You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Follow-up from RFC #868 (make install scripts opt-in), tracking the command-naming discussion at npm/rfcs#868 (comment).
Background
npm v11.16.0 shipped two top-level commands, npm approve-scripts and npm deny-scripts. Both are thin subclasses of lib/utils/allow-scripts-cmd.js, registered in lib/utils/cmd-list.js. The verb-noun shape came from pnpm (pnpm approve-builds), and it doesn't match how npm normally groups related operations: npm cache <cmd>, npm team <cmd>, npm token <cmd>, npm org <cmd>.
Proposal
Add one namespaced command and keep the verb-noun forms as aliases (they've shipped, so this stays backwards compatible):
npm install-scripts approve <pkg>... | --all
npm install-scripts deny <pkg>...
npm install-scripts ls (list unreviewed; see companion issue)
npm approve-scripts / npm deny-scripts alias to the above
Follow-up from RFC #868 (make install scripts opt-in), tracking the command-naming discussion at npm/rfcs#868 (comment).
Background
npm v11.16.0 shipped two top-level commands,
npm approve-scriptsandnpm deny-scripts. Both are thin subclasses oflib/utils/allow-scripts-cmd.js, registered inlib/utils/cmd-list.js. Theverb-nounshape came from pnpm (pnpm approve-builds), and it doesn't match how npm normally groups related operations:npm cache <cmd>,npm team <cmd>,npm token <cmd>,npm org <cmd>.Proposal
Add one namespaced command and keep the verb-noun forms as aliases (they've shipped, so this stays backwards compatible):
npm install-scripts approve <pkg>... | --allnpm install-scripts deny <pkg>...npm install-scripts ls(list unreviewed; see companion issue)npm approve-scripts/npm deny-scriptsalias to the aboveNames raised in the thread:
npm install-scripts(favoured by @bakkot)npm scripts(rejected: clashes with thescriptsblock andnpm run)npm trust(rejected:npm trustalready exists)npm hooks,npm lifecycle@owlstronaut suggested aliasing the current commands and adding the namespace in Phase 2.
Notes
install-scriptssays what it does, so it's the strongest candidate.install-scripts ls), which removes the--allow-scripts-pendingambiguity (companion issue).