@npmcli/config 10.9.1 → 10.11.0

package/lib/definitions/definitions.js

@@ -1,4 +1,5 @@
 const Definition = require('./definition.js')
+const parseAllowScriptsList = require('../parse-allow-scripts-list.js')
 
 const ciInfo = require('ci-info')
 const querystring = require('node:querystring')
@@ -153,7 +154,7 @@ const definitions = {
     defaultDescription: `
     'public' for new packages, existing packages it will not change the current level
   `,
-    type: [null, 'restricted', 'public'],
+    type: [null, 'restricted', 'public', 'private'],
     description: `
     If you do not want your scoped package to be publicly viewable (and
     installable) set \`--access=restricted\`.
@@ -164,17 +165,23 @@ const definitions = {
     packages.  Specifying a value of \`restricted\` or \`public\` during
     publish will change the access for an existing package the same way that
     \`npm access set status\` would.
+
+    The value \`private\` is an alias for \`restricted\`.
   `,
-    flatten,
+    flatten (key, obj, flatOptions) {
+      const value = obj[key]
+      flatOptions.access = value === 'private' ? 'restricted' : value
+    },
   }),
   all: new Definition('all', {
     default: false,
     type: Boolean,
     short: 'a',
     description: `
-    When running \`npm outdated\` and \`npm ls\`, setting \`--all\` will show
-    all outdated or installed packages, rather than only those directly
-    depended upon by the current project.
+    Show or act on all packages, not just the ones your project directly
+    depends on. For \`npm outdated\` and \`npm ls\` this lists every outdated
+    or installed package. For \`npm approve-scripts\` and \`npm deny-scripts\`
+    it selects every package with pending install scripts.
   `,
     flatten,
   }),
@@ -247,6 +254,31 @@ const definitions = {
   `,
     flatten,
   }),
+  'allow-scripts': new Definition('allow-scripts', {
+    default: '',
+    type: [String, Array],
+    hint: '<package-list>',
+    description: `
+      Comma-separated list of packages whose install-time lifecycle scripts
+      (\`preinstall\`, \`install\`, \`postinstall\`, and \`prepare\` for
+      non-registry dependencies) are allowed to run.
+
+      This setting is intended for one-off and global contexts: \`npm exec\`,
+      \`npx\`, and \`npm install -g\`, where no project \`package.json\` is
+      involved. For team-wide policy in a project, use the \`allowScripts\`
+      field in \`package.json\` (which also supports explicit denials), or
+      configure it in \`.npmrc\`. Passing \`--allow-scripts\` on the command
+      line during a project-scoped \`npm install\`, \`ci\`, \`update\`, or
+      \`rebuild\` is an error.
+
+      Each name is matched against a dependency's resolved identity, not
+      against the package's self-reported name. \`--ignore-scripts\` and
+      \`--dangerously-allow-all-scripts\` both override this setting.
+  `,
+    flatten (key, obj, flatOptions) {
+      flatOptions.allowScripts = parseAllowScriptsList(obj[key])
+    },
+  }),
   also: new Definition('also', {
     default: null,
     type: [null, 'dev', 'development'],
@@ -308,6 +340,9 @@ const definitions = {
       Across sources, the standard precedence applies (cli > env > project >
       user > global), so a higher-priority source can always relax or
       override a lower-priority one.
+
+      Packages whose names match \`min-release-age-exclude\` are exempt from
+      this filter.
     `,
     flatten,
   }),
@@ -535,6 +570,18 @@ const definitions = {
     `,
     flatten,
   }),
+  'dangerously-allow-all-scripts': new Definition('dangerously-allow-all-scripts', {
+    default: false,
+    type: Boolean,
+    description: `
+      If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+      dependency install script regardless of whether it was approved or
+      denied. Intended as a migration escape hatch only; its use is strongly
+      discouraged. \`--ignore-scripts\` still takes precedence over this
+      setting.
+    `,
+    flatten,
+  }),
   depth: new Definition('depth', {
     default: null,
     defaultDescription: `
@@ -1427,6 +1474,9 @@ const definitions = {
        spawns a sub-process with \`--before\` while preparing a \`git:\` or
        \`github:\` dependency); when both apply, \`before\` wins within a
        single source and across sources the standard precedence rules apply.
+
+       Packages whose names match \`min-release-age-exclude\` are exempt from
+       this filter.
     `,
     flatten: (key, obj, flatOptions) => {
       const age = obj['min-release-age']
@@ -1437,6 +1487,45 @@ const definitions = {
       }
     },
   }),
+  'min-release-age-exclude': new Definition('min-release-age-exclude', {
+    default: [],
+    hint: '<pkg|glob>',
+    type: [Array, String],
+    envExport: false,
+    description: `
+       A list of package names or \`minimatch\` glob patterns that are exempt
+       from the \`min-release-age\` (and \`before\`) filter. A matching package
+       can always resolve to its newest version, even when a release-age window
+       is set.
+
+       For example, to apply a release-age window to third-party dependencies
+       while letting internally maintained packages update immediately:
+
+       \`\`\`
+       min-release-age=7
+       min-release-age-exclude[]=@myorg/*
+       min-release-age-exclude[]=my-internal-pkg
+       \`\`\`
+
+       Only the named package is exempt; its own dependencies still follow the
+       release-age policy unless they also match a pattern. Patterns match
+       against the package name, so \`@myorg/*\` matches \`@myorg/shared-utils\`.
+
+       Excluding a package does not change which registry it is fetched from. You
+       should own your private scope on the public registry so that nobody else
+       can publish a package with the same name.
+    `,
+    flatten: (key, obj, flatOptions) => {
+      // The config layer always resolves this to an array (nopt and .npmrc both
+      // coerce `[Array, String]` to a list, default `[]`), so treat it as one.
+      // A single value may still pack multiple names as a comma string.
+      const list = obj[key]
+        .flatMap(v => String(v).split(','))
+        .map(v => v.trim())
+        .filter(Boolean)
+      flatOptions.minReleaseAgeExclude = [...new Set(list)]
+    },
+  }),
   'node-gyp': new Definition('node-gyp', {
     default: (() => {
       try {
@@ -1667,6 +1756,27 @@ const definitions = {
     `,
     flatten,
   }),
+  'allow-scripts-pending': new Definition('allow-scripts-pending', {
+    default: false,
+    type: Boolean,
+    description: `
+      List packages with install scripts that are not yet covered by the
+      \`allowScripts\` policy, without modifying \`package.json\`. Only
+      meaningful for \`npm approve-scripts\`.
+    `,
+    flatten,
+  }),
+  'allow-scripts-pin': new Definition('allow-scripts-pin', {
+    default: true,
+    type: Boolean,
+    description: `
+      Write pinned (\`pkg@version\`) entries when approving install scripts.
+      Set to \`false\` to write name-only entries that allow any version.
+      Has no effect on \`npm deny-scripts\`, which always writes name-only
+      entries regardless of this setting.
+    `,
+    flatten,
+  }),
   'prefer-dedupe': new Definition('prefer-dedupe', {
     default: false,
     type: Boolean,
@@ -2238,6 +2348,22 @@ const definitions = {
     `,
     flatten,
   }),
+  'strict-allow-scripts': new Definition('strict-allow-scripts', {
+    default: false,
+    type: Boolean,
+    description: `
+      If \`true\`, turn the install-script policy from a warning into a hard
+      error: any dependency with install scripts not covered by
+      \`allowScripts\` will fail the install instead of running with a
+      notice.
+
+      Dependencies explicitly denied with \`false\` in \`allowScripts\` are
+      always silently skipped; this setting only affects unreviewed entries.
+      \`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both
+      override this setting.
+    `,
+    flatten,
+  }),
   'strict-ssl': new Definition('strict-ssl', {
     default: true,
     type: Boolean,
@@ -2258,13 +2384,13 @@ const definitions = {
       If you ask npm to install a package and don't tell it a specific version,
       then it will install the specified tag.
 
-      It is the tag added to the package@version specified in the 
+      It is the tag added to the package@version specified in the
       \`npm dist-tag add\` command, if no explicit tag is given.
 
       When used by the \`npm diff\` command, this is the tag used to fetch the
       tarball that will be compared with the local files by default.
-      
-      If used in the \`npm publish\` command, this is the tag that will be 
+
+      If used in the \`npm publish\` command, this is the tag that will be
       added to the package submitted to the registry.
     `,
     flatten (key, obj, flatOptions) {
@@ -2373,6 +2499,36 @@ const definitions = {
     flatten (key, obj, flatOptions) {
       const value = obj[key]
       const ciName = ciInfo.name?.toLowerCase().split(' ').join('-') || null
+      // A more specific sub-category for the detected CI, appended to the
+      // ci token as `ci/{ci-name}/{sub-ci-name}` when present.
+      let subCiName = null
+      if (ciInfo.GITHUB_ACTIONS) {
+        // Env vars can be absent, empty, or whitespace; normalize before use.
+        const serverUrl = (process.env.GITHUB_SERVER_URL || '').trim()
+        const runnerEnv = (process.env.RUNNER_ENVIRONMENT || '').trim()
+        let serverHost = ''
+        try {
+          serverHost = new URL(serverUrl).hostname.toLowerCase()
+        } catch {
+          serverHost = ''
+        }
+        if (serverHost === 'github.com') {
+          if (runnerEnv === 'github-hosted') {
+            subCiName = 'dotcom-hosted'
+          } else if (runnerEnv === 'self-hosted') {
+            subCiName = 'dotcom-selfhosted'
+          } else {
+            subCiName = 'dotcom'
+          }
+        } else if (serverHost === 'ghe.com' || serverHost.endsWith('.ghe.com')) {
+          subCiName = 'ghecom'
+        } else if (serverHost) {
+          subCiName = 'ghes'
+        }
+      }
+      const ci = ciName
+        ? `ci/${ciName}${subCiName ? `/${subCiName}` : ''}`
+        : ''
       let inWorkspaces = false
       if (obj.workspaces || obj.workspace && obj.workspace.length) {
         inWorkspaces = true
@@ -2383,7 +2539,7 @@ const definitions = {
           .replace(/\{platform\}/gi, process.platform)
           .replace(/\{arch\}/gi, process.arch)
           .replace(/\{workspaces\}/gi, inWorkspaces)
-          .replace(/\{ci\}/gi, ciName ? `ci/${ciName}` : '')
+          .replace(/\{ci\}/gi, ci)
           .trim()
 
       // We can't clobber the original or else subsequent flattening will fail

package/lib/parse-allow-scripts-list.js

@@ -0,0 +1,23 @@
+// Parse an `allow-scripts` raw config value (string or array of strings)
+// into a flat array of trimmed package-spec entries. Shared between the
+// CLI/env layer (via the `allow-scripts` definition's `flatten`) and the
+// package.json / .npmrc layer (in lib/utils/resolve-allow-scripts.js) so
+// both paths agree on quoting, whitespace, and duplicate handling.
+const parseAllowScriptsList = (raw) => {
+  const parts = []
+  const entries = Array.isArray(raw) ? raw : (typeof raw === 'string' ? [raw] : [])
+  for (const entry of entries) {
+    if (typeof entry !== 'string') {
+      continue
+    }
+    for (const part of entry.split(',')) {
+      const trimmed = part.trim()
+      if (trimmed) {
+        parts.push(trimmed)
+      }
+    }
+  }
+  return parts
+}
+
+module.exports = parseAllowScriptsList

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/config",
-  "version": "10.9.1",
+  "version": "10.11.0",
   "files": [
     "bin/",
     "lib/"