nodejs · nodejs-github-bot · May 29, 2026 · May 27, 2026
diff --git a/deps/npm/docs/content/commands/npm-approve-scripts.md b/deps/npm/docs/content/commands/npm-approve-scripts.md
@@ -0,0 +1,125 @@
+---
+title: npm-approve-scripts
+section: 1
+description: Approve install scripts for specific dependencies
+---
+
+### Synopsis
+
+```bash
+npm approve-scripts <pkg> [<pkg> ...]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+```
+
+Note: This command is unaware of workspaces.
+
+### Description
+
+Manages the `allowScripts` field in your project's `package.json`, which
+records which of your dependencies are permitted to run install scripts
+(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry
+sources). This command is the recommended way to maintain that field.
+
+In the current release, this field is advisory: install scripts still run
+by default, but installs print a list of packages whose scripts have not
+been reviewed. A future release will block unreviewed install scripts.
+
+There are three modes:
+
+```bash
+npm approve-scripts <pkg> [<pkg> ...]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+```
+
+`<pkg>` matches every installed version of that package. By default the
+command writes pinned entries (`pkg@1.2.3`), which keep their approval
+narrowed to the specific version you reviewed. Pass `--no-allow-scripts-pin` to write
+name-only entries that allow any future version.
+
+`--all` approves every package with unreviewed install scripts in one go.
+
+`--allow-scripts-pending` is read-only: it lists every package whose install scripts
+are not yet covered by `allowScripts`, without modifying `package.json`.
+
+`approve-scripts` honours the asymmetric pin rule: if you re-approve a
+package whose installed version has changed, the existing pin is rewritten
+to track the new installed version. Multi-version statements
+(`pkg@1 || 2`) are left alone, since they likely capture intent that
+the command cannot infer. Existing `false` entries always win;
+`approve-scripts` will not silently re-allow a package you previously
+denied.
+
+### Examples
+
+```bash
+# Approve all currently-installed install scripts after reviewing them
+npm approve-scripts --all
+
+# Approve specific packages, pinned to their installed version
+npm approve-scripts canvas sharp
+
+# Approve name-only (any version of this package is allowed)
+npm approve-scripts --no-allow-scripts-pin canvas
+
+# Preview which packages still need review
+npm approve-scripts --allow-scripts-pending
+```
+
+### Configuration
+
+#### `all`
+
+* Default: false
+* Type: Boolean
+
+When running `npm outdated` and `npm ls`, setting `--all` will show all
+outdated or installed packages, rather than only those directly depended
+upon by the current project.
+
+
+
+#### `allow-scripts-pending`
+
+* Default: false
+* Type: Boolean
+
+List packages with install scripts that are not yet covered by the
+`allowScripts` policy, without modifying `package.json`. Only meaningful for
+`npm approve-scripts`.
+
+
+
+#### `allow-scripts-pin`
+
+* Default: true
+* Type: Boolean
+
+Write pinned (`pkg@version`) entries when approving install scripts. Set to
+`false` to write name-only entries that allow any version. Has no effect on
+`npm deny-scripts`, which always writes name-only entries regardless of this
+setting.
+
+
+
+#### `json`
+
+* Default: false
+* Type: Boolean
+
+Whether or not to output JSON data, rather than the normal output.
+
+* In `npm pkg set` it enables parsing set values with JSON.parse() before
+  saving them to your `package.json`.
+
+Not supported by all npm commands.
+
+
+
+### See Also
+
+* [npm deny-scripts](/commands/npm-deny-scripts)
+* [npm install](/commands/npm-install)
+* [npm rebuild](/commands/npm-rebuild)
+* [package.json](/configuring-npm/package-json)
diff --git a/deps/npm/docs/content/commands/npm-ci.md b/deps/npm/docs/content/commands/npm-ci.md
@@ -262,6 +262,56 @@ like `npm view`
 
 
 
+#### `allow-scripts`
+
+* Default: ""
+* Type: String (can be set multiple times)
+
+Comma-separated list of packages whose install-time lifecycle scripts
+(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry
+dependencies) are allowed to run.
+
+This setting is intended for one-off and global contexts: `npm exec`, `npx`,
+and `npm install -g`, where no project `package.json` is involved. For
+team-wide policy in a project, use the `allowScripts` field in
+`package.json` (which also supports explicit denials), or configure it in
+`.npmrc`. Passing `--allow-scripts` on the command line during a
+project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error.
+
+Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. `--ignore-scripts` and
+`--dangerously-allow-all-scripts` both override this setting.
+
+
+
+#### `strict-allow-scripts`
+
+* Default: false
+* Type: Boolean
+
+If `true`, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by `allowScripts` will fail
+the install instead of running with a notice.
+
+Dependencies explicitly denied with `false` in `allowScripts` are always
+silently skipped; this setting only affects unreviewed entries.
+`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
+setting.
+
+
+
+#### `dangerously-allow-all-scripts`
+
+* Default: false
+* Type: Boolean
+
+If `true`, bypass the `allowScripts` policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+`--ignore-scripts` still takes precedence over this setting.
+
+
+
 #### `audit`
 
 * Default: true

diff --git a/deps/npm/docs/content/commands/npm-deny-scripts.md b/deps/npm/docs/content/commands/npm-deny-scripts.md
@@ -0,0 +1,109 @@
+---
+title: npm-deny-scripts
+section: 1
+description: Deny install scripts for specific dependencies
+---
+
+### Synopsis
+
+```bash
+npm deny-scripts <pkg> [<pkg> ...]
+npm deny-scripts --all
+```
+
+Note: This command is unaware of workspaces.
+
+### Description
+
+The companion command to [`npm approve-scripts`](/commands/npm-approve-scripts).
+Writes `false` entries into the `allowScripts` field of your project's
+`package.json`, recording that a dependency must not run install scripts
+even if a future version would otherwise be eligible.
+
+In the current release, install scripts still run by default, so `deny-scripts`
+only affects how installs of denied packages are reported. A future release
+will block unreviewed install scripts and respect deny entries at install
+time.
+
+```bash
+npm deny-scripts <pkg> [<pkg> ...]
+npm deny-scripts --all
+```
+
+`<pkg>` matches every installed version of that package. Denies are always
+written name-only (`"pkg": false`), regardless of `--allow-scripts-pin`. Pinning a deny
+to a specific version would silently re-allow scripts for any other version
+of the same package, which defeats the purpose; the command picks the
+safer default for you.
+
+`--all` denies every package with unreviewed install scripts.
+
+If a `true` (pinned or name-only) entry exists for a package and you then
+deny it, the existing allow entries are removed so the name-only deny is
+unambiguous.
+
+### Examples
+
+```bash
+# Deny a specific package outright
+npm deny-scripts telemetry-pkg
+
+# Deny everything that has install scripts and isn't already approved
+npm deny-scripts --all
+```
+
+### Configuration
+
+#### `all`
+
+* Default: false
+* Type: Boolean
+
+When running `npm outdated` and `npm ls`, setting `--all` will show all
+outdated or installed packages, rather than only those directly depended
+upon by the current project.
+
+
+
+#### `allow-scripts-pending`
+
+* Default: false
+* Type: Boolean
+
+List packages with install scripts that are not yet covered by the
+`allowScripts` policy, without modifying `package.json`. Only meaningful for
+`npm approve-scripts`.
+
+
+
+#### `allow-scripts-pin`
+
+* Default: true
+* Type: Boolean
+
+Write pinned (`pkg@version`) entries when approving install scripts. Set to
+`false` to write name-only entries that allow any version. Has no effect on
+`npm deny-scripts`, which always writes name-only entries regardless of this
+setting.
+
+
+
+#### `json`
+
+* Default: false
+* Type: Boolean
+
+Whether or not to output JSON data, rather than the normal output.
+
+* In `npm pkg set` it enables parsing set values with JSON.parse() before
+  saving them to your `package.json`.
+
+Not supported by all npm commands.
+
+
+
+### See Also
+
+* [npm approve-scripts](/commands/npm-approve-scripts)
+* [npm install](/commands/npm-install)
+* [package.json](/configuring-npm/package-json)
diff --git a/deps/npm/docs/content/commands/npm-exec.md b/deps/npm/docs/content/commands/npm-exec.md
@@ -158,6 +158,56 @@ the specified workspaces, and not on the root project.
 
 This value is not exported to the environment for child processes.
 
+#### `allow-scripts`
+
+* Default: ""
+* Type: String (can be set multiple times)
+
+Comma-separated list of packages whose install-time lifecycle scripts
+(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry
+dependencies) are allowed to run.
+
+This setting is intended for one-off and global contexts: `npm exec`, `npx`,
+and `npm install -g`, where no project `package.json` is involved. For
+team-wide policy in a project, use the `allowScripts` field in
+`package.json` (which also supports explicit denials), or configure it in
+`.npmrc`. Passing `--allow-scripts` on the command line during a
+project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error.
+
+Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. `--ignore-scripts` and
+`--dangerously-allow-all-scripts` both override this setting.
+
+
+
+#### `strict-allow-scripts`
+
+* Default: false
+* Type: Boolean
+
+If `true`, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by `allowScripts` will fail
+the install instead of running with a notice.
+
+Dependencies explicitly denied with `false` in `allowScripts` are always
+silently skipped; this setting only affects unreviewed entries.
+`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
+setting.
+
+
+
+#### `dangerously-allow-all-scripts`
+
+* Default: false
+* Type: Boolean
+
+If `true`, bypass the `allowScripts` policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+`--ignore-scripts` still takes precedence over this setting.
+
+
+
 ### Examples
 
 Run the version of `tap` in the local dependencies, with the provided arguments: