Skip to content

feat: namespace install-script approval commands under npm install-scripts#9629

Merged
owlstronaut merged 5 commits into
npm:latestfrom
manzoorwanijk:feat/install-scripts-namespace
Jun 24, 2026
Merged

feat: namespace install-script approval commands under npm install-scripts#9629
owlstronaut merged 5 commits into
npm:latestfrom
manzoorwanijk:feat/install-scripts-namespace

Conversation

@manzoorwanijk

Copy link
Copy Markdown
Contributor

Add a namespaced npm install-scripts command that groups the install-script approval operations, following npm's existing npm cache <cmd> / npm token <cmd> convention:

  • npm install-scripts approve <pkg>... | --all
  • npm install-scripts deny <pkg>... | --all
  • npm install-scripts ls (list packages with unreviewed install scripts)

The shipped npm approve-scripts and npm deny-scripts commands keep working as aliases for approve and deny, so this is additive and backwards compatible. The shared AllowScriptsCmd base now dispatches through runMode(mode, args); the standalone commands route through it via static verb. The --allow-scripts-pending flag is only honored by the commands that declare it, so the namespace lists exclusively through ls.

References

Closes #9545
Follow-up from RFC npm/rfcs#868.

@manzoorwanijk manzoorwanijk marked this pull request as ready for review June 24, 2026 11:36
@manzoorwanijk manzoorwanijk requested review from a team as code owners June 24, 2026 11:36
@owlstronaut owlstronaut merged commit 0c4dd41 into npm:latest Jun 24, 2026
52 checks passed
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Backport to release/v11 failed.

This usually means the cherry-pick had conflicts. Please create a manual backport:

git fetch origin release/v11
git checkout -b backport/v11/9629 origin/release/v11
git cherry-pick -x 0c4dd414f213971c82fe0d620bbf34d7fae25f0d
# resolve any conflicts, then:
git push origin backport/v11/9629
Error details
Command failed: git cherry-pick -x 0c4dd414f213971c82fe0d620bbf34d7fae25f0d
error: could not apply 0c4dd414f... feat: namespace install-script approval commands under npm install-scripts (#9629)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

@manzoorwanijk manzoorwanijk deleted the feat/install-scripts-namespace branch June 24, 2026 14:51
@manzoorwanijk

Copy link
Copy Markdown
Contributor Author

I will try creating a manual backport for this, but my guess is that it will be chaotic 😄

@owlstronaut

Copy link
Copy Markdown
Contributor

I will try creating a manual backport for this, but my guess is that it will be chaotic 😄

thanks! I appreciate it. I started to but please do 😄

manzoorwanijk added a commit to manzoorwanijk/npm-cli that referenced this pull request Jun 24, 2026
…ripts (npm#9629)

Add a namespaced `npm install-scripts` command that groups the
install-script approval operations, following npm's existing `npm cache
<cmd>` / `npm token <cmd>` convention:

- `npm install-scripts approve <pkg>... | --all`
- `npm install-scripts deny <pkg>... | --all`
- `npm install-scripts ls` (list packages with unreviewed install
scripts)

The shipped `npm approve-scripts` and `npm deny-scripts` commands keep
working as aliases for `approve` and `deny`, so this is additive and
backwards compatible. The shared `AllowScriptsCmd` base now dispatches
through `runMode(mode, args)`; the standalone commands route through it
via `static verb`. The `--allow-scripts-pending` flag is only honored by
the commands that declare it, so the namespace lists exclusively through
`ls`.

Closes npm#9545
Follow-up from RFC npm/rfcs#868.
manzoorwanijk added a commit to manzoorwanijk/npm-cli that referenced this pull request Jun 24, 2026
…ripts (npm#9629)

Add a namespaced `npm install-scripts` command that groups the
install-script approval operations, following npm's existing `npm cache
<cmd>` / `npm token <cmd>` convention:

- `npm install-scripts approve <pkg>... | --all`
- `npm install-scripts deny <pkg>... | --all`
- `npm install-scripts ls` (list packages with unreviewed install
scripts)

The shipped `npm approve-scripts` and `npm deny-scripts` commands keep
working as aliases for `approve` and `deny`, so this is additive and
backwards compatible. The shared `AllowScriptsCmd` base now dispatches
through `runMode(mode, args)`; the standalone commands route through it
via `static verb`. The `--allow-scripts-pending` flag is only honored by
the commands that declare it, so the namespace lists exclusively through
`ls`.

Closes npm#9545
Follow-up from RFC npm/rfcs#868.
manzoorwanijk added a commit to manzoorwanijk/npm-cli that referenced this pull request Jun 24, 2026
…ripts (npm#9629)

Add a namespaced `npm install-scripts` command that groups the
install-script approval operations, following npm's existing `npm cache
<cmd>` / `npm token <cmd>` convention:

- `npm install-scripts approve <pkg>... | --all`
- `npm install-scripts deny <pkg>... | --all`
- `npm install-scripts ls` (list packages with unreviewed install
scripts)

The shipped `npm approve-scripts` and `npm deny-scripts` commands keep
working as aliases for `approve` and `deny`, so this is additive and
backwards compatible. The shared `AllowScriptsCmd` base now dispatches
through `runMode(mode, args)`; the standalone commands route through it
via `static verb`. The `--allow-scripts-pending` flag is only honored by
the commands that declare it, so the namespace lists exclusively through
`ls`.

Closes npm#9545
Follow-up from RFC npm/rfcs#868.
owlstronaut pushed a commit that referenced this pull request Jun 24, 2026
…ripts (#9635)

Backport of #9629 to `release/v11`.

Adds the namespaced `npm install-scripts` command (`approve`, `deny`,
`ls`), keeping `npm approve-scripts` / `npm deny-scripts` working as
aliases, and points the install-time, rebuild, and strict-allow-scripts
guidance at the new namespace.

## References

Backports #9629
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

2 participants