Use ignore-scripts setting from .npmrc #3063
Comments
Does it not work if you set it via
Yes, it does not work
any update on this?
I cannot reproduce the issue. I created a package.json with this content:
{
  "scripts": {
    "postinstall": "touch postinstall"
  }
}
ignore-scripts=true
When I run
If I'm reading NPM's docs on lifecycle scripts1 right (assuming you're aiming for parity), the Their docs are a bit confusing though, and there also seem to exist some edge-cases.
I'd also like to see this implemented
It works IIRC, see #4649
I just tried and it still runs Specifically, I'm installing deps for a project that uses Husky, and I'm seeing it trigger
the paint text is
I'd love to see this officially supported. It appears to be working and just needs to be documented. A review that this works by a couple of people would help. However, when I looked at this what I really wanted wasn't to ignore scripts, but to download first with the network connected and then install them with the network disconnected. It looks like that should work with pnpm fetch! This is good because some packages need to run postinstall scripts, maybe including ones I may work on soon. For instance, compiling code to webassembly would be a good use - so you don't have to trust a binary blob. Reproducible builds is another way to fix this but each has its pros/cons.
Would be great to have something like this so I can finally get past the virus protection alerts and endless install and pipeline failures due to the transient es5-ext package that is unfortunately present on a few dependencies on account of the ass-clown repository owner slapping some post install protestware into his package and vehemently refusing to remove it. Would be even better if there was a way to declare which packages to prevent scripts run against, but I'll settle for this as a win...
Refs: pnpm/pnpm#3063 Refs: https://docs.npmjs.com/cli/v9/using-npm/config#ignore-scripts Signed-off-by: Derek Lewis <dereknongeneric@open.inf.is>
I would also like the ability to allow-list certain packages. For example, node-pty
npm issue: npm/rfcs#325
Fwiw the flag does exist in the pnpm npmrc page. I assume it works now?
It would be very convenient if pnpm would respect an ignore-scripts=true config in .npmrc so that it's no longer necessary to use the --ignore-scripts flag all the time when installing deps.

This setting is also not listed in pnpm's npmrc docs[1]. Makes me wonder if there is any particular reason for ignoring it that might prevent this from being implemented.

1: https://pnpm.js.org/en/npmrc
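
Added example, not part of the original thread and not pnpm's or npm's own code: a small check that reads .npmrc text for the ignore-scripts setting discussed here and splits dependencies that declare install-time lifecycle hooks into allow-listed and unreviewed, in the spirit of the allow-list request above. The function names, the allow-list, and the sample manifests and script commands are constructed for illustration; the reader handles only plain key=value lines.

```javascript
// Added example. parseNpmrc, ignoreScriptsEnabled and auditInstallScripts are
// hypothetical helper names, not part of pnpm or npm.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Minimal .npmrc reader: key=value lines, '#' and ';' comments, last value wins.
// Assumption: no quoting, sections or ${ENV} expansion are handled.
function parseNpmrc(text) {
  const config = Object.create(null); // no prototype, so odd keys cannot clash
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

function ignoreScriptsEnabled(npmrcText) {
  return parseNpmrc(npmrcText)["ignore-scripts"] === "true";
}

// Report every manifest that declares an install-time hook, split by allow-list.
function auditInstallScripts(manifests, allowList) {
  const allowed = new Set(allowList);
  const report = { allowed: [], unreviewed: [] };
  for (const m of manifests) {
    const scripts = m.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length === 0) continue; // test/build scripts do not run on install
    const bucket = allowed.has(m.name) ? report.allowed : report.unreviewed;
    bucket.push({ name: m.name, hooks });
  }
  return report;
}

// Constructed sample input: the script commands are placeholders.
const sampleNpmrc = "; project config\nignore-scripts=true\n";
const sampleManifests = [
  { name: "node-pty", scripts: { install: "node build.js" } },
  { name: "es5-ext", scripts: { postinstall: "node notice.js" } },
  { name: "plain-lib", scripts: { test: "node test.js" } },
  { name: "no-scripts-pkg" },
];

const report = auditInstallScripts(sampleManifests, ["node-pty"]);
console.log("ignore-scripts set:", ignoreScriptsEnabled(sampleNpmrc));
console.log(JSON.stringify(report, null, 2));
```
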