@lavamoat/allow-scripts
a tool for only running dependency lifecycle hooks specified in an allowlist
add the package to start using it in your project. be sure to include the @lavamoat/ namespace in the package name
yarn add -D @lavamoat/allow-scripts
automatically generate a configuration (that skips all lifecycle scripts) and write it into package.json. edit as necessary.
yarn allow-scripts auto
configuration goes in package.json
{
"lavamoat": {
"allowScripts": {
"keccak": true,
"core-js": false
}
}
}
disable all scripts by default inside .yarnrc (yarn v1 syntax):
ignore-scripts true
or inside .npmrc (npm ini syntax):
ignore-scripts=true
consider adding @lavamoat/preinstall-always-fail to ensure you never accidentally run install scripts
yarn add -D @lavamoat/preinstall-always-fail
run all lifecycle scripts for packages specified in package.json
yarn allow-scripts
prints comprehension of configuration and dependencies with lifecycle scripts
yarn allow-scripts list
consider adding a "setup" npm script for all your post-install steps. no magic here, this is just a regular script. but using this will ensure you run your allowed scripts. it's also a good place to add other post-processing commands you use. in the future when you add additional post-processing scripts, e.g. patch-package, you can add them to this "setup" script.
you will need to make an effort to remember to run yarn setup instead of just yarn :lotus_position:
{
"scripts": {
"setup": "yarn install && yarn allow-scripts && ..."
}
}
FAQs
A tool for running only the dependency lifecycle hooks specified in an allowlist.
We found that @lavamoat/allow-scripts demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.