npm-deny-scripts @11.16.0
Deny install scripts for specific dependencies
Synopsis
npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all
Note: This command is unaware of workspaces.
Description
The companion command to npm approve-scripts.
Writes false entries into the allowScripts field of your project's
package.json, recording that a dependency must not run install scripts
even if a future version would otherwise be eligible.
In the current release, install scripts still run by default, so deny-scripts
only affects how installs of denied packages are reported. A future release
will block unreviewed install scripts and respect deny entries at install
time.
npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all
<pkg> matches every installed version of that package. Denies are always
written name-only ("pkg": false), regardless of --allow-scripts-pin. Pinning a deny
to a specific version would silently re-allow scripts for any other version
of the same package, which defeats the purpose; the command picks the
safer default for you.
--all denies every package with unreviewed install scripts.
If a true (pinned or name-only) entry exists for a package and you then
deny it, the existing allow entries are removed so the name-only deny is
unambiguous.
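The rewrite described above, modelled on an in-memory allowScripts object as an added example (not npm's own code). The function names and sample package names are hypothetical, and the only key shapes assumed are the two the page names: "pkg" and "pkg@version". The audit helper flags the two shapes the text warns about, as they might appear in a hand-edited policy.

```javascript
// Split an allowScripts key into package name and optional pinned version.
// A leading "@" is a scope marker, so only a later "@" starts a version.
function parseKey(key) {
  const at = key.lastIndexOf('@');
  return at > 0
    ? { name: key.slice(0, at), version: key.slice(at + 1) }
    : { name: key, version: null };
}

// Model of the deny rewrite: drop every entry (pinned or name-only) for the
// named packages, then write one name-only `false` entry per package.
function denyScripts(allowScripts, names) {
  const denied = new Set(names);
  const out = {};
  for (const [key, value] of Object.entries(allowScripts)) {
    if (!denied.has(parseKey(key).name)) out[key] = value;
  }
  for (const name of denied) out[name] = false;
  return out;
}

// Review helper: report pinned denies and packages with mixed allow/deny entries.
function auditAllowScripts(allowScripts) {
  const findings = [];
  const seen = new Map();
  for (const [key, value] of Object.entries(allowScripts)) {
    const { name, version } = parseKey(key);
    if (value === false && version !== null) {
      findings.push(`${key}: pinned deny does not cover other versions of ${name}`);
    }
    if (!seen.has(name)) seen.set(name, new Set());
    seen.get(name).add(value);
  }
  for (const [name, values] of seen) {
    if (values.has(true) && values.has(false)) {
      findings.push(`${name}: both allow and deny entries present`);
    }
  }
  return findings;
}

// Constructed sample policy; package names are made up for this example.
const samplePolicy = {
  'telemetry-pkg@1.2.3': true,
  '@scope/native-addon@4.0.0': true,
  '@scope/native-addon@3.9.0': false, // pinned deny, as if hand-edited
};
console.log(auditAllowScripts(samplePolicy));
console.log(denyScripts(samplePolicy, ['telemetry-pkg', '@scope/native-addon']));
```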
Examples
# Deny a specific package outright
npm deny-scripts telemetry-pkg
# Deny everything that has install scripts and isn't already approved
npm deny-scripts --all
Configuration
all
- Default: false
- Type: Boolean
When running npm outdated and npm ls, setting --all will show all
outdated or installed packages, rather than only those directly depended
upon by the current project.
allow-scripts-pending
- Default: false
- Type: Boolean
List packages with install scripts that are not yet covered by the
allowScripts policy, without modifying package.json. Only meaningful for
npm approve-scripts.
allow-scripts-pin
- Default: true
- Type: Boolean
Write pinned (pkg@version) entries when approving install scripts. Set to
false to write name-only entries that allow any version. Has no effect on
npm deny-scripts, which always writes name-only entries regardless of this
setting.
json
- Default: false
- Type: Boolean
Whether or not to output JSON data, rather than the normal output.
- In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json.
Not supported by all npm commands.