+  const nodeCommittish = nodeParsed.gitCommittish || nodeParsed.hosted?.committish || ''
+  if (!nodeCommittish) {
+    return false
+  }
+  return nodeCommittish.startsWith(keyCommittish)
+}
+
+const matchFileOrDir = (node, parsed) => {
+  return resolvedSourceSpecs(node)
+    .some(resolved => resolved === parsed.saveSpec || resolved === parsed.fetchSpec)
+}
+
+const matchRemote = (node, parsed) => {
+  return resolvedSourceSpecs(node)
+    .some(resolved => resolved === parsed.fetchSpec || resolved === parsed.saveSpec)
+}
+
+const isRegistryNode = (node) => {
+  // Prefer arborist's edge-based check when available (real Node objects).
+  // It inspects the incoming edges' specs and only returns true if every
+  // edge resolves to a registry spec, which is much harder to spoof than
+  // the URL.
+  if (typeof node.isRegistryDependency === 'boolean') {
+    return node.isRegistryDependency
+  }
+  // Fall back to URL parsing for nodes without the arborist getter
+  // (e.g. test fixtures, lockfiles with omit-lockfile-registry-resolved).
+  // Treat the node as a registry dep when:
+  //   - resolved is missing entirely (omitLockfileRegistryResolved),
+  //   - resolved is an https/http URL pointing at a registry tarball, or
+  //   - resolved is undefined and the node has a version (defensive).
+  if (!node.resolved) {
+    return !!node.version
+  }
+  // Registry tarballs live at `<host>/<pkg-name>/-/<pkg-name>-<version>.tgz`.
+  // Require a path segment before `/-/` so an attacker can't lift a
+  // registry-style allow entry to a hostile URL like
+  // `https://evil.com/-/trusted-1.0.0.tgz`.
+  return /^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(node.resolved)
+}
+
+// Trusted display identity for human-facing output (the `npm install`
+// blocked-scripts summary and `npm approve-scripts --allow-scripts-pending`).
+// Same as getTrustedRegistryIdentity, but for display only: version
+// falls back to node.version when the URL doesn't carry one. Do not
+// use for policy matching.
+const trustedDisplay = (node) => {
+  const trusted = getTrustedRegistryIdentity(node)
+  /* istanbul ignore next: defensive fallbacks for nodes without name/version */
+  return {
+    name: (trusted && trusted.name) || node.name || null,
+    version: (trusted && trusted.version) || node.version || null,
+  }
+}
+
+module.exports = isScriptAllowed
+module.exports.isScriptAllowed = isScriptAllowed
+module.exports.isExactVersionDisjunction = isExactVersionDisjunction
+module.exports.getTrustedRegistryIdentity = getTrustedRegistryIdentity
+module.exports.resolvedSourceSpecs = resolvedSourceSpecs
+module.exports.trustedDisplay = trustedDisplay

package/lib/shrinkwrap.js

@@ -929,8 +929,14 @@ class Shrinkwrap {
           continue
         }
         const loc = relpath(this.path, node.path)
-        // Drop lockfile entries for extraneous nodes outside node_modules. These are stale workspace entries: the workspace was removed from package.json or its directory was deleted, so it should not be tracked in package-lock.json.
-        if (node.extraneous && !/(^|\/)node_modules\//.test(loc) && loc !== 'node_modules') {
+        // Drop lockfile entries for extraneous nodes outside node_modules that
+        // are direct fsChildren of the root (or detached link targets). These
+        // are stale top-level entries: a workspace or file: dep removed from
+        // the root manifest, or whose directory was deleted. Extraneous
+        // fsChildren nested under another package (e.g. a file: dep of another
+        // file: dep) are kept so `npm ci` can resolve the parent's dependency.
+        if (node.extraneous && !/(^|\/)node_modules\//.test(loc) && loc !== 'node_modules' &&
+          (!node.fsParent || node.fsParent.isRoot)) {
           continue
         }
         const meta = Shrinkwrap.metaFromNode(

package/lib/unreviewed-scripts.js

@@ -0,0 +1,94 @@
+const isScriptAllowed = require('./script-allowed.js')
+const getInstallScripts = require('./install-scripts.js')
+
+// Shared allowScripts walk used by both the npm CLI
+// (lib/utils/check-allow-scripts.js, lib/utils/strict-allow-scripts-preflight.js)
+// and libnpmexec (npm exec / npx). It lives in arborist because that is the
+// only package both callers can import.
+//
+// Walks a tree's inventory and returns the dep nodes that have
+// install-relevant lifecycle scripts and are not yet covered (or explicitly
+// denied) by the allowScripts policy.
+//
+// Returns an array of `{ node, scripts }` entries. `scripts` is an object
+// describing the relevant lifecycle scripts that would run.
+const collectUnreviewedScripts = async ({
+  tree,
+  policy,
+  ignoreScripts = false,
+  dangerouslyAllowAllScripts = false,
+  includeWhenIgnored = false,
+} = {}) => {
+  // With ignore-scripts set, no scripts run, so execution callers bail out
+  // here. approve/deny pass includeWhenIgnored so they keep listing
+  // unreviewed packages, which is what you need to move from a blanket
+  // ignore-scripts to an allowlist. Listing never runs anything.
+  if ((ignoreScripts && !includeWhenIgnored) || dangerouslyAllowAllScripts) {
+    return []
+  }
+
+  if (!tree?.inventory) {
+    return []
+  }
+
+  const resolvedPolicy = policy || null
+
+  const unreviewed = []
+  for (const node of tree.inventory.values()) {
+    if (node.isProjectRoot || node.isWorkspace) {
+      continue
+    }
+    if (node.isLink) {
+      // Linked workspace dependencies are managed by the workspace owner.
+      continue
+    }
+    if (node.inBundle) {
+      // Bundled dependencies never run their install scripts and cannot be
+      // allowlisted, so they are never "pending". Skipping them keeps them
+      // out of the advisory warning and out of strict-allow-scripts. A
+      // package that needs a bundled dep's script must forward it as one of
+      // its own lifecycle scripts.
+      continue
+    }
+
+    const verdict = isScriptAllowed(node, resolvedPolicy)
+    if (verdict === true || verdict === false) {
+      continue
+    }
+
+    const scripts = await getInstallScripts(node)
+    if (Object.keys(scripts).length === 0) {
+      continue
+    }
+
+    unreviewed.push({ node, scripts })
+  }
+
+  return unreviewed
+}
+
+// Builds the `ESTRICTALLOWSCRIPTS` error thrown by the strict-mode preflight
+// from a list of `{ node, scripts }` entries. `remediation` is the
+// caller-specific guidance appended after the package list (npm install vs
+// npm exec have different remediation commands).
+const strictAllowScriptsError = (unreviewed, { remediation } = {}) => {
+  const lines = unreviewed.map(({ node, scripts }) => {
+    const events = Object.entries(scripts)
+      .map(([event, body]) => `${event}: ${body}`)
+      .join('; ')
+    const name = node.package?.name || node.name
+    const version = node.package?.version || ''
+    const label = version ? `${name}@${version}` : name
+    return `  ${label} (${events})`
+  }).join('\n')
+
+  return Object.assign(
+    new Error(
+      `--strict-allow-scripts: ${unreviewed.length} package(s) have install ` +
+      `scripts not covered by allowScripts:\n${lines}\n${remediation}`
+    ),
+    { code: 'ESTRICTALLOWSCRIPTS' }
+  )
+}
+
+module.exports = { collectUnreviewedScripts, strictAllowScriptsError }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.6.0",
+  "version": "9.8.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",