Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
When using a file:-dependency, npm i outputs a warning that the dependency is not approved even if it is.
./package.json:
{
  "name": "npm-approve-skripts-test",
  "version": "1.0.0",
  "description": "",
  "license": "ISC",
  "author": "",
  "type": "commonjs",
  "main": "index.js",
  "allowScripts": {
    "file:../testdep": false
  },
  "dependencies": {
    "testdep": "file:testdep"
  }
}
> npm i
up to date, audited 3 packages in 137ms
found 0 vulnerabilities
npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts:
npm warn allow-scripts testdep@1.0.0 (postinstall: exit 1)
npm warn allow-scripts
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.
./testdep/package.json:
{
  "name": "testdep",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "postinstall": "exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "type": "commonjs"
}
Setting
"allowScripts": {
  "file:../testdep": true
},
will cause npm i to fail, so the field is picked up correctly, but the warning is still displayed.
Expected Behavior
npm i runs without a warning because the dependency was already approved/denied.
Steps To Reproduce
see above
Environment
- npm: 11.16.0
- Node.js: 26.3.0
- OS Name: macOS Tahoe 26.5
- System Model Name: Macbook Pro
- npm config:
; "user" config from /Users/bayerf/.npmrc
; allow-directory = "none" ; overridden by project
allow-file = "none"
allow-git = "none"
allow-remote = "none"
; ignore-scripts = true ; overridden by project
min-release-age = 7
save-exact = true
save-prefix = ""
; "project" config from /Users/bayerf/tmp/npm-approve-skripts/.npmrc
allow-directory = "all"
ignore-scripts = false
; node bin location = /Users/bayerf/.local/share/fnm/node-versions/v26.3.0/installation/bin/node
; node version = v26.3.0
; npm local prefix = /Users/bayerf/Documents/Projekte/tmp/npm-approve-skripts
; npm version = 11.16.0
; cwd = /Users/bayerf/tmp/npm-approve-skripts
; HOME = /Users/bayerf
; Run `npm config ls -l` to show all defaults.