[BUG] Unreviewed-scripts warning suggests `npm approve-scripts` during global installs, where it can't work

[JamieMagee]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Running a global install of a package with a postinstall script prints:

npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts:
npm warn allow-scripts   @anthropic-ai/claude-code@2.1.159 (postinstall: node install.cjs)
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.

Two problems with this in a global context:

1. The suggested command doesn't apply. npm approve-scripts manages the allowScripts field in a project package.json, and global installs have no project package.json. Internally, the package.json layer is skipped entirely when npm.global is true, so the suggested command has nothing to act on.
2. It's not clear how (or whether) approved scripts can be managed globally at all. Every other npm setting can live in global/user config; it isn't obvious that install-script approvals can.

Expected Behavior

For global installs, the warning should either:

• point at whatever the actual global mechanism is (the allow-scripts config / --allow-scripts flag, which are consulted for global installs), instead of approve-scripts --allow-scripts-pending, or
• omit the approve-scripts suggestion when there's no project package.json to write to.

And the docs should state plainly whether global install-script approvals are supported, and how.

Steps To Reproduce

1. npm install -g @anthropic-ai/claude-code (or any package with an install/postinstall script).
2. Observe the allow-scripts warning suggesting npm approve-scripts --allow-scripts-pending.
3. Run that command (there is no project package.json, so it cannot record the approval).

Environment

• npm: 11.16.0

[ljharb]

or better, allow approved deps to be configurable in npmrc, like every single other piece of npm config

[TomCruiseTorpedo]

Confirming on npm 11.16.0 / Node 24.15.0 / macOS — worth noting that both command forms the warning suggests hard-error during a global install, with distinct codes:

• npm approve-scripts --allow-scripts-pending → EGLOBAL — npm approve-scripts does not work for global installs
• npm approve-scripts <pkg> (and -g <pkg>) → ENOMATCH — No installed packages match: …, because it resolves the package list against the cwd project's node_modules, which a -g install isn't part of.

So neither path the message offers can record an approval for a global install. As you note, --allow-scripts <pkg-list> / --dangerously-allow-all-scripts at install time do work for -g, so the warning pointing at approve-scripts is the gap.

(I filed #9463 before spotting this issue — closing that as a duplicate.)

[JamieMagee]

@ljharb you can already configure it in .npmrc like so:

; ~/.npmrc
allow-scripts = @anthropic-ai/claude-code, sqlite3 # , ...

[ljharb]

awesome! then for global installs, it should suggest that :-D

[TomCruiseTorpedo]

Verified the .npmrc route does cover global installs on npm 11.16.0 — minimal repro:

# allow-scripts unset → -g install warns
$ npm i -g cline --dry-run 2>&1 | grep -c allow-scripts
5
# allow-scripts set in npmrc → warning gone, scripts covered for -g
$ printf 'allow-scripts = cline, protobufjs\n' > /tmp/npmrc
$ npm i -g cline --userconfig /tmp/npmrc --dry-run 2>&1 | grep -c allow-scripts
0
$ npm config get allow-scripts --userconfig /tmp/npmrc -g
cline, protobufjs

The --allow-scripts <pkg> flag works for -g too, but it's per-invocation — npm config get allow-scripts stays empty afterward — so the npmrc key is the right persistent home.

Concretely, for a global install the warning's last line could become something like:

For a global install, add these to allow-scripts in your npmrc (npm config set allow-scripts "pkg-a, pkg-b") or rerun with --allow-scripts <pkg-list>. npm approve-scripts only edits a project package.json, so it can't apply here.