Use ignore-scripts setting from .npmrc #3063

Open
pcjmfranken opened this issue Jan 11, 2021 · 14 comments

@pcjmfranken

pcjmfranken commented Jan 11, 2021

It would be very convenient if pnpm would respect an ignore-scripts=true config in .npmrc so that it's no longer necessary to use the --ignore-scripts flag all the time when installing deps.

This setting is also not listed in pnpm's npmrc docs[1]. Makes me wonder if there is any particular reason for ignoring it that might prevent this from being implemented.

1: https://pnpm.js.org/en/npmrc

@zkochan
Member

zkochan commented Jan 11, 2021

Does it not work if you set it via .npmrc?

@Jack-Works
Member

Yes, it does not work

@sbonasu

sbonasu commented Apr 7, 2022

any update on this?

@zkochan
Member

zkochan commented Apr 8, 2022

I cannot reproduce the issue.

I created a package.json with this content:

{
  "scripts": {
    "postinstall": "touch postinstall"
  }
}

.npmrc in the same folder:

ignore-scripts=true

When I run pnpm install, I see:

Already up-to-date

When I run pnpm i --no-ignore-scripts, I see:

Already up-to-date

> @ postinstall /home/zoltan/src/sandbox/3063
> touch postinstall

@pcjmfranken
Author

pcjmfranken commented Apr 12, 2022

If I'm reading NPM's docs on lifecycle scripts[1] right (assuming you're aiming for parity), the postinstall script listed in "Project A" is only executed when you install "Project A" as a dependency in "Project B", but not when you run npm install to install "Project A"'s local deps.

Their docs are a bit confusing though, and there also seem to exist some edge-cases.

Footnotes

  1. https://docs.npmjs.com/cli/v8/using-npm/scripts

@craig-jennings

I'd also like to see this implemented

@Jack-Works
Member

It works IIRC, see #4649

@craig-jennings

craig-jennings commented May 12, 2022

I just tried and it still runs postinstall scripts even with ignore-scripts=true in my .npmrc file.

Specifically, I'm installing deps for a project that uses Husky, and I'm seeing it trigger husky prepare when I run pnpm install, but it does not run that command when I do pnpm install --ignore-scripts.

@lianghx-319

> I just tried and it still runs postinstall scripts even with ignore-scripts = true in my .npmrc file.
>
> Specifically, I'm installing deps for a project that uses Husky, and I'm seeing it trigger husky prepare when I run pnpm install, but it does not run that command when I do pnpm install --ignore-scripts.

The plain text is ignore-scripts = true? I think you can try removing the spaces, like this: ignore-scripts=true

@benatkin

benatkin commented Feb 6, 2023

I'd love to see this officially supported. It appears to be working and just needs to be documented. A review that this works by a couple of people would help.

However, when I looked at this what I really wanted wasn't to ignore scripts, but to download first with the network connected and then install them with the network disconnected. It looks like that should work with pnpm fetch!

https://pnpm.io/cli/fetch

This is good because some packages need to run postinstall scripts, maybe including ones I may work on soon. For instance, compiling code to WebAssembly would be a good use, so you don't have to trust a binary blob. Reproducible builds are another way to fix this, but each has its pros/cons.

@binaryartifex

Would be great to have something like this so I can finally get past the virus protection alerts and endless install and pipeline failures due to the transient es5-ext package that is unfortunately present on a few dependencies on account of the ass-clown repository owner slapping some post install protestware into his package and vehemently refusing to remove it. Would be even better if there was a way to declare which packages to prevent scripts from running against, but I'll settle for this as a win...

medikoo/es5-ext#186

DerekNonGeneric added a commit to OpenINF/.github that referenced this issue Feb 25, 2023
DerekNonGeneric added a commit to OpenINF/.github that referenced this issue Feb 26, 2023
DerekNonGeneric added a commit to OpenINF/.github that referenced this issue Feb 27, 2023
@NullVoxPopuli
Contributor

I would also like the ability to allow-list certain packages.

For example, node-pty

@benatkin

> I would also like the ability to allow-list certain packages.

npm issue: npm/rfcs#325
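
Added example, not part of the thread and not pnpm's or npm's code: a Node.js scan that lists which installed dependencies declare install-time lifecycle scripts (preinstall, install, postinstall), i.e. what ignore-scripts would skip, checked against a hypothetical allow-list of the kind requested above. The function names, the allow-list parameter and the sample packages are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Lifecycle hooks that run when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Walk a node_modules tree and collect packages that declare install hooks.
// Symlinks are not followed, so a linked layout is not visited twice.
// allowList is a hypothetical list of package names permitted to run scripts.
function findInstallScripts(root, allowList = []) {
  const found = [];
  const walk = (dir) => {
    const manifest = path.join(dir, 'package.json');
    if (dir !== root && fs.existsSync(manifest)) {
      let pkg = null;
      try { pkg = JSON.parse(fs.readFileSync(manifest, 'utf8')); } catch { /* unreadable manifest */ }
      const scripts = (pkg && pkg.scripts) || {};
      const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
      if (pkg && pkg.name && hooks.length > 0) {
        found.push({ name: pkg.name, hooks, allowed: allowList.includes(pkg.name) });
      }
    }
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (entry.isDirectory()) walk(path.join(dir, entry.name));
    }
  };
  walk(root);
  return found.sort((a, b) => (a.name < b.name ? -1 : 1));
}

// Constructed sample tree: one package without hooks, two with hooks.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'nm-scan-'));
  const pkgs = {
    'node_modules/plain-lib': { name: 'plain-lib', scripts: { test: 'node test.js' } },
    'node_modules/native-addon': { name: 'native-addon', scripts: { install: 'node build.js' } },
    'node_modules/@scope/noisy': { name: '@scope/noisy', scripts: { postinstall: 'node banner.js' } },
  };
  for (const [dir, pkg] of Object.entries(pkgs)) {
    fs.mkdirSync(path.join(root, dir), { recursive: true });
    fs.writeFileSync(path.join(root, dir, 'package.json'), JSON.stringify(pkg));
  }
  return path.join(root, 'node_modules');
}

for (const p of findInstallScripts(buildSampleTree(), ['native-addon'])) {
  console.log(`${p.allowed ? 'allow' : 'BLOCK'} ${p.name}: ${p.hooks.join(', ')}`);
}
```

Pointing `findInstallScripts` at a real project's node_modules directory shows which dependencies would stop running code at install time once scripts are ignored, and which ones would need an exception.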

@MrHBS

MrHBS commented Nov 17, 2023

Fwiw the flag does exist in the pnpm npmrc page. I assume it works now?
