npm-deny-scripts

Deny install scripts for specific dependencies


Synopsis

npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all

Note: This command is unaware of workspaces.

Description

The companion command to npm approve-scripts. Writes false entries into the allowScripts field of your project's package.json, recording that a dependency must not run install scripts even if a future version would otherwise be eligible.

In the current release, install scripts still run by default, so deny-scripts only affects how installs of denied packages are reported. A future release will block unreviewed install scripts and respect deny entries at install time.

npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all

<pkg> matches every installed version of that package. Deny entries are always written name-only ("pkg": false), regardless of --allow-scripts-pin. Pinning a deny to a specific version would silently re-allow script execution for any other version of that package, which defeats the purpose; the command picks the safer default for you.

--all denies every package that has unreviewed install scripts.

If a true (pinned or name-only) entry exists for a package and you then deny it, the existing allow entries are removed so the name-only deny is unambiguous.

Examples

# Deny a specific package outright
npm deny-scripts telemetry-pkg
# Deny everything that has install scripts and isn't already approved
npm deny-scripts --all

Configuration

all

  • Default: false
  • Type: Boolean

Show or act on all packages, not just the ones your project directly depends on. For npm outdated and npm ls this lists every outdated or installed package. For npm approve-scripts and npm deny-scripts it selects every package with pending install scripts.

allow-scripts-pending

  • Default: false
  • Type: Boolean

List packages with install scripts that are not yet covered by the allowScripts policy, without modifying package.json. Only meaningful for npm approve-scripts.

allow-scripts-pin

  • Default: true
  • Type: Boolean

Write pinned (pkg@version) entries when approving install scripts. Set to false to write name-only entries that allow any version. Has no effect on npm deny-scripts, which always writes name-only entries regardless of this setting.
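The following is an added example, not npm's own code, that models the allowScripts policy semantics described on this page (the Description section's deny rules plus the allow-scripts-pending and allow-scripts-pin options) on a plain package.json object. The function names, the shape of the `installed` list and the rule that a name-only `false` entry wins over any leftover pinned `true` entry are assumptions made for the illustration; the sample packages and versions are constructed.

```javascript
// Added example (not npm's own implementation): a small model of the
// allowScripts policy rules documented for `npm approve-scripts` and
// `npm deny-scripts`. Helper names and the `installed` shape are assumed.

// Split an allowScripts key into name and optional pinned version.
// Scoped names start with '@', so search for the separator from index 1.
function parseKey(key) {
  const at = key.indexOf('@', 1);
  return at === -1
    ? { name: key, version: null }
    : { name: key.slice(0, at), version: key.slice(at + 1) };
}

// Evaluate the policy for one installed package@version.
// Returns 'denied', 'allowed' or 'pending' (not yet reviewed).
// Assumption: a name-only deny wins over any pinned allow entry.
function scriptsDecision(allowScripts, name, version) {
  const policy = allowScripts || {};
  if (policy[name] === false) return 'denied';                 // name-only deny
  if (policy[name] === true) return 'allowed';                 // name-only allow
  if (policy[`${name}@${version}`] === true) return 'allowed'; // pinned allow
  return 'pending';
}

// `npm deny-scripts <pkg> ...`: always a name-only `false` entry, whatever
// allow-scripts-pin says; existing true entries for the package (pinned or
// name-only) are removed so the deny is unambiguous.
function denyScripts(pkgJson, names) {
  const policy = { ...(pkgJson.allowScripts || {}) };
  for (const name of names) {
    for (const key of Object.keys(policy)) {
      if (parseKey(key).name === name) delete policy[key];
    }
    policy[name] = false;
  }
  return { ...pkgJson, allowScripts: policy };
}

// `npm approve-scripts <pkg> ...`: pinned (pkg@version) entries by default,
// name-only entries when allow-scripts-pin is false.
function approveScripts(pkgJson, installed, names, { pin = true } = {}) {
  const policy = { ...(pkgJson.allowScripts || {}) };
  for (const name of names) {
    const dep = installed.find((d) => d.name === name);
    if (!dep) throw new Error(`${name} is not installed`);
    policy[pin ? `${name}@${dep.version}` : name] = true;
  }
  return { ...pkgJson, allowScripts: policy };
}

// `--allow-scripts-pending`: installed packages that have install scripts
// and are not yet covered by the policy (the set that `--all` acts on).
function pendingScripts(pkgJson, installed) {
  return installed
    .filter((d) => d.hasInstallScript)
    .filter((d) => scriptsDecision(pkgJson.allowScripts, d.name, d.version) === 'pending')
    .map((d) => `${d.name}@${d.version}`);
}

// Constructed sample data, not taken from a real project.
const installed = [
  { name: 'esbuild', version: '0.21.0', hasInstallScript: true },
  { name: 'telemetry-pkg', version: '2.3.1', hasInstallScript: true },
  { name: '@scope/native-addon', version: '1.0.0', hasInstallScript: true },
  { name: 'lodash', version: '4.17.21', hasInstallScript: false },
];
const pkgJson = { name: 'demo', allowScripts: { 'telemetry-pkg@2.3.1': true } };

// Walk-through: approve esbuild (pinned), deny telemetry-pkg (its pinned
// allow entry is dropped), then deny whatever is still pending (`--all`).
const step1 = approveScripts(pkgJson, installed, ['esbuild']);
const step2 = denyScripts(step1, ['telemetry-pkg']);
const step3 = denyScripts(
  step2,
  pendingScripts(step2, installed).map((k) => parseKey(k).name),
);

console.log(JSON.stringify(step3.allowScripts, null, 2));
```

Running the walk-through ends with esbuild pinned to 0.21.0, telemetry-pkg and @scope/native-addon denied by name, and lodash untouched because it has no install script. Note that approving esbuild pinned leaves a later esbuild version in the `pending` state, which is the point of the pin default: a new version has to be reviewed again before its scripts are approved.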

json

  • Default: false
  • Type: Boolean

Whether or not to output JSON data, rather than the normal output.

  • In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json.

Not supported by all npm commands.

See Also