| NPM-DENY-SCRIPTS(1) | General Commands Manual | NPM-DENY-SCRIPTS(1) |
NAME
npm-deny-scripts
Synopsis
<!-- AUTOGENERATED USAGE DESCRIPTIONS -->
Description
The companion command to npm approve-scripts. Writes false entries into the allowScripts field of your project's package.json, recording that a dependency must not run install scripts even if a future version would otherwise be eligible.
In the current release, install scripts still run by default, so deny-scripts only affects how installs of denied packages are reported. A future release will block unreviewed install scripts and respect deny entries at install time.
    npm deny-scripts <pkg> [<pkg> ...]
    npm deny-scripts --all
<pkg> matches every installed version of that package. Denies are always written name-only ("pkg": false), regardless of --allow-scripts-pin. Pinning a deny to a specific version would silently re-allow scripts for any other version of the same package, which defeats the purpose; the command picks the safer default for you.
--all denies every package with unreviewed install scripts.
If a true (pinned or name-only) entry exists for a package and you then deny it, the existing allow entries are removed so the name-only deny is unambiguous.
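A lint for the two conditions described above (a version-pinned deny, and a deny that coexists with allow entries for the same package), as an added example that is not part of the npm documentation or npm's own code. It assumes pinned entries are keyed name@version, a format this page does not show; splitKey, lintAllowScripts and samplePkg are hypothetical names.

```javascript
// Added example, not npm's own code: lint the allowScripts map of a package.json.
// Assumption: pinned entries are keyed "name@version"; the page shows only "pkg": false.
function splitKey(key) {
  // Scoped names start with "@", so search for the version separator after index 0.
  const at = key.indexOf("@", 1);
  return at === -1
    ? { name: key, version: null }
    : { name: key.slice(0, at), version: key.slice(at + 1) };
}

function lintAllowScripts(pkgJson) {
  const byName = new Map();
  const findings = [];
  for (const [key, value] of Object.entries(pkgJson.allowScripts ?? {})) {
    const { name, version } = splitKey(key);
    if (typeof value !== "boolean") {
      findings.push({ key, issue: "value is not true or false" });
      continue;
    }
    if (value === false && version !== null) {
      findings.push({ key, issue: `pinned deny does not cover other versions of ${name}` });
    }
    const seen = byName.get(name) ?? { allow: [], deny: [] };
    (value ? seen.allow : seen.deny).push(key);
    byName.set(name, seen);
  }
  for (const [name, { allow, deny }] of byName) {
    if (allow.length > 0 && deny.length > 0) {
      findings.push({ key: name, issue: `deny coexists with allow entries: ${allow.join(", ")}` });
    }
  }
  return findings;
}

// Constructed sample, not from a real project.
const samplePkg = {
  name: "example-app",
  allowScripts: {
    "telemetry-pkg": false,       // name-only deny, the form the command writes
    "native-addon@2.1.0": true,   // stale pinned allow ...
    "native-addon": false,        // ... next to a deny for the same package
    "@scope/tool@1.0.0": false,   // hand-edited pinned deny
  },
};

for (const f of lintAllowScripts(samplePkg)) console.log(`${f.key}: ${f.issue}`);
```

Run against a hand-edited or merged package.json, an empty result means every deny is name-only and no denied package still carries an allow entry.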
Examples
    # Deny a specific package outright
    npm deny-scripts telemetry-pkg
    # Deny everything that has install scripts and isn't already approved
    npm deny-scripts --all
Configuration
<!-- AUTOGENERATED CONFIG DESCRIPTIONS -->
See Also
- npm approve-scripts
- npm install
- package.json
| June 2026 | 11.16.0 |