@npmcli/config 10.9.0 → 10.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
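--- a/lib/definitions/definitions.js
+++ b/lib/definitions/definitions.js
@@ -1,4 +1,5 @@
 const Definition = require('./definition.js')
+const parseAllowScriptsList = require('../parse-allow-scripts-list.js')
 
 const ciInfo = require('ci-info')
 const querystring = require('node:querystring')
@@ -153,7 +154,7 @@ const definitions = {
 defaultDescription: `
 'public' for new packages, existing packages it will not change the current level
 `,
-type: [null, 'restricted', 'public'],
+type: [null, 'restricted', 'public', 'private'],
 description: `
 If you do not want your scoped package to be publicly viewable (and
 installable) set \`--access=restricted\`.
@@ -164,8 +165,13 @@ const definitions = {
 packages. Specifying a value of \`restricted\` or \`public\` during
 publish will change the access for an existing package the same way that
 \`npm access set status\` would.
+
+The value \`private\` is an alias for \`restricted\`.
 `,
-flatten,
+flatten (key, obj, flatOptions) {
+const value = obj[key]
+flatOptions.access = value === 'private' ? 'restricted' : value
+},
 }),
 all: new Definition('all', {
 default: false,
@@ -247,6 +253,31 @@ const definitions = {
 `,
 flatten,
 }),
+'allow-scripts': new Definition('allow-scripts', {
+default: '',
+type: [String, Array],
+hint: '<package-list>',
+description: `
+Comma-separated list of packages whose install-time lifecycle scripts
+(\`preinstall\`, \`install\`, \`postinstall\`, and \`prepare\` for
+non-registry dependencies) are allowed to run.
+
+This setting is intended for one-off and global contexts: \`npm exec\`,
+\`npx\`, and \`npm install -g\`, where no project \`package.json\` is
+involved. For team-wide policy in a project, use the \`allowScripts\`
+field in \`package.json\` (which also supports explicit denials), or
+configure it in \`.npmrc\`. Passing \`--allow-scripts\` on the command
+line during a project-scoped \`npm install\`, \`ci\`, \`update\`, or
+\`rebuild\` is an error.
+
+Each name is matched against a dependency's resolved identity, not
+against the package's self-reported name. \`--ignore-scripts\` and
+\`--dangerously-allow-all-scripts\` both override this setting.
+`,
+flatten (key, obj, flatOptions) {
+flatOptions.allowScripts = parseAllowScriptsList(obj[key])
+},
+}),
 also: new Definition('also', {
 default: null,
 type: [null, 'dev', 'development'],
@@ -292,7 +323,6 @@ const definitions = {
 default: null,
 hint: '<date>',
 type: [null, Date],
-exclusive: ['min-release-age'],
 description: `
 If passed to \`npm install\`, will rebuild the npm tree such that only
 versions that were available **on or before** the given date are
@@ -303,6 +333,12 @@ const definitions = {
 pass the \`--before\` filter, the most recent version less than or equal
 to that tag will be used. For example, \`foo@latest\` might install
 \`foo@1.2\` even though \`latest\` is \`2.0\`.
+
+If \`before\` and \`min-release-age\` are both set in the same source,
+\`before\` wins (an explicit absolute date overrides a relative window).
+Across sources, the standard precedence applies (cli > env > project >
+user > global), so a higher-priority source can always relax or
+override a lower-priority one.
 `,
 flatten,
 }),
@@ -530,6 +566,18 @@ const definitions = {
 `,
 flatten,
 }),
+'dangerously-allow-all-scripts': new Definition('dangerously-allow-all-scripts', {
+default: false,
+type: Boolean,
+description: `
+If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+dependency install script regardless of whether it was approved or
+denied. Intended as a migration escape hatch only; its use is strongly
+discouraged. \`--ignore-scripts\` still takes precedence over this
+setting.
+`,
+flatten,
+}),
 depth: new Definition('depth', {
 default: null,
 defaultDescription: `
@@ -1409,7 +1457,6 @@ const definitions = {
 default: null,
 hint: '<days>',
 type: [null, Number],
-exclusive: ['before'],
 envExport: false,
 description: `
 If set, npm will build the npm tree such that only versions that were
@@ -1418,12 +1465,18 @@ const definitions = {
 command will error.
 
 This flag is a complement to \`before\`, which accepts an exact date
-instead of a relative number of days.
+instead of a relative number of days. The two may coexist (e.g.
+\`min-release-age\` in your \`.npmrc\` is preserved when npm internally
+spawns a sub-process with \`--before\` while preparing a \`git:\` or
+\`github:\` dependency); when both apply, \`before\` wins within a
+single source and across sources the standard precedence rules apply.
 `,
 flatten: (key, obj, flatOptions) => {
-
-
-
+const age = obj['min-release-age']
+// `hasOwn` so a `before` inherited via ConfigData's prototype chain (lib/index.js) from a lower-priority source doesn't silently win.
+// The `: null` clear depends on `Config#flat` iterating sources low → high.
+if (age != null && !Object.hasOwn(obj, 'before')) {
+flatOptions.before = age ? new Date(Date.now() - (86400000 * age)) : null
 }
 },
 }),
@@ -1657,6 +1710,27 @@ const definitions = {
 `,
 flatten,
 }),
+'allow-scripts-pending': new Definition('allow-scripts-pending', {
+default: false,
+type: Boolean,
+description: `
+List packages with install scripts that are not yet covered by the
+\`allowScripts\` policy, without modifying \`package.json\`. Only
+meaningful for \`npm approve-scripts\`.
+`,
+flatten,
+}),
+'allow-scripts-pin': new Definition('allow-scripts-pin', {
+default: true,
+type: Boolean,
+description: `
+Write pinned (\`pkg@version\`) entries when approving install scripts.
+Set to \`false\` to write name-only entries that allow any version.
+Has no effect on \`npm deny-scripts\`, which always writes name-only
+entries regardless of this setting.
+`,
+flatten,
+}),
 'prefer-dedupe': new Definition('prefer-dedupe', {
 default: false,
 type: Boolean,
@@ -2228,6 +2302,22 @@ const definitions = {
 `,
 flatten,
 }),
+'strict-allow-scripts': new Definition('strict-allow-scripts', {
+default: false,
+type: Boolean,
+description: `
+If \`true\`, turn the install-script policy from a warning into a hard
+error: any dependency with install scripts not covered by
+\`allowScripts\` will fail the install instead of running with a
+notice.
+
+Dependencies explicitly denied with \`false\` in \`allowScripts\` are
+always silently skipped; this setting only affects unreviewed entries.
+\`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both
+override this setting.
+`,
+flatten,
+}),
 'strict-ssl': new Definition('strict-ssl', {
 default: true,
 type: Boolean,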
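Review bot: The `min-release-age` flatten (hunk `@@ -1418,12 +1465,18 @@`) now yields to any higher-priority `before`, and because project config outranks user config in the precedence the `before` description itself quotes (cli > env > project > user > global), a `min-release-age` a user sets in their own `.npmrc` as a cooling-off safeguard is silently replaced by a `before` date coming from a project-level `.npmrc`; dropping `exclusive` also removes the error that previously surfaced that combination, assuming the exclusive check spanned sources. Neither description states this consequence, so I would add to the `before` text `Note that a project-level \`.npmrc\` outranks user-level config, so a project can set \`before\` to relax a \`min-release-age\` configured in your user \`.npmrc\`.` and consider emitting a warning at the point where the override actually takes effect. Separately, the new `access` and `allow-scripts` hooks use method shorthand (`flatten (key, obj, flatOptions) {`) while `min-release-age` keeps the arrow form `flatten: (key, obj, flatOptions) =>`; one form for the file would read more consistently. The enclosing `definitions` object starts and ends outside these hunks.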
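--- /dev/null
+++ b/lib/parse-allow-scripts-list.js
@@ -0,0 +1,23 @@
+// Parse an `allow-scripts` raw config value (string or array of strings)
+// into a flat array of trimmed package-spec entries. Shared between the
+// CLI/env layer (via the `allow-scripts` definition's `flatten`) and the
+// package.json / .npmrc layer (in lib/utils/resolve-allow-scripts.js) so
+// both paths agree on quoting, whitespace, and duplicate handling.
+const parseAllowScriptsList = (raw) => {
+const parts = []
+const entries = Array.isArray(raw) ? raw : (typeof raw === 'string' ? [raw] : [])
+for (const entry of entries) {
+if (typeof entry !== 'string') {
+continue
+}
+for (const part of entry.split(',')) {
+const trimmed = part.trim()
+if (trimmed) {
+parts.push(trimmed)
+}
+}
+}
+return parts
+}
+
+module.exports = parseAllowScriptsList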
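Review bot: The header comment says both callers rely on this helper for "duplicate handling", but the function never deduplicates — `parseAllowScriptsList('a,a')` returns `['a', 'a']` — and nothing here touches quoting either, so the comment promises more than callers can assume. If deduplication is intended, `return [...new Set(parts)]` in place of `return parts` would make the comment true; otherwise shorten it to `so both paths agree on splitting and whitespace handling.` A short note on the silent `continue` for non-string entries, e.g. `// non-string entries (e.g. from a malformed array value) are dropped, not coerced`, would also help, since an entry quietly vanishing from an allow-list is exactly the kind of behavior a reader will want confirmed as deliberate.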