On latest (v12-pre), allowScripts entries for file:/link: deps don't gate script execution. A local file: dep with a postinstall runs whether the policy entry is true, false, or missing.
Came up in #9490 review. @JamieMagee confirmed it's a gap that should close before v12 ships (comment).
Per the RFC, false should block silently and an absent entry should block with a warning. Workspaces stay owner-managed.
Lives around the scriptsAllowed check in workspaces/arborist/lib/arborist/rebuild.js#buildQueues.
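The gating behaviour the RFC calls for, as an added sketch that is not code from npm/cli or arborist. The node fields (`name`, `spec`, `isWorkspace`, `scripts`), the helper names, and keying the policy by spec string are assumptions made for illustration.

```javascript
// Added sketch; not arborist code. Node shape and policy keys are hypothetical.
const INSTALL_EVENTS = ['preinstall', 'install', 'postinstall'];

// Decide whether one node's install scripts may run under the policy.
function gateScripts(node, allowScripts) {
  // Workspaces stay owner-managed, so the policy does not gate them.
  if (node.isWorkspace) return { run: true, warning: null };
  // Own-property lookup so keys like "constructor" never count as an entry.
  const entry = Object.hasOwn(allowScripts, node.spec) ? allowScripts[node.spec] : undefined;
  if (entry === true) return { run: true, warning: null };
  if (entry === false) return { run: false, warning: null }; // block silently
  // Absent entry (non-boolean values are treated the same): block and warn.
  return { run: false, warning: `${node.name} (${node.spec}): install scripts blocked, no allowScripts entry` };
}

// Build the queue of nodes whose scripts will run; file:/link: deps pass
// through the same gate as every other dependency.
function buildScriptQueue(nodes, allowScripts = {}) {
  const queue = [];
  const warnings = [];
  for (const node of nodes) {
    const events = INSTALL_EVENTS.filter((e) => node.scripts && node.scripts[e]);
    if (events.length === 0) continue; // nothing to run, nothing to warn about
    const { run, warning } = gateScripts(node, allowScripts);
    if (warning) warnings.push(warning);
    if (run) queue.push({ name: node.name, events });
  }
  return { queue, warnings };
}

// Constructed sample tree and policy.
const sampleNodes = [
  { name: 'allowed-local', spec: 'file:./tools/allowed', scripts: { postinstall: 'node build.js' } },
  { name: 'denied-local', spec: 'file:./tools/denied', scripts: { postinstall: 'node build.js' } },
  { name: 'unlisted-link', spec: 'link:../shared', scripts: { postinstall: 'node build.js' } },
  { name: 'my-workspace', spec: 'workspace:packages/app', isWorkspace: true, scripts: { postinstall: 'node build.js' } },
  { name: 'no-scripts', spec: 'file:./tools/plain', scripts: {} },
];
const samplePolicy = { 'file:./tools/allowed': true, 'file:./tools/denied': false };

console.log(buildScriptQueue(sampleNodes, samplePolicy));
```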