fix(allowScripts): close three enforcement gaps#9652

Merged
owlstronaut merged 3 commits into npm:latest from JamieMagee:jamiemagee/allowscripts-enforcement-fixes on Jun 25, 2026
Conversation

@JamieMagee (Contributor) commented Jun 24, 2026

Three allowScripts (install-script policy) fixes:

  • Version-pinned deny fails closed when the lockfile omits resolved.
  • npm link <pkg> gates the global install of a missing package.
  • Regression test: bundled-dep scripts stay blocked under the gate.
@JamieMagee JamieMagee requested review from a team as code owners June 24, 2026 23:37
@JamieMagee JamieMagee force-pushed the jamiemagee/allowscripts-enforcement-fixes branch from 8ce994c to 83bdb35 Compare June 25, 2026 16:06
@JamieMagee JamieMagee requested a review from nishantms June 25, 2026 16:14
@owlstronaut owlstronaut merged commit 60d0d3d into npm:latest Jun 25, 2026
47 checks passed
@github-actions (bot) commented
⚠️ Backport to release/v11 failed.

This usually means the cherry-pick had conflicts. Please create a manual backport:

```shell
git fetch origin release/v11
git checkout -b backport/v11/9652 origin/release/v11
git cherry-pick -x 60d0d3d7c4c8b394b4a35b18f138439d75308368
# resolve any conflicts, then:
git push origin backport/v11/9652
```

Error details:

```
Command failed: git cherry-pick -x 60d0d3d7c4c8b394b4a35b18f138439d75308368
error: could not apply 60d0d3d7c... fix(allowScripts): close three enforcement gaps (#9652)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
```

owlstronaut pushed a commit that referenced this pull request Jun 25, 2026
…11) (#9663)

Backport of #9652 to `release/v11`.

Two adaptations versus latest:

- `link.js`: dropped the `patchRelaxOpts`/`cli-only-flag` lines, which
only exist on latest. The global-install policy gating and strict
preflight are kept.
- Omitted the bundled-dependency regression test. v11's rebuild gate is
deny-only (blocks on `isScriptAllowed === false`), so a bundled dep
(null verdict) is not blocked there and the test would not hold.

The version-pinned deny fix and the `npm link` global-install gating
both apply and are tested. Changed source keeps 100% coverage on
`script-allowed.js`.
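The PR description and the backport note above both turn on the same semantics: a tri-state verdict from `isScriptAllowed` (true = allow rule matched, false = deny rule matched, null = no rule, which is what a bundled dep gets), a version-pinned deny that must fail closed when the lockfile node has no `resolved`, and a gate that is either deny-only (v11: blocks only on an explicit `false`) or strict (latest: a null verdict is also blocked). The model below is an added illustration of those rules and is not code from this PR or from npm/arborist; the policy shape (`allow`/`deny` entry lists of `name` or `name@version`), the node shape, and the helpers `parseEntry`, `gates` and `blockedScripts` are assumptions made for the example.

```javascript
// Illustrative model of the install-script policy gate discussed in this PR.
// NOT npm/arborist code: policy shape, node shape and gate functions are
// assumptions made for this example.
//
// Verdict semantics (tri-state, as the PR text describes):
//   true  -> an allow rule matched, scripts may run
//   false -> a deny rule matched, scripts are blocked
//   null  -> no rule applies (the backport note says bundled deps get this)

// Split "name" or "name@version" into parts; scoped names keep their leading
// "@" (assumed entry syntax for this example).
function parseEntry(entry) {
  const at = entry.lastIndexOf('@');
  if (at <= 0) return { name: entry, version: undefined };
  return { name: entry.slice(0, at), version: entry.slice(at + 1) };
}

// Returns true / false / null for one lockfile node.
// node: { name, version, resolved?, bundled? }  (constructed shape)
function isScriptAllowed(policy, node) {
  if (node.bundled) return null; // no verdict for bundled deps (per PR text)

  for (const entry of policy.deny || []) {
    const rule = parseEntry(entry);
    if (rule.name !== node.name) continue;
    if (rule.version === undefined) return false; // unpinned deny always blocks
    // Version-pinned deny: without `resolved` the node cannot be tied to a
    // fetched artifact, so we cannot prove it is a *different* version.
    // The deny therefore applies (fail closed) instead of being skipped.
    if (node.resolved === undefined) return false;
    if (node.version === rule.version) return false;
  }

  for (const entry of policy.allow || []) {
    const rule = parseEntry(entry);
    if (rule.name !== node.name) continue;
    if (rule.version === undefined || rule.version === node.version) return true;
  }
  return null;
}

// Two gate styles. denyOnly mirrors the v11 behaviour the backport note
// describes (block only on an explicit false); strict runs scripts only on an
// explicit true, so null verdicts such as bundled deps stay blocked.
const gates = {
  denyOnly: (verdict) => verdict !== false,
  strict: (verdict) => verdict === true,
};

// Apply a gate over a list of nodes; returns names whose scripts are blocked.
function blockedScripts(policy, nodes, gate) {
  return nodes
    .filter((n) => !gate(isScriptAllowed(policy, n)))
    .map((n) => n.name);
}

// Constructed sample policy and lockfile nodes (not from any real project).
const samplePolicy = { allow: ['esbuild'], deny: ['left-pad@1.3.0', 'evil-pkg'] };
const sampleNodes = [
  { name: 'esbuild', version: '0.20.0', resolved: 'https://registry.example/esbuild-0.20.0.tgz' },
  { name: 'left-pad', version: '1.3.0', resolved: 'https://registry.example/left-pad-1.3.0.tgz' },
  { name: 'left-pad', version: '1.2.0' }, // pinned deny, `resolved` omitted -> fail closed
  { name: 'evil-pkg', version: '2.0.0', resolved: 'https://registry.example/evil-pkg-2.0.0.tgz' },
  { name: 'bundled-helper', version: '1.0.0', bundled: true },
];

console.log('deny-only gate blocks:', blockedScripts(samplePolicy, sampleNodes, gates.denyOnly));
console.log('strict gate blocks:   ', blockedScripts(samplePolicy, sampleNodes, gates.strict));
```

Run with `node`: the deny-only gate blocks the two `left-pad` nodes and `evil-pkg`, while the strict gate additionally blocks `bundled-helper`, which is exactly why the bundled-dep regression test holds on latest but not on v11. The `left-pad@1.2.0` node with no `resolved` is blocked by both gates even though its declared version does not match the pin; that is the fail-closed behaviour the first fix describes.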
@github-actions github-actions Bot mentioned this pull request Jun 25, 2026
@JamieMagee JamieMagee deleted the jamiemagee/allowscripts-enforcement-fixes branch June 25, 2026 20:34