[BUG] "npm approve-scripts --allow-scripts-pending" shows approved depdencies

[calle2010]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

This is not just a request to bump a dependency for a CVE

• This is not solely a request to bump a dependency for a CVE

Current Behavior

I run npm 11.17.0

I have added this to package.json:

    "allowScripts": {
        "esbuild@0.21.5": true,
        "@sap/hana-client@2.23.27": true,
        "esbuild@0.25.0": true,
        "protobufjs@8.4.2": true,
        "mbt@1.2.27": true,
        "protobufjs@7.6.1": true,
        "sqlite3@5.1.7": true,
        "xsd-schema-validator@0.11.0": true
    }

The output of "--allow-scripts-pending" is:

$ npm approve-scripts --allow-scripts-pending
5 packages have install scripts not yet covered by allowScripts:
  @sap/hana-client@2.23.27 (install: node checkbuild.js)
  esbuild@0.25.0 (postinstall: node install.js)
  mbt@1.2.27 (install: node install cloud-mta-build-tool)
  sqlite3@5.1.7 (install: node-gyp rebuild)
  xsd-schema-validator@0.11.0 (postinstall: node ./lib/post-install.js)

Run `npm approve-scripts <pkg>` to allow, or `npm deny-scripts <pkg>` to deny.

The same output appears for "npm install" or "npm ci".

When I remove the allowScripts section and run npm approve-scripts --all, only three packages are added to package.json:

$ npm approve-scripts --all
Approved esbuild:
  added esbuild@0.21.5
Approved protobufjs:
  added protobufjs@8.4.2
  added protobufjs@7.6.1

This is in a workspace root. For the omitted dependencies I can see no clear picture: devDependencies from root, devDependencies from workspaces, prod dependencies from workspaces.

Expected Behavior

• npm approve-scripts --allow-scripts-pending should not list already approved dependencies
• npm approve-scripts --all should add all listed dependencies to allowScripts in package.json

Environment

• npm: 11.17.0
• Node.js: 22.21.1
• OS Name: Linux
• System Model Name: x86_64 GNU/Linux
• npm config:

; "project" config from /home/wsl/git/redacted/.npmrc

engine-strict = true
min-release-age = 3

; node bin location = /home/wsl/.local/share/fnm/node-versions/v22.21.1/installation/bin/node
; node version = v22.21.1
; npm local prefix = /home/wsl/git/sol24c-main
; npm version = 11.17.0
; cwd = /home/wsl/git/redacted
; HOME = /home/wsl
; Run `npm config ls -l` to show all defaults.

[KoenDG]

I am experiencing this as well.

Node version 22.20.0
NPM version 11.17.0

Let's say I have code repo A.

The scripts that get added by npm approve-scripts --all are all scripts from dependencies directly in code repo A's package.json.

The scripts that don't get added, are from deeper down the dependency tree.

I even tested updating a dependency I control, setting the allowScripts there, publishing, then installing the new version in repo A.

Upon doing npm ci again after the install(I double checked, it's set to the new version in package.json and package-lock.json), the output list remains identical. The scripts I've allowed for the dependency I control are still listed. And I can confirm these are not themselves also direct dependencies of repo A.

So it seems there's a discrepancy between the "allow" logic for a repo, and scripts and allow logic deeper down the dependency tree.

Even if I manually add an "allowScripts" list to repo A, with the correct entries, they will still show up in the output of npm ci.

I would assume that the intended behavior is that every code project has to explicitly approve every single script, regardless of depth in the dependency tree. The whole reason this functionality came to be was malicious dependencies. So, there's no trusting the allow list of a dependency further down the tree.