npm-install-scripts

Manage install-script approvals for dependencies

Synopsis

npm install-scripts approve <pkg> [<pkg> ...]
npm install-scripts approve --all
npm install-scripts deny <pkg> [<pkg> ...]
npm install-scripts deny --all
npm install-scripts ls
npm install-scripts prune

Note: This command is unaware of workspaces.

Description

Manages the allowScripts field in your project's package.json, which records which of your dependencies are permitted to run install scripts (preinstall, install, postinstall, and prepare for non-registry sources). This is the recommended way to maintain that field.

Dependency install scripts are blocked by default. Install commands silently skip lifecycle scripts for any dependency that does not have a matching entry in allowScripts, and end with a list of the packages whose scripts were skipped so you can review them here.

This command only works inside a project that has a package.json. Running it with --global (-g) fails with an EGLOBAL error, since global installs (npm install -g) and one-off executions (npm exec / npx) have no project package.json to write to. To allow install scripts in those contexts, use the --allow-scripts flag at install time (for example npm install -g --allow-scripts=canvas,sharp) or persist the setting with npm config set allow-scripts=canvas,sharp --location=user.

There are four subcommands:

npm install-scripts approve <pkg> [<pkg> ...]
npm install-scripts approve --all
npm install-scripts deny <pkg> [<pkg> ...]
npm install-scripts deny --all
npm install-scripts ls
npm install-scripts prune

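approve allows install scripts to run for the named packages. <pkg> matches every installed version of that package. By default it writes pinned entries (pkg@1.2.3), which limit the approval to the exact versions you have reviewed. Pass --no-allow-scripts-pin to write name-only entries that allow any future version. --all approves every package with unreviewed install scripts at once.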

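deny records an explicit denial for the named packages (a name-only false entry). The denial persists across npm install-scripts approve --all and keeps the package out of any future blanket approval. --all denies every package with unreviewed install scripts.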

ls is read-only: it lists every package whose install scripts are not yet covered by allowScripts, without modifying package.json.

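prune removes allowScripts entries that no longer match an installed package with install scripts, either because the package is no longer installed (a transitive dependency changed, or a pinned pkg@1.2.3 was upgraded) or because it no longer has install scripts. Both approvals (true) and denials (false) are removed. It only edits the allowScripts field in package.json, never .npmrc or --allow-scripts. Pass --dry-run to preview without writing. Keys that cannot be parsed are left unchanged.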

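approve follows an asymmetric pinning rule: if you re-approve a package whose installed version has changed, the existing pin is rewritten to track the newly installed version. Multi-version declarations (pkg@1 || 2) are left unchanged, because they most likely capture intent the command cannot infer. An existing false entry always wins; approve does not silently re-allow a package you previously denied.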
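
A review-time check for the pinning and denial rules described above, as an added example that is not part of npm or of the original page: it flags approvals that cover more than one reviewed version. It assumes allowScripts is an object whose keys are a package name or name@version and whose values are true or false, as the entries described on this page suggest; parseKey and auditAllowScripts are hypothetical names.

```javascript
// Assumption: allowScripts maps "<name>" or "<name>@<version or range>" keys to true/false.
// parseKey and auditAllowScripts are hypothetical helper names, not npm APIs.

// Split a key into name and version spec, keeping the leading "@" of scoped names.
function parseKey(key) {
  const at = key.indexOf('@', 1); // start at 1 so "@scope/pkg" stays intact
  const name = at === -1 ? key : key.slice(0, at);
  const spec = at === -1 ? null : key.slice(at + 1).trim();
  if (!name || name === '@' || spec === '') return null; // unparseable key
  return { name, spec };
}

// A single exact version such as 1.2.3 or 1.2.3-beta.1; anything else is treated as a range.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function auditAllowScripts(pkgJson) {
  const entries = Object.entries(pkgJson.allowScripts || {});
  const denied = new Set(); // names that carry an explicit false entry
  for (const [key, value] of entries) {
    const parsed = parseKey(key);
    if (parsed && value === false) denied.add(parsed.name);
  }
  const findings = [];
  for (const [key, value] of entries) {
    const parsed = parseKey(key);
    if (!parsed) { findings.push({ key, issue: 'unparseable' }); continue; }
    if (typeof value !== 'boolean') { findings.push({ key, issue: 'non-boolean' }); continue; }
    if (value === false) continue; // a denial keeps scripts blocked, nothing to flag
    if (denied.has(parsed.name)) findings.push({ key, issue: 'conflicts-with-deny' });
    else if (parsed.spec === null) findings.push({ key, issue: 'unpinned-approval' });
    else if (!EXACT.test(parsed.spec)) findings.push({ key, issue: 'range-approval' });
  }
  return findings;
}

// Constructed sample package.json content (not from a real project).
const samplePkg = {
  name: 'demo-app',
  allowScripts: {
    'canvas@2.11.2': true,        // pinned to one reviewed version: no finding
    'sharp': true,                // name-only: any future version may run scripts
    '@scope/native@1 || 2': true, // multi-version declaration
    'telemetry-pkg': false,       // explicit denial
    'telemetry-pkg@3.0.0': true,  // approval for a name that is also denied
    '@': true,                    // key with no package name
  },
};

console.log(auditAllowScripts(samplePkg));
```

Run against the parsed contents of a real package.json, a non-empty result is a prompt to re-review those entries before the change is merged.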

The standalone commands npm approve-scripts and npm deny-scripts are aliases for npm install-scripts approve and npm install-scripts deny.

Examples

# Approve all currently-installed install scripts after reviewing them
npm install-scripts approve --all
# Approve specific packages, pinned to their installed version
npm install-scripts approve canvas sharp
# Deny a package so it stays blocked
npm install-scripts deny telemetry-pkg
# Preview which packages still need review
npm install-scripts ls
# Preview stale allowScripts entries, then remove them
npm install-scripts prune --dry-run
npm install-scripts prune

Configuration

all

  • Default: false
  • Type: Boolean

Show or act on all packages, not just the ones your project directly depends on. For npm outdated and npm ls this lists every outdated or installed package. For npm approve-scripts and npm deny-scripts it selects every package with pending install scripts.

allow-scripts-pin

  • Default: true
  • Type: Boolean

Write pinned (pkg@version) entries when approving install scripts. Set to false to write name-only entries that allow any version. Has no effect on npm deny-scripts, which always writes name-only entries regardless of this setting.

dry-run

  • Default: false
  • Type: Boolean

Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, e.g., install, update, dedupe, uninstall, as well as pack and publish.

Note: This is NOT honored by other network related commands, e.g., dist-tags, owner, etc.

json

  • Default: false
  • Type: Boolean

Whether or not to output JSON data, rather than the normal output.

  • In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json.

Not supported by all npm commands.

See Also