Scroll to navigation

NPM-APPROVE-SCRIPTS(1) General Commands Manual NPM-APPROVE-SCRIPTS(1)

NAME

npm-approve-scripts

Synopsis

<!-- AUTOGENERATED USAGE DESCRIPTIONS -->

Description

Manages the allowScripts field in your project's package.json, which
records which of your dependencies are permitted to run install scripts
(preinstall, install, postinstall, and prepare for non-registry
sources). This command is the recommended way to maintain that field.

In the current release, this field is advisory: install scripts still run
by default, but installs print a list of packages whose scripts have not
been reviewed. A future release will block unreviewed install scripts.

There are three modes:

npm approve-scripts <pkg> [<pkg> ...]
npm approve-scripts --all
npm approve-scripts --allow-scripts-pending

<pkg> matches every installed version of that package. By default the
command writes pinned entries (pkg@1.2.3), which keep their approval
narrowed to the specific version you reviewed. Pass --no-allow-scripts-pin to write
name-only entries that allow any future version.

--all approves every package with unreviewed install scripts in one go.

--allow-scripts-pending is read-only: it lists every package whose install scripts
are not yet covered by allowScripts, without modifying package.json.

approve-scripts honours the asymmetric pin rule: if you re-approve a
package whose installed version has changed, the existing pin is rewritten
to track the new installed version. Multi-version statements
(pkg@1 || 2) are left alone, since they likely capture intent that
the command cannot infer. Existing false entries always win;
approve-scripts will not silently re-allow a package you previously
denied.

Examples

# Approve all currently-installed install scripts after reviewing them
npm approve-scripts --all
# Approve specific packages, pinned to their installed version
npm approve-scripts canvas sharp
# Approve name-only (any version of this package is allowed)
npm approve-scripts --no-allow-scripts-pin canvas
# Preview which packages still need review
npm approve-scripts --allow-scripts-pending

Configuration

<!-- AUTOGENERATED CONFIG DESCRIPTIONS -->

See Also

  • npm deny-scripts
  • npm install
  • npm rebuild
  • package.json

June 2026 11.16.0