@npmcli/config 10.9.1 → 10.10.0

package/lib/definitions/definitions.js

@@ -1,4 +1,5 @@
 const Definition = require('./definition.js')
+const parseAllowScriptsList = require('../parse-allow-scripts-list.js')
 
 const ciInfo = require('ci-info')
 const querystring = require('node:querystring')
@@ -153,7 +154,7 @@ const definitions = {
     defaultDescription: `
     'public' for new packages, existing packages it will not change the current level
   `,
-    type: [null, 'restricted', 'public'],
+    type: [null, 'restricted', 'public', 'private'],
     description: `
     If you do not want your scoped package to be publicly viewable (and
     installable) set \`--access=restricted\`.
@@ -164,8 +165,13 @@ const definitions = {
     packages.  Specifying a value of \`restricted\` or \`public\` during
     publish will change the access for an existing package the same way that
     \`npm access set status\` would.
+
+    The value \`private\` is an alias for \`restricted\`.
   `,
-    flatten,
+    flatten (key, obj, flatOptions) {
+      const value = obj[key]
+      flatOptions.access = value === 'private' ? 'restricted' : value
+    },
   }),
   all: new Definition('all', {
     default: false,
@@ -247,6 +253,31 @@ const definitions = {
   `,
     flatten,
   }),
+  'allow-scripts': new Definition('allow-scripts', {
+    default: '',
+    type: [String, Array],
+    hint: '<package-list>',
+    description: `
+      Comma-separated list of packages whose install-time lifecycle scripts
+      (\`preinstall\`, \`install\`, \`postinstall\`, and \`prepare\` for
+      non-registry dependencies) are allowed to run.
+
+      This setting is intended for one-off and global contexts: \`npm exec\`,
+      \`npx\`, and \`npm install -g\`, where no project \`package.json\` is
+      involved. For team-wide policy in a project, use the \`allowScripts\`
+      field in \`package.json\` (which also supports explicit denials), or
+      configure it in \`.npmrc\`. Passing \`--allow-scripts\` on the command
+      line during a project-scoped \`npm install\`, \`ci\`, \`update\`, or
+      \`rebuild\` is an error.
+
+      Each name is matched against a dependency's resolved identity, not
+      against the package's self-reported name. \`--ignore-scripts\` and
+      \`--dangerously-allow-all-scripts\` both override this setting.
+  `,
+    flatten (key, obj, flatOptions) {
+      flatOptions.allowScripts = parseAllowScriptsList(obj[key])
+    },
+  }),
   also: new Definition('also', {
     default: null,
     type: [null, 'dev', 'development'],
@@ -535,6 +566,18 @@ const definitions = {
     `,
     flatten,
   }),
+  'dangerously-allow-all-scripts': new Definition('dangerously-allow-all-scripts', {
+    default: false,
+    type: Boolean,
+    description: `
+      If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+      dependency install script regardless of whether it was approved or
+      denied. Intended as a migration escape hatch only; its use is strongly
+      discouraged. \`--ignore-scripts\` still takes precedence over this
+      setting.
+    `,
+    flatten,
+  }),
   depth: new Definition('depth', {
     default: null,
     defaultDescription: `
@@ -1667,6 +1710,27 @@ const definitions = {
     `,
     flatten,
   }),
+  'allow-scripts-pending': new Definition('allow-scripts-pending', {
+    default: false,
+    type: Boolean,
+    description: `
+      List packages with install scripts that are not yet covered by the
+      \`allowScripts\` policy, without modifying \`package.json\`. Only
+      meaningful for \`npm approve-scripts\`.
+    `,
+    flatten,
+  }),
+  'allow-scripts-pin': new Definition('allow-scripts-pin', {
+    default: true,
+    type: Boolean,
+    description: `
+      Write pinned (\`pkg@version\`) entries when approving install scripts.
+      Set to \`false\` to write name-only entries that allow any version.
+      Has no effect on \`npm deny-scripts\`, which always writes name-only
+      entries regardless of this setting.
+    `,
+    flatten,
+  }),
   'prefer-dedupe': new Definition('prefer-dedupe', {
     default: false,
     type: Boolean,
@@ -2238,6 +2302,22 @@ const definitions = {
     `,
     flatten,
   }),
+  'strict-allow-scripts': new Definition('strict-allow-scripts', {
+    default: false,
+    type: Boolean,
+    description: `
+      If \`true\`, turn the install-script policy from a warning into a hard
+      error: any dependency with install scripts not covered by
+      \`allowScripts\` will fail the install instead of running with a
+      notice.
+
+      Dependencies explicitly denied with \`false\` in \`allowScripts\` are
+      always silently skipped; this setting only affects unreviewed entries.
+      \`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both
+      override this setting.
+    `,
+    flatten,
+  }),
   'strict-ssl': new Definition('strict-ssl', {
     default: true,
     type: Boolean,

package/lib/parse-allow-scripts-list.js

@@ -0,0 +1,23 @@
+// Parse an `allow-scripts` raw config value (string or array of strings)
+// into a flat array of trimmed package-spec entries. Shared between the
+// CLI/env layer (via the `allow-scripts` definition's `flatten`) and the
+// package.json / .npmrc layer (in lib/utils/resolve-allow-scripts.js) so
+// both paths agree on quoting, whitespace, and duplicate handling.
+const parseAllowScriptsList = (raw) => {
+  const parts = []
+  const entries = Array.isArray(raw) ? raw : (typeof raw === 'string' ? [raw] : [])
+  for (const entry of entries) {
+    if (typeof entry !== 'string') {
+      continue
+    }
+    for (const part of entry.split(',')) {
+      const trimmed = part.trim()
+      if (trimmed) {
+        parts.push(trimmed)
+      }
+    }
+  }
+  return parts
+}
+
+module.exports = parseAllowScriptsList

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/config",
-  "version": "10.9.1",
+  "version": "10.10.0",
   "files": [
     "bin/",
     "lib/"