npm-deny-scripts

Deny install scripts for specific dependencies

Synopsis

npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all

Note: This command is unaware of workspaces.

Description

The companion command to npm approve-scripts. Writes false entries into the allowScripts field of your project's package.json, recording that a dependency must not run install scripts even if a future version would otherwise be eligible.

In the current release, install scripts still run by default, so deny-scripts only affects how installs of denied packages are reported. A future release will block unreviewed install scripts and respect deny entries at install time.

npm deny-scripts <pkg> [<pkg> ...]
npm deny-scripts --all

<pkg> matches every installed version of that package. Denies are always written name-only ("pkg": false), regardless of --allow-scripts-pin. Pinning a deny to a specific version would silently re-allow scripts for any other version of the same package, which defeats the purpose; the command picks the safer default for you.

--all denies every package with unreviewed install scripts.

If a true (pinned or name-only) entry exists for a package and you then deny it, the existing allow entries are removed so the name-only deny is unambiguous.
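
The policy rules described above (denies are always name-only, allows may be pinned `pkg@version` or name-only, and denying a package removes its existing allow entries) modelled as an added JavaScript example. This is illustration code written for this page, not npm's implementation: the `splitSpec`, `denyScripts`, `resolve` and `denyAll` helpers, the `{ name, version, hasInstallScripts }` record shape, the treatment of "no matching entry" as unreviewed, and the sample policy and package names (other than `telemetry-pkg`, which appears in the page's own example) are all assumptions constructed here.

```javascript
// Added illustration of the allowScripts policy semantics described on this
// page. It is NOT npm's code; the helper names and data shapes are assumptions.

// Split "name@version" into [name, version]. Scoped names keep their leading "@",
// so only an "@" past position 0 separates name from version.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return [spec, null]; // name-only entry
  return [spec.slice(0, at), spec.slice(at + 1)];
}

// Deny: write a name-only `false` entry and drop every allow entry (name-only
// or pinned) for the same package so the deny is unambiguous. The input policy
// object is not mutated; a new one is returned.
function denyScripts(allowScripts, names) {
  const policy = { ...allowScripts };
  for (const name of names) {
    for (const key of Object.keys(policy)) {
      if (splitSpec(key)[0] === name) delete policy[key];
    }
    policy[name] = false;
  }
  return policy;
}

// Verdict for one installed package version under the policy (assumed model):
//   'denied'     -> a name-only false entry covers every version of the package
//   'allowed'    -> a name-only true entry, or a pin matching exactly this version
//   'unreviewed' -> no entry speaks to this package/version
function resolve(allowScripts, name, version) {
  if (allowScripts[name] === false) return 'denied';
  if (allowScripts[name] === true) return 'allowed';
  if (allowScripts[`${name}@${version}`] === true) return 'allowed';
  return 'unreviewed';
}

// Model of --all: deny every installed package that has install scripts and is
// still unreviewed under the current policy.
function denyAll(allowScripts, installed) {
  const targets = installed
    .filter((p) => p.hasInstallScripts && resolve(allowScripts, p.name, p.version) === 'unreviewed')
    .map((p) => p.name);
  return denyScripts(allowScripts, targets);
}

// Constructed sample policy (as it would sit under "allowScripts" in package.json)
// and a constructed install tree. None of these are real packages.
const samplePolicy = {
  'build-tool@3.0.0': true,          // pinned allow: covers only 3.0.0
  'telemetry-pkg': true,             // name-only allow that a deny must remove
  '@acme/native-addon@2.1.0': true,  // pinned allow on a scoped package
};
const sampleInstalled = [
  { name: 'build-tool', version: '3.0.0', hasInstallScripts: true },
  { name: 'telemetry-pkg', version: '1.0.0', hasInstallScripts: true },
  { name: 'pure-js-lib', version: '1.3.0', hasInstallScripts: false }, // no scripts: ignored by --all
  { name: '@acme/native-addon', version: '2.1.0', hasInstallScripts: true },
  { name: 'unreviewed-helper', version: '0.1.0', hasInstallScripts: true }, // no entry: --all denies it
];

// Run the two page examples against the sample data and return both policies.
function demo() {
  const afterDeny = denyScripts(samplePolicy, ['telemetry-pkg']); // npm deny-scripts telemetry-pkg
  const afterDenyAll = denyAll(afterDeny, sampleInstalled);        // npm deny-scripts --all
  return { afterDeny, afterDenyAll };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `resolve` helper makes the page's reasoning concrete: a pin such as `build-tool@3.0.0` says nothing about `build-tool@3.1.0`, so a deny written in pinned form would leave every other version of the package outside the policy; writing the deny name-only is what closes that gap.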

Examples

# Deny a specific package outright
npm deny-scripts telemetry-pkg
# Deny everything that has install scripts and isn't already approved
npm deny-scripts --all

Configuration

all

  • Default: false
  • Type: Boolean

When running npm outdated and npm ls, setting --all will show all outdated or installed packages, rather than only those directly depended upon by the current project.

allow-scripts-pending

  • Default: false
  • Type: Boolean

List packages with install scripts that are not yet covered by the allowScripts policy, without modifying package.json. Only meaningful for npm approve-scripts.

allow-scripts-pin

  • Default: true
  • Type: Boolean

Write pinned (pkg@version) entries when approving install scripts. Set to false to write name-only entries that allow any version. Has no effect on npm deny-scripts, which always writes name-only entries regardless of this setting.

json

  • Default: false
  • Type: Boolean

Whether or not to output JSON data, rather than the normal output.

  • In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json.

Not supported by all npm commands.

See Also