fix(js): preserve npm allowScripts allowlist in pruned package.json #36016
Open
leosvelperez wants to merge 1 commit into
Conversation
View your CI Pipeline Execution for commit e7a32b3
The @nx/js:prune-lockfile executor built its output package.json from only the project package.json, so the npm `allowScripts` install-script allowlist (which `npm approve-scripts` writes to the workspace root) was dropped from the pruned output. `npm ci` in the deployed artifact then ran install scripts the allowlist was meant to gate, and under npm's upcoming strict mode an approved script would instead be blocked. Carry the root `allowScripts` into the pruned package.json, with any project-level entries preserved and winning on conflict. This mirrors the existing `pnpm.allowBuilds` handling in createPackageJson.
Current Behavior

`@nx/js:prune-lockfile` builds the generated `package.json` from only the project `package.json`. The npm `allowScripts` install-script allowlist lives at the workspace root (npm's `approve-scripts` is workspace-unaware and writes it there), so it never reached the pruned output. Running `npm ci` against the pruned artifact then executed install scripts the developer had reviewed and gated, and once npm enforces the allowlist a previously approved script would instead be blocked.

Expected Behavior

The pruned `package.json` carries the root `allowScripts` policy, merged with any project-level entries (project entries win on conflict). This mirrors how `createPackageJson` already copies the root `pnpm.allowBuilds` build-script allowlist into generated `package.json` files.

Related Issue(s)

Fixes #35931
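A worked illustration of the merge the description above asks for, added here and not code from the Nx repository: it models the pruned `package.json` build with the root allowlist carried over (project entries winning on conflict, `pnpm.allowBuilds` handled the same way) and a check that reports which root-approved entries a pruned artifact lost. The package-name-to-boolean shape of `allowScripts` and `pnpm.allowBuilds`, the function names and the sample manifests are assumptions.

```typescript
// Added example, not Nx's own code. The shape of `allowScripts` and
// `pnpm.allowBuilds` (package name -> boolean) is an assumption.
type Allowlist = Record<string, boolean>;
interface PackageJson {
  name?: string;
  dependencies?: Record<string, string>;
  allowScripts?: Allowlist;
  pnpm?: { allowBuilds?: Allowlist };
}

// Root policy first, then project entries, so a project entry wins on conflict.
function mergeAllowlist(root?: Allowlist, project?: Allowlist): Allowlist | undefined {
  if (!root && !project) return undefined;
  return { ...(root ?? {}), ...(project ?? {}) };
}

// Hypothetical stand-in for the executor step: build the pruned package.json
// from the project package.json and carry both root install-script allowlists.
function buildPrunedPackageJson(root: PackageJson, project: PackageJson): PackageJson {
  const pruned: PackageJson = {
    name: project.name,
    dependencies: { ...(project.dependencies ?? {}) },
  };
  const allowScripts = mergeAllowlist(root.allowScripts, project.allowScripts);
  if (allowScripts) pruned.allowScripts = allowScripts;
  const allowBuilds = mergeAllowlist(root.pnpm?.allowBuilds, project.pnpm?.allowBuilds);
  if (allowBuilds) pruned.pnpm = { allowBuilds };
  return pruned;
}

// Regression check for a pruned artifact: root allowlist entries that did not
// make it into the output, i.e. packages whose install-script gate was dropped.
function droppedGates(root: PackageJson, pruned: PackageJson): string[] {
  const kept = pruned.allowScripts ?? {};
  return Object.keys(root.allowScripts ?? {}).filter((pkg) => !(pkg in kept));
}

// Constructed sample input: the root approves esbuild and blocks an addon,
// while the project explicitly re-approves the addon.
const ROOT_PKG: PackageJson = {
  name: 'workspace',
  allowScripts: { esbuild: true, 'native-addon': false },
  pnpm: { allowBuilds: { esbuild: true } },
};
const PROJECT_PKG: PackageJson = {
  name: 'api',
  dependencies: { esbuild: '^0.20.0', 'native-addon': '1.0.0' },
  allowScripts: { 'native-addon': true },
};
```

Running `droppedGates` against an artifact built the old way (project `package.json` only) lists every root-approved package, which is exactly the gap this PR closes.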