
fix(allowScripts): close enforcement gaps (#9652) (backport release/v11) #9663

Merged: owlstronaut merged 1 commit into npm:release/v11 from JamieMagee:backport/v11/9652 on Jun 25, 2026

@JamieMagee


Backport of #9652 to release/v11.

Two adaptations versus latest:

  • link.js: dropped the patchRelaxOpts/cli-only-flag lines, which only exist on latest. The global-install policy gating and strict preflight are kept.
  • Omitted the bundled-dependency regression test. v11's rebuild gate is deny-only (blocks on isScriptAllowed === false), so a bundled dep (null verdict) is not blocked there and the test would not hold.

The version-pinned deny fix and the npm link global-install gating both apply and are tested. Changed source keeps 100% coverage on script-allowed.js.

Backport of npm#9652 to release/v11.

Two v11 adaptations versus latest:
- link.js: dropped the patchRelaxOpts/cli-only-flag lines (that helper
  only exists on latest); the preflight and global-install policy gating
  are kept.
- Omitted the bundled-dependency regression test. v11's rebuild gate is
  deny-only (blocks on isScriptAllowed === false), so a bundled dep
  (null verdict) is not blocked there and the test would not hold.

(cherry picked from commit 60d0d3d)
@JamieMagee JamieMagee requested review from a team as code owners June 25, 2026 16:37
@owlstronaut owlstronaut merged commit 168ba30 into npm:release/v11 Jun 25, 2026
33 checks passed
@github-actions github-actions Bot mentioned this pull request Jun 25, 2026
@JamieMagee JamieMagee deleted the backport/v11/9652 branch June 25, 2026 20:34
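
The description above turns on a three-valued verdict: a deny-only gate (blocks on `=== false`) lets a `null` verdict through. The sketch below is an added illustration, not npm's code; the policy shape, the function names and the allow-required gate used for contrast are all assumptions.

```javascript
// Added illustration; not npm's code. Names and policy shape are hypothetical.
// Tri-state verdict: true = explicitly allowed, false = explicitly denied,
// null = the policy has no opinion about this package.
function verdictFor(policy, pkgName) {
  return Object.prototype.hasOwnProperty.call(policy, pkgName)
    ? policy[pkgName]
    : null;
}

// Deny-only gate: blocks only on an explicit false (fails open on null).
const denyOnlyGate = (verdict) => verdict !== false;

// Allow-required gate (assumed for contrast): runs only on an explicit true,
// so a null verdict fails closed.
const allowRequiredGate = (verdict) => verdict === true;

// Split packages into those whose install scripts would run and those blocked.
function planScripts(packages, policy, gate) {
  const run = [];
  const blocked = [];
  for (const name of packages) {
    (gate(verdictFor(policy, name)) ? run : blocked).push(name);
  }
  return { run, blocked };
}

// Constructed sample data: 'bundled-dep' has no policy entry (null verdict).
const samplePolicy = { 'trusted-native': true, 'denied-pkg': false };
const samplePackages = ['trusted-native', 'denied-pkg', 'bundled-dep'];

const denyOnlyPlan = planScripts(samplePackages, samplePolicy, denyOnlyGate);
const strictPlan = planScripts(samplePackages, samplePolicy, allowRequiredGate);
console.log('deny-only:', denyOnlyPlan);
console.log('allow-required:', strictPlan);
```

Under the deny-only gate the package with no verdict still runs its scripts, which is why a test expecting it to be blocked cannot pass against that gate.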