[BUG] `allowScripts` and its tooling ignored when `ignore-scripts=true` in `.npmrc`

[naugtur]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

With ignore-scripts=true in ~/.npmrc OR ./.npmrc - the following behavior is observed:

$ npm approve-scripts --allow-scripts-pending
No packages with unreviewed install scripts.

• no scripts can be identified or added to allowlist

$ npm ci --foreground-scripts

• no scripts run even with "allowScripts" correctly specifieed in package.json

Expected Behavior

npm approve-scripts Should list scripts pending for approval, thus enabling migration from the configuration where scritps were ignored to a configuration with an allowlist.

Should manage and execute the allowlist even if ignore-scripts=true is still set (to avoid falling back to running all scripts when npm is accidentally downgraded)

Caution

Being able to keep ignore-scripts=true in .npmrc while using the allowlist is the only way to avoid defaulting to running all install scripts whenever use of Node.js version managers or system path tweaks or adding new team members causes someone to run an older version of npm

Steps To Reproduce

1. set up the situation:

package.json

{
  "name": "test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "not-really-a-package": "^1.1.0"
  },
  "devDependencies": {
    "@lavamoat/preinstall-always-fail": "^1.0.3"
  }
}

~/.npmrc OR ./.npmrc

ignore-scripts=true

2. Attempt to manage and execute lifecycle scripts

Environment

$ npm --version
11.16.0

[naugtur]

cross-reference: https://github.com/npm/rfcs/pull/868/changes#r3333927126

[bakkot]

Should manage and execute the allowlist even if ignore-scripts=true is still set (to avoid falling back to running all scripts when npm is accidentally downgraded)

Extremely strong disagree. If I clone a random package and build with ignore-scripts=true, it should not matter what the package allowlists: I have said not to run scripts and that should take precedence. This is much more important than being defensive against having the wrong version of npm installed.

[naugtur]

Good point @bakkot

How do we then cover the fallback then?
How about a separate config field that says "I opt in to the allowlist despite having ignore-scripts in the config" that has to be in the same config file?

[bakkot]

I don't actually think it's important to cover for npm being accidentally downgraded; it is not generally practical to be defensive against running the wrong version of a command except by checking the version before running it.

I don't like the idea of a separate config field because that will have to be maintained in perpetuity (or cause breakage later) even though this is only a very temporary concern.

[bakkot]

If npmrc let you specify a minimum npm version that would address any future such issues, but I don't believe it currently does so no help for this.