npm-approve-scripts

Approve install scripts for specific dependencies


Synopsis

npm approve-scripts <pkg> [<pkg> ...]
npm approve-scripts --all
npm approve-scripts --allow-scripts-pending

Note: This command is unaware of workspaces.

Description

Manages the allowScripts field in your project's package.json, which records which of your dependencies are permitted to run install scripts (preinstall, install, postinstall, and prepare for non-registry sources). This command is the recommended way to maintain that field.

In the current release, this field is advisory: install scripts still run by default, but installs print a list of packages whose scripts have not been reviewed. A future release will block unreviewed install scripts.

There are three modes:

npm approve-scripts <pkg> [<pkg> ...]
npm approve-scripts --all
npm approve-scripts --allow-scripts-pending

<pkg> matches every installed version of that package. By default the command writes pinned entries (pkg@1.2.3), which keep the approval narrowed to the specific version you reviewed, so a later upgrade of that package shows up as unreviewed again. Pass --no-allow-scripts-pin to write name-only entries that allow any future version of the package without further review.

--all approves every package with unreviewed install scripts in one go.

--allow-scripts-pending is read-only: it lists every package whose install scripts are not yet covered by allowScripts, without modifying package.json.

approve-scripts follows the asymmetric pin rule: if you re-approve a package whose installed version has changed, the existing pin is rewritten to track the new installed version. Multi-version statements (pkg@1 || 2) are left alone, since they likely capture intent that the command cannot infer. Entries set to false always win: approve-scripts will not silently re-allow a package you previously denied.
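As an added example (not npm's own code), the following Node.js script models the bookkeeping described above: it reads an allowScripts object and a lockfile, reports the packages still pending review (what --allow-scripts-pending prints), and applies the pin, pin-rewrite, multi-version and false rules when approving. It assumes that allowScripts is an object whose keys are the entries described on this page (name or name@version, with || for multi-version statements) and whose values are true or false, that packages with install scripts carry "hasInstallScript": true in a lockfile-v3 "packages" map, and it uses a deliberately simplified version matcher (exact version or bare major only). The sample package.json and package-lock.json are constructed.

```javascript
// Added example, not npm's own implementation. Models the allowScripts
// bookkeeping over constructed sample data.
//
// Assumptions: allowScripts is an object keyed by "name" or "name@version"
// (with "||" for multi-version statements) whose values are true or false;
// packages with install scripts carry "hasInstallScript": true in a
// lockfile-v3 "packages" map; version matching is simplified to an exact
// version or a bare major such as "1".

// Constructed sample package.json and package-lock.json (not real projects).
const samplePkg = {
  name: "app",
  allowScripts: { "sharp@0.33.4": true, esbuild: false },
};
const sampleLock = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/canvas": { version: "2.11.2", hasInstallScript: true },
    "node_modules/sharp": { version: "0.33.5", hasInstallScript: true },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/vite/node_modules/esbuild": { version: "0.19.0", hasInstallScript: true },
  },
};

const EXACT = /^\d+\.\d+\.\d+$/;

// "@scope/pkg@1.2.3" -> { name: "@scope/pkg", spec: "1.2.3" }; "pkg" -> spec null.
function splitEntry(key) {
  const at = key.lastIndexOf("@");
  return at > 0
    ? { name: key.slice(0, at), spec: key.slice(at + 1).trim() }
    : { name: key, spec: null };
}

function specMatches(spec, version) {
  if (spec === null) return true; // name-only entry covers every version
  return spec.split("||").some((part) => {
    part = part.trim();
    if (EXACT.test(part)) return part === version;
    return /^\d+$/.test(part) && version.split(".")[0] === part; // simplified semver
  });
}

// name -> Set of installed versions whose install scripts would run
function installedWithScripts(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!path || !meta.hasInstallScript) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(meta.version);
  }
  return out;
}

// "allowed", "denied" or "pending" for one installed name@version.
function status(allowScripts, name, version) {
  let result = "pending";
  for (const [key, value] of Object.entries(allowScripts)) {
    const e = splitEntry(key);
    if (e.name !== name || !specMatches(e.spec, version)) continue;
    if (value === false) return "denied"; // a false entry always wins
    result = "allowed";
  }
  return result;
}

// Equivalent of --allow-scripts-pending: read-only list of uncovered packages.
function pendingScripts(pkg, lock) {
  const out = [];
  for (const [name, versions] of installedWithScripts(lock)) {
    for (const v of versions) {
      if (status(pkg.allowScripts || {}, name, v) === "pending") out.push(`${name}@${v}`);
    }
  }
  return out.sort();
}

// Returns a new package.json object; never mutates the input.
function approveScripts(pkg, lock, targets, { all = false, pin = true } = {}) {
  const allow = { ...(pkg.allowScripts || {}) };
  const installed = installedWithScripts(lock);
  const names = all
    ? [...new Set(pendingScripts(pkg, lock).map((s) => splitEntry(s).name))]
    : targets;
  for (const name of names) {
    const versions = installed.get(name);
    if (!versions) continue; // not installed, or has no install scripts
    const own = Object.keys(allow).filter((k) => splitEntry(k).name === name);
    if (own.some((k) => allow[k] === false)) continue; // never re-allow a denial
    if (own.some((k) => (splitEntry(k).spec || "").includes("||"))) continue; // leave pkg@1 || 2 alone
    if (!pin) { allow[name] = true; continue; } // name-only: any future version
    if (own.includes(name)) continue; // already covered by a name-only entry
    // Asymmetric pin rule: drop pins for versions no longer installed, pin each installed one.
    for (const k of own) if (!versions.has(splitEntry(k).spec)) delete allow[k];
    for (const v of versions) allow[`${name}@${v}`] = true;
  }
  return { ...pkg, allowScripts: allow };
}

console.log("pending:", pendingScripts(samplePkg, sampleLock));
console.log("after approve sharp:", approveScripts(samplePkg, sampleLock, ["sharp"]).allowScripts);
```

Run with node; the first line lists canvas@2.11.2 and sharp@0.33.5 as pending (esbuild is covered by its false entry), and the second shows the stale sharp@0.33.4 pin rewritten to the installed 0.33.5.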

Examples

# Approve all currently-installed install scripts after reviewing them
npm approve-scripts --all
# Approve specific packages, pinned to their installed version
npm approve-scripts canvas sharp
# Approve name-only (any version of this package is allowed)
npm approve-scripts --no-allow-scripts-pin canvas
# Preview which packages still need review
npm approve-scripts --allow-scripts-pending

Configuration

all

  • Default: false
  • Type: Boolean

When running npm outdated and npm ls, setting --all will show all outdated or installed packages, rather than only those directly depended upon by the current project. For npm approve-scripts, --all approves every package with unreviewed install scripts.

allow-scripts-pending

  • Default: false
  • Type: Boolean

List packages with install scripts that are not yet covered by the allowScripts policy, without modifying package.json. Only meaningful for npm approve-scripts.

allow-scripts-pin

  • Default: true
  • Type: Boolean

Write pinned (pkg@version) entries when approving install scripts. Set to false to write name-only entries that allow any version. Has no effect on npm deny-scripts, which always writes name-only entries regardless of this setting.

json

  • Default: false
  • Type: Boolean

Whether or not to output JSON data, rather than the normal output.

  • In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json.

Not supported by all npm commands.

See Also