Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm 12.0.0 blocks postinstall execution after installing from remote URL
ENOMATCH warning
does not recognize existing allowScripts
added 169 packages, and audited 170 packages in 24s
53 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
npm warn install-scripts 1 package had install scripts blocked because they are not covered by allowScripts:
npm warn install-scripts cypress@15.18.1 (postinstall: node dist/index.js --exec install)
npm warn install-scripts
npm warn install-scripts Run `npm install-scripts ls` to review, or `npm install-scripts approve <pkg>` to allow.
cy-npm-install-test@ /home/mike/github/TESTING/cy-npm-install-test
└── cypress@15.18.1
npm warn install-scripts skipping cypress: no trusted identity for policy key
npm error code ENOMATCH
npm error No installed packages match: cypress
npm error A complete log of this run can be found in: /home/mike/.npm/_logs/2026-07-09T04_40_55_501Z-debug-0.log
In the case of Cypress, the workaround is to run npx cypress install to manually run the postinstall script.
Expected Behavior
npm should allow installation from a remote CDN and accept the allowScripts setting. If additional configs are necessary for this to work, then they should be documented.
Steps To Reproduce
Execute the following:
cat > package.json <<EOT
{
"allowScripts": {
"cypress": true
}
}
EOT
npm set allow-remote=all --location=project
rm -rf ~/.cache/Cypress
npm install https://cdn.cypress.io/beta/npm/15.18.1/linux-x64/develop-8addb93e04dd372ab736d76c60735711d570312e/cypress.tgz
npm ls cypress
npm install-scripts approve cypress
See also https://docs.cypress.io/app/references/advanced-installation#Install-pre-release-version
Environment
- npm: 12.0.0
- Node.js: 26.5.0
- OS Name: Ubuntu 26.04 LTS
- System Model Name: HP x64 desktop
- npm config:
; "project" config from /home/mike/github/TESTING/cy-npm-install-test/.npmrc
allow-remote = "all"
; node bin location = /home/mike/n/bin/node
; node version = v26.5.0
; npm local prefix = /home/mike/github/TESTING/cy-npm-install-test
; npm version = 12.0.0
; cwd = /home/mike/github/TESTING/cy-npm-install-test
; HOME = /home/mike
; Run `npm config ls -l` to show all defaults.
install-scriptsafter remote install #9723 for npm 11.18.0Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm 12.0.0 blocks
postinstallexecution after installing from remote URLENOMATCHwarningdoes not recognize existing
allowScriptsIn the case of Cypress, the workaround is to run
npx cypress installto manually run thepostinstallscript.Expected Behavior
npm should allow installation from a remote CDN and accept the
allowScriptssetting. If additional configs are necessary for this to work, then they should be documented.Steps To Reproduce
Execute the following:
See also https://docs.cypress.io/app/references/advanced-installation#Install-pre-release-version
Environment