Skip to content

Commit 56b15b4

Browse files
committed
deps: upgrade npm to 11.18.0
1 parent 4ee2117 commit 56b15b4

293 files changed

Lines changed: 3844 additions & 723 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

deps/npm/docs/content/commands/npm-approve-scripts.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,14 @@ the command cannot infer. Existing `false` entries always win;
5959
`approve-scripts` will not silently re-allow a package you previously
6060
denied.
6161

62+
If a registry dependency has no `resolved` URL in your `package-lock.json`
63+
(for example, an older lockfile or one written with
64+
`omit-lockfile-registry-resolved`), npm cannot verify a trusted version for
65+
it and cannot pin it: a `pkg@1.2.3` entry never matches, so the package
66+
keeps appearing under `--allow-scripts-pending`. `approve-scripts` approves
67+
these by name (`pkg: true`) and warns when it does. To restore pinning,
68+
refresh the lockfile with `npm install`.
69+
6270
### Examples
6371

6472
```bash

deps/npm/docs/content/commands/npm-ci.md

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -74,8 +74,16 @@ Sets the strategy for installing packages in node_modules. hoisted
7474
(default): Install non-duplicated in top-level, and duplicated as necessary
7575
within directory structure. nested: (formerly --legacy-bundling) install in
7676
place, no hoisting. shallow (formerly --global-style) only install direct
77-
deps at top-level. linked: (experimental) install in node_modules/.store,
78-
link in place, unhoisted.
77+
deps at top-level. linked: install in node_modules/.store, link in place,
78+
unhoisted.
79+
80+
We recommend that package authors use `--install-strategy=linked` during
81+
development to catch undeclared ("phantom") dependencies before publishing:
82+
the isolated layout only exposes a package's declared dependencies, so an
83+
`import` of a package that was never added to `package.json` can fail
84+
instead of resolving by accident and shipping broken. See [Catching
85+
undeclared ("phantom")
86+
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
7987

8088

8189

@@ -298,6 +306,10 @@ silently skipped; this setting only affects unreviewed entries.
298306
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
299307
setting.
300308

309+
Optional dependencies that cannot be installed on the current platform or
310+
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
311+
their install scripts never run.
312+
301313

302314

303315
#### `dangerously-allow-all-scripts`

deps/npm/docs/content/commands/npm-dedupe.md

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -74,8 +74,16 @@ Sets the strategy for installing packages in node_modules. hoisted
7474
(default): Install non-duplicated in top-level, and duplicated as necessary
7575
within directory structure. nested: (formerly --legacy-bundling) install in
7676
place, no hoisting. shallow (formerly --global-style) only install direct
77-
deps at top-level. linked: (experimental) install in node_modules/.store,
78-
link in place, unhoisted.
77+
deps at top-level. linked: install in node_modules/.store, link in place,
78+
unhoisted.
79+
80+
We recommend that package authors use `--install-strategy=linked` during
81+
development to catch undeclared ("phantom") dependencies before publishing:
82+
the isolated layout only exposes a package's declared dependencies, so an
83+
`import` of a package that was never added to `package.json` can fail
84+
instead of resolving by accident and shipping broken. See [Catching
85+
undeclared ("phantom")
86+
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
7987
8088
8189

deps/npm/docs/content/commands/npm-exec.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -194,6 +194,10 @@ silently skipped; this setting only affects unreviewed entries.
194194
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
195195
setting.
196196

197+
Optional dependencies that cannot be installed on the current platform or
198+
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
199+
their install scripts never run.
200+
197201

198202

199203
#### `dangerously-allow-all-scripts`

deps/npm/docs/content/commands/npm-find-dupes.md

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,8 +25,16 @@ Sets the strategy for installing packages in node_modules. hoisted
2525
(default): Install non-duplicated in top-level, and duplicated as necessary
2626
within directory structure. nested: (formerly --legacy-bundling) install in
2727
place, no hoisting. shallow (formerly --global-style) only install direct
28-
deps at top-level. linked: (experimental) install in node_modules/.store,
29-
link in place, unhoisted.
28+
deps at top-level. linked: install in node_modules/.store, link in place,
29+
unhoisted.
30+
31+
We recommend that package authors use `--install-strategy=linked` during
32+
development to catch undeclared ("phantom") dependencies before publishing:
33+
the isolated layout only exposes a package's declared dependencies, so an
34+
`import` of a package that was never added to `package.json` can fail
35+
instead of resolving by accident and shipping broken. See [Catching
36+
undeclared ("phantom")
37+
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
3038

3139

3240

deps/npm/docs/content/commands/npm-install-ci-test.md

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -27,8 +27,16 @@ Sets the strategy for installing packages in node_modules. hoisted
2727
(default): Install non-duplicated in top-level, and duplicated as necessary
2828
within directory structure. nested: (formerly --legacy-bundling) install in
2929
place, no hoisting. shallow (formerly --global-style) only install direct
30-
deps at top-level. linked: (experimental) install in node_modules/.store,
31-
link in place, unhoisted.
30+
deps at top-level. linked: install in node_modules/.store, link in place,
31+
unhoisted.
32+
33+
We recommend that package authors use `--install-strategy=linked` during
34+
development to catch undeclared ("phantom") dependencies before publishing:
35+
the isolated layout only exposes a package's declared dependencies, so an
36+
`import` of a package that was never added to `package.json` can fail
37+
instead of resolving by accident and shipping broken. See [Catching
38+
undeclared ("phantom")
39+
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
3240

3341

3442

@@ -251,6 +259,10 @@ silently skipped; this setting only affects unreviewed entries.
251259
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
252260
setting.
253261

262+
Optional dependencies that cannot be installed on the current platform or
263+
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
264+
their install scripts never run.
265+
254266

255267

256268
#### `dangerously-allow-all-scripts`
Lines changed: 166 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,166 @@
1+
---
2+
title: npm-install-scripts
3+
section: 1
4+
description: Manage install-script approvals for dependencies
5+
---
6+
7+
### Synopsis
8+
9+
```bash
10+
npm install-scripts approve <pkg> [<pkg> ...]
11+
npm install-scripts approve --all
12+
npm install-scripts deny <pkg> [<pkg> ...]
13+
npm install-scripts deny --all
14+
npm install-scripts ls
15+
npm install-scripts prune
16+
```
17+
18+
Note: This command is unaware of workspaces.
19+
20+
### Description
21+
22+
Manages the `allowScripts` field in your project's `package.json`, which
23+
records which of your dependencies are permitted to run install scripts
24+
(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry
25+
sources). This is the recommended way to maintain that field.
26+
27+
Dependency install scripts are blocked by default. Install commands
28+
silently skip lifecycle scripts for any dependency that does not have a
29+
matching entry in `allowScripts`, and end with a list of the packages
30+
whose scripts were skipped so you can review them here.
31+
32+
This command only works inside a project that has a `package.json`. Running
33+
it with `--global` (`-g`) fails with an `EGLOBAL` error, since global
34+
installs (`npm install -g`) and one-off executions (`npm exec` / `npx`) have
35+
no project `package.json` to write to. To allow install scripts in those
36+
contexts, use the `--allow-scripts` flag at install time (for example
37+
`npm install -g --allow-scripts=canvas,sharp`) or persist the setting with
38+
`npm config set allow-scripts=canvas,sharp --location=user`.
39+
40+
There are four subcommands:
41+
42+
```bash
43+
npm install-scripts approve <pkg> [<pkg> ...]
44+
npm install-scripts approve --all
45+
npm install-scripts deny <pkg> [<pkg> ...]
46+
npm install-scripts deny --all
47+
npm install-scripts ls
48+
npm install-scripts prune
49+
```
50+
51+
`approve` allows install scripts for the named packages. `<pkg>` matches
52+
every installed version of that package. By default it writes pinned entries
53+
(`pkg@1.2.3`), which keep their approval narrowed to the specific version you
54+
reviewed. Pass `--no-allow-scripts-pin` to write name-only entries that allow
55+
any future version. `--all` approves every package with unreviewed install
56+
scripts in one go.
57+
58+
`deny` records an explicit denial for the named packages (a name-only `false`
59+
entry), which survives `npm install-scripts approve --all` and excludes the
60+
package from any future blanket approval. `--all` denies every package with
61+
unreviewed install scripts.
62+
63+
`ls` is read-only: it lists every package whose install scripts are not yet
64+
covered by `allowScripts`, without modifying `package.json`.
65+
66+
`prune` removes `allowScripts` entries that no longer match an installed
67+
package with an install script, either because the package is no longer
68+
installed (a transitive dependency changed, or a pinned `pkg@1.2.3` was
69+
upgraded) or because it no longer has an install script. Both approvals
70+
(`true`) and denials (`false`) are removed. It edits only the `allowScripts`
71+
field in `package.json`, never `.npmrc` or `--allow-scripts`. Pass `--dry-run`
72+
to preview without writing. Unparseable keys are left alone.
73+
74+
`approve` honours the asymmetric pin rule: if you re-approve a package whose
75+
installed version has changed, the existing pin is rewritten to track the new
76+
installed version. Multi-version statements (`pkg@1 || 2`) are left alone,
77+
since they likely capture intent that the command cannot infer. Existing
78+
`false` entries always win; `approve` will not silently re-allow a package you
79+
previously denied.
80+
81+
The standalone commands [`npm approve-scripts`](/commands/npm-approve-scripts)
82+
and [`npm deny-scripts`](/commands/npm-deny-scripts) are aliases for
83+
`npm install-scripts approve` and `npm install-scripts deny`.
84+
85+
### Examples
86+
87+
```bash
88+
# Approve all currently-installed install scripts after reviewing them
89+
npm install-scripts approve --all
90+
91+
# Approve specific packages, pinned to their installed version
92+
npm install-scripts approve canvas sharp
93+
94+
# Deny a package so it stays blocked
95+
npm install-scripts deny telemetry-pkg
96+
97+
# Preview which packages still need review
98+
npm install-scripts ls
99+
100+
# Preview stale allowScripts entries, then remove them
101+
npm install-scripts prune --dry-run
102+
npm install-scripts prune
103+
```
104+
105+
### Configuration
106+
107+
#### `all`
108+
109+
* Default: false
110+
* Type: Boolean
111+
112+
Show or act on all packages, not just the ones your project directly depends
113+
on. For `npm outdated` and `npm ls` this lists every outdated or installed
114+
package. For `npm approve-scripts` and `npm deny-scripts` it selects every
115+
package with pending install scripts.
116+
117+
118+
119+
#### `allow-scripts-pin`
120+
121+
* Default: true
122+
* Type: Boolean
123+
124+
Write pinned (`pkg@version`) entries when approving install scripts. Set to
125+
`false` to write name-only entries that allow any version. Has no effect on
126+
`npm deny-scripts`, which always writes name-only entries regardless of this
127+
setting.
128+
129+
130+
131+
#### `dry-run`
132+
133+
* Default: false
134+
* Type: Boolean
135+
136+
Indicates that you don't want npm to make any changes and that it should
137+
only report what it would have done. This can be passed into any of the
138+
commands that modify your local installation, eg, `install`, `update`,
139+
`dedupe`, `uninstall`, as well as `pack` and `publish`.
140+
141+
Note: This is NOT honored by other network related commands, eg `dist-tags`,
142+
`owner`, etc.
143+
144+
145+
146+
#### `json`
147+
148+
* Default: false
149+
* Type: Boolean
150+
151+
Whether or not to output JSON data, rather than the normal output.
152+
153+
* In `npm pkg set` it enables parsing set values with JSON.parse() before
154+
saving them to your `package.json`.
155+
156+
Not supported by all npm commands.
157+
158+
159+
160+
### See Also
161+
162+
* [npm approve-scripts](/commands/npm-approve-scripts)
163+
* [npm deny-scripts](/commands/npm-deny-scripts)
164+
* [npm install](/commands/npm-install)
165+
* [npm rebuild](/commands/npm-rebuild)
166+
* [package.json](/configuring-npm/package-json)

deps/npm/docs/content/commands/npm-install-test.md

Lines changed: 24 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -68,8 +68,16 @@ Sets the strategy for installing packages in node_modules. hoisted
6868
(default): Install non-duplicated in top-level, and duplicated as necessary
6969
within directory structure. nested: (formerly --legacy-bundling) install in
7070
place, no hoisting. shallow (formerly --global-style) only install direct
71-
deps at top-level. linked: (experimental) install in node_modules/.store,
72-
link in place, unhoisted.
71+
deps at top-level. linked: install in node_modules/.store, link in place,
72+
unhoisted.
73+
74+
We recommend that package authors use `--install-strategy=linked` during
75+
development to catch undeclared ("phantom") dependencies before publishing:
76+
the isolated layout only exposes a package's declared dependencies, so an
77+
`import` of a package that was never added to `package.json` can fail
78+
instead of resolving by accident and shipping broken. See [Catching
79+
undeclared ("phantom")
80+
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
7381

7482

7583

@@ -328,6 +336,10 @@ silently skipped; this setting only affects unreviewed entries.
328336
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
329337
setting.
330338

339+
Optional dependencies that cannot be installed on the current platform or
340+
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
341+
their install scripts never run.
342+
331343

332344

333345
#### `dangerously-allow-all-scripts`
@@ -375,6 +387,10 @@ sources, the standard precedence applies (cli > env > project > user >
375387
global), so a higher-priority source can always relax or override a
376388
lower-priority one.
377389

390+
As with `min-release-age`, when this cutoff blocks a fix that `npm audit
391+
fix` would install, npm keeps the vulnerable version, warns, and exits with
392+
a non-zero code.
393+
378394
Packages whose names match `min-release-age-exclude` are exempt from this
379395
filter.
380396

@@ -397,6 +413,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
397413
apply, `before` wins within a single source and across sources the standard
398414
precedence rules apply.
399415

416+
When this window stops `npm audit fix` from installing a patched version
417+
(because the fix was published too recently), npm keeps the package at its
418+
vulnerable version, warns that the fix was blocked, and exits with a
419+
non-zero code. To install the fix, add the package to
420+
`min-release-age-exclude`, or relax `min-release-age` or `before`.
421+
400422
Packages whose names match `min-release-age-exclude` are exempt from this
401423
filter.
402424

deps/npm/docs/content/commands/npm-install.md

Lines changed: 24 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -410,8 +410,16 @@ Sets the strategy for installing packages in node_modules. hoisted
410410
(default): Install non-duplicated in top-level, and duplicated as necessary
411411
within directory structure. nested: (formerly --legacy-bundling) install in
412412
place, no hoisting. shallow (formerly --global-style) only install direct
413-
deps at top-level. linked: (experimental) install in node_modules/.store,
414-
link in place, unhoisted.
413+
deps at top-level. linked: install in node_modules/.store, link in place,
414+
unhoisted.
415+
416+
We recommend that package authors use `--install-strategy=linked` during
417+
development to catch undeclared ("phantom") dependencies before publishing:
418+
the isolated layout only exposes a package's declared dependencies, so an
419+
`import` of a package that was never added to `package.json` can fail
420+
instead of resolving by accident and shipping broken. See [Catching
421+
undeclared ("phantom")
422+
dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
415423

416424

417425

@@ -670,6 +678,10 @@ silently skipped; this setting only affects unreviewed entries.
670678
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
671679
setting.
672680
681+
Optional dependencies that cannot be installed on the current platform or
682+
engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
683+
their install scripts never run.
684+
673685
674686
675687
#### `dangerously-allow-all-scripts`
@@ -717,6 +729,10 @@ sources, the standard precedence applies (cli > env > project > user >
717729
global), so a higher-priority source can always relax or override a
718730
lower-priority one.
719731
732+
As with `min-release-age`, when this cutoff blocks a fix that `npm audit
733+
fix` would install, npm keeps the vulnerable version, warns, and exits with
734+
a non-zero code.
735+
720736
Packages whose names match `min-release-age-exclude` are exempt from this
721737
filter.
722738
@@ -739,6 +755,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
739755
apply, `before` wins within a single source and across sources the standard
740756
precedence rules apply.
741757
758+
When this window stops `npm audit fix` from installing a patched version
759+
(because the fix was published too recently), npm keeps the package at its
760+
vulnerable version, warns that the fix was blocked, and exits with a
761+
non-zero code. To install the fix, add the package to
762+
`min-release-age-exclude`, or relax `min-release-age` or `before`.
763+
742764
Packages whose names match `min-release-age-exclude` are exempt from this
743765
filter.
744766

0 commit comments

Comments
 (0)