Synopsis

npm approve-scripts <pkg> [<pkg> ...]
npm approve-scripts --all
npm approve-scripts --allow-scripts-pending
Note: This command is unaware of workspaces.
Description
Manages the allowScripts field in your project's package.json, which records which of your dependencies are permitted to run install scripts (preinstall, install, postinstall, and prepare for non-registry sources). This command is the recommended way to maintain that field.

In the current release, this field is advisory: install scripts still run by default, but installs print a list of packages whose scripts have not been reviewed. A future release will block unreviewed install scripts.

This command only works inside a project that has a package.json. Running it with --global (-g) fails with an EGLOBAL error, since global installs (npm install -g) and one-off executions (npm exec / npx) have no project package.json to write to. To allow install scripts in those contexts, use the --allow-scripts flag at install time (for example npm install -g --allow-scripts=canvas,sharp) or persist the setting with npm config set allow-scripts=canvas,sharp --location=user.
There are three modes:

npm approve-scripts <pkg> [<pkg> ...]
npm approve-scripts --all
npm approve-scripts --allow-scripts-pending
<pkg> matches every installed version of that package. By default the command writes pinned entries (pkg@1.2.3), which scope the approval to the specific version you reviewed. Pass --no-allow-scripts-pin to write name-only entries, which allow any future version.

--all approves every package with unreviewed install scripts in one step.

--allow-scripts-pending is read-only: it lists every package whose install scripts are not yet covered by allowScripts, without modifying package.json.

approve-scripts follows an asymmetric pinning rule: if you re-approve a package whose installed version has changed, the existing pin is rewritten to track the new installed version. Multi-version declarations (pkg@1 || 2) are left untouched, since they most likely capture intent the command cannot infer. Existing false entries always take precedence; approve-scripts never silently re-allows a package you previously denied.
If a registry dependency has no resolved URL in your package-lock.json (for example, an older lockfile or one written with omit-lockfile-registry-resolved), npm cannot verify a trusted version for it and cannot pin it: a pkg@1.2.3 entry never matches, so the package keeps appearing under --allow-scripts-pending. approve-scripts approves these by name (pkg: true) and warns when it does. To restore pinning, refresh the lockfile with npm install.
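The matching rules above (pinned entries, name-only entries, multi-version declarations, false entries taking precedence, and pins that never match when the lockfile has no resolved URL) are easiest to see against a concrete policy. The script below is an added example, not npm's own code: it audits a constructed package.json allowScripts field against constructed package-lock.json entries and reports which packages with install scripts are allowed, denied, or still pending. It reads the hasInstallScript flag that lockfile v2/v3 records for packages with install scripts, and its version matcher is a deliberate simplification (an assumption, not npm's semver logic): each "||" alternative is treated as a version prefix, so "0.20" matches any 0.20.x.

```javascript
// Added example, not npm's own code: audit an allowScripts policy against a
// lockfile, following the matching rules described on this page.
// Both inputs below are constructed for this example.

// Constructed package.json with an allowScripts field covering each entry kind.
const packageJson = {
  name: "example-app",
  allowScripts: {
    "canvas@2.11.2": true,         // pinned: approval scoped to one installed version
    "sharp": true,                 // name-only: any version is approved
    "esbuild@0.19 || 0.20": true,  // multi-version declaration
    "node-gyp-build": false,       // explicit denial; always takes precedence
    "bcrypt@5.1.1": true,          // pinned, but the lock entry below has no resolved URL
  },
};

// Constructed lockfile v3 "packages" entries (only the fields read here).
// "..." stands in for a real registry tarball URL.
const packageLock = {
  packages: {
    "node_modules/canvas":         { version: "2.11.2", resolved: "...", hasInstallScript: true },
    "node_modules/sharp":          { version: "0.33.5", resolved: "...", hasInstallScript: true },
    "node_modules/esbuild":        { version: "0.21.0", resolved: "...", hasInstallScript: true },
    "node_modules/node-gyp-build": { version: "4.8.0",  resolved: "...", hasInstallScript: true },
    "node_modules/fsevents":       { version: "2.3.3",  resolved: "...", hasInstallScript: true },
    "node_modules/bcrypt":         { version: "5.1.1",  hasInstallScript: true }, // no resolved URL
    "node_modules/lodash":         { version: "4.17.21", resolved: "..." },       // no install script
  },
};

// Split an allowScripts key into { name, spec }. The "@" separating the version
// spec is the last one, so scoped names such as "@scope/pkg" survive intact.
function parseKey(key) {
  const at = key.lastIndexOf("@");
  return at > 0
    ? { name: key.slice(0, at), spec: key.slice(at + 1).trim() }
    : { name: key, spec: null };
}

// Simplified matcher (assumption, not full semver): each "||" alternative is a
// version prefix, so "0.20" matches 0.20.x and "1" matches any 1.x.y.
function specMatches(spec, version) {
  const have = version.split(".");
  return spec.split("||").some((alt) => {
    const want = alt.trim().split(".");
    return want.every((part, i) => have[i] === part);
  });
}

// Installed package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Classify one installed package as "denied", "allowed" or "pending".
function evaluate(allowScripts, name, version, resolved) {
  const entries = Object.entries(allowScripts)
    .map(([key, value]) => ({ ...parseKey(key), value }))
    .filter((e) => e.name === name);
  // An existing false entry always wins, whatever else is declared for the name.
  if (entries.some((e) => e.value === false)) return "denied";
  const allowed = entries.some((e) => {
    if (e.value !== true) return false;
    if (e.spec === null) return true;   // name-only entry: any version is approved
    if (!resolved) return false;        // unverifiable version: a pin never matches
    return specMatches(e.spec, version);
  });
  return allowed ? "allowed" : "pending";
}

// Audit the whole lockfile. Only packages that actually carry install scripts
// are policy-relevant; the root entry (key "") is the project itself.
function auditAllowScripts(pkgJson, lock) {
  const result = { allowed: [], denied: [], pending: [] };
  const policy = pkgJson.allowScripts || {};
  for (const [path, node] of Object.entries(lock.packages)) {
    if (path === "" || !node.hasInstallScript) continue;
    const name = nameFromPath(path);
    result[evaluate(policy, name, node.version, node.resolved)].push(`${name}@${node.version}`);
  }
  return result;
}

console.log(JSON.stringify(auditAllowScripts(packageJson, packageLock), null, 2));
```

Running it shows esbuild pending even though it has an entry, because the installed 0.21.0 falls outside the declared 0.19 || 0.20; bcrypt pending despite a matching pin, because without a resolved URL the version cannot be verified; and node-gyp-build denied regardless of any other entry.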
Examples

# Approve all currently-installed install scripts after reviewing them
npm approve-scripts --all
# Approve specific packages, pinned to their installed version
npm approve-scripts canvas sharp
# Approve name-only (any version of this package is allowed)
npm approve-scripts --no-allow-scripts-pin canvas
# Preview which packages still need review
npm approve-scripts --allow-scripts-pending
Configuration
all

Show or act on all packages, not just the ones your project directly depends on. For npm outdated and npm ls this lists every outdated or installed package. For npm approve-scripts and npm deny-scripts it selects every package with pending install scripts.

allow-scripts-pending

List packages with install scripts that are not yet covered by the allowScripts policy, without modifying package.json. Only meaningful for npm approve-scripts.

allow-scripts-pin

Write pinned (pkg@version) entries when approving install scripts. Set to false to write name-only entries that allow any version. Has no effect on npm deny-scripts, which always writes name-only entries regardless of this setting.

json

Whether or not to output JSON data, rather than the normal output. In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json. Not supported by all npm commands.
See Also