This repository was archived by the owner on Aug 18, 2024. It is now read-only.
Whitelist packages that you trust in your package.json: "allowScripts": { "packageName": "1.x.x - 2.x.x" }
Run npm install --ignore-scripts or yarn install --ignore-scripts
Run npx allow-scripts
Only the explicitly allowed [pre|post]install scripts will be executed.
Usage
$ npx allow-scripts [--dry-run]
Running the command will scan the list of installed dependencies (using an existing package-lock.json or npm-shrinkwrap.json or by creating one on the fly). It will then execute the scripts for allowed dependencies that have them in the following order:
preinstall in the main package
preinstall in dependencies
install in dependencies
postinstall in dependencies
install in the main package
postinstall in the main package
prepublish in the main package
prepare in the main package
Configuration
"allowScripts": {
  "fsevents": "*",        # allow install scripts in all versions
  "node-sass": false,     # ignore install scripts for all versions
  "webpack-cli": "3.x.x"  # allow all minors for v3, ignore everything else
}
Allowed package list is configurable in package.json by adding an allowScripts property, with an object where the key is a package name and the value is one of:
a string with a semver specifier for allowed versions (non-matching versions will be ignored)
true - allow all versions (equivalent to '*' semver specifier)
false - ignore all versions
If a package has a lifecycle script, but is neither allowed nor ignored, allow-scripts will exit with an error.
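The allow/ignore/error rules above and the execution order listed under Usage, combined into one sketch. This is an added example, not the allow-scripts source: the function names, the simplified version matcher (the real tool accepts semver specifiers), the sample packages and the assumption that the main package's own scripts always run are illustrative.

```javascript
// Added illustration, NOT the allow-scripts source. matches() is a simplified stand-in
// for semver: "*", x-ranges ("3.x.x") and hyphen ranges between x-ranges only.
const DEP_STAGES = ['preinstall', 'install', 'postinstall'];
// bound('3.x.x', 0) -> [3, 0, 0]; bound('3.x.x', Infinity) -> [3, Infinity, Infinity]
const bound = (spec, fill) => (spec.trim() + '.x.x').split('.').slice(0, 3)
  .map((p) => (/^[x*]$/i.test(p) ? fill : Number(p)));
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function matches(version, range) {
  const v = version.split('.').map(Number);
  const [from, to = from] = range.split(' - ');
  return cmp(v, bound(from, 0)) >= 0 && cmp(v, bound(to, Infinity)) <= 0;
}

// README rules: true or matching range -> allow; false or non-matching range -> ignore;
// package missing from allowScripts -> error.
function decide(dep, allowScripts) {
  if (!Object.prototype.hasOwnProperty.call(allowScripts, dep.name)) return 'error';
  const rule = allowScripts[dep.name];
  if (typeof rule === 'boolean') return rule ? 'allow' : 'ignore';
  return matches(dep.version, rule) ? 'allow' : 'ignore';
}

// Ordered "package:stage" steps. Assumption: the main package's scripts always run.
function plan(root, deps, allowScripts) {
  const allowed = deps.filter((dep) => {
    if (!DEP_STAGES.some((s) => dep.scripts[s])) return false; // no lifecycle script
    const verdict = decide(dep, allowScripts);
    if (verdict === 'error') throw new Error(`${dep.name}@${dep.version} not in allowScripts`);
    return verdict === 'allow';
  });
  const steps = [];
  const add = (pkg, stage) => pkg.scripts[stage] && steps.push(`${pkg.name}:${stage}`);
  add(root, 'preinstall');
  for (const stage of DEP_STAGES) allowed.forEach((dep) => add(dep, stage));
  ['install', 'postinstall', 'prepublish', 'prepare'].forEach((stage) => add(root, stage));
  return steps;
}
// Constructed sample; the allowScripts entries are the README's, the rest is made up.
const allowScripts = { fsevents: '*', 'node-sass': false, 'webpack-cli': '3.x.x' };
const rootPkg = { name: 'my-app', scripts: { preinstall: 'node check.js', prepare: 'node build.js' } };
const deps = [
  { name: 'fsevents', version: '2.3.2', scripts: { install: 'node build.js' } },
  { name: 'node-sass', version: '4.14.1', scripts: { postinstall: 'node build.js' } },
  { name: 'webpack-cli', version: '3.3.12', scripts: { postinstall: 'node notice.js' } },
  { name: 'lodash', version: '4.17.21', scripts: {} },
];
console.log(plan(rootPkg, deps, allowScripts));
```

The own-property check in `decide` keeps a dependency whose name collides with an `Object.prototype` member (for example `constructor`) from being treated as listed.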