From ee10abe841f4d9aedcc6665a32a0c46eafdef6a3 Mon Sep 17 00:00:00 2001
From: Michael Garvin
Date: Mon, 27 Apr 2026 14:01:20 -0700
Subject: [PATCH] feat: add allow-directory, allow-file, and allow-remote

These complement allow-git.
---
 lib/commands/ci.js | 3 +
 lib/commands/dedupe.js | 3 +
 lib/commands/install.js | 3 +
 lib/commands/link.js | 3 +
 .../tap-snapshots/test/index.js.test.cjs | 14 +-
 .../test/lib/commands/config.js.test.cjs | 6 +
 tap-snapshots/test/lib/docs.js.test.cjs | 178 ++++++++++++++++--
 .../config/lib/definitions/definitions.js | 48 ++++-
 .../test/type-description.js.test.cjs | 15 ++
 9 files changed, 254 insertions(+), 19 deletions(-)

diff --git a/lib/commands/ci.js b/lib/commands/ci.js
index 5971f921cb71d..05514b441068e 100644
--- a/lib/commands/ci.js
+++ b/lib/commands/ci.js
@@ -21,7 +21,10 @@ class CI extends ArboristWorkspaceCmd {
 'strict-peer-deps',
 'foreground-scripts',
 'ignore-scripts',
+ 'allow-directory',
+ 'allow-file',
 'allow-git',
+ 'allow-remote',
 'audit',
 'bin-links',
 'fund',
diff --git a/lib/commands/dedupe.js b/lib/commands/dedupe.js
index a931cabd64604..347031b60a78a 100644
--- a/lib/commands/dedupe.js
+++ b/lib/commands/dedupe.js
@@ -14,7 +14,10 @@ class Dedupe extends ArboristWorkspaceCmd {
 'omit',
 'include',
 'ignore-scripts',
+ 'allow-directory',
+ 'allow-file',
 'allow-git',
+ 'allow-remote',
 'audit',
 'bin-links',
 'fund',
diff --git a/lib/commands/install.js b/lib/commands/install.js
index 5970fddfdfe4f..287b585f13231 100644
--- a/lib/commands/install.js
+++ b/lib/commands/install.js
@@ -27,7 +27,10 @@ class Install extends ArboristWorkspaceCmd {
 'package-lock-only',
 'foreground-scripts',
 'ignore-scripts',
+ 'allow-directory',
+ 'allow-file',
 'allow-git',
+ 'allow-remote',
 'audit',
 'before',
 'min-release-age',
diff --git a/lib/commands/link.js b/lib/commands/link.js
index e166a0051299a..ca656ad18f5ca 100644
--- a/lib/commands/link.js
+++ b/lib/commands/link.js
@@ -25,7 +25,10 @@ class Link extends ArboristWorkspaceCmd { 'omit', 'include', 'ignore-scripts', + 'allow-directory', + 'allow-file', 'allow-git', + 'allow-remote', 'audit', 'bin-links', 'fund', diff --git a/smoke-tests/tap-snapshots/test/index.js.test.cjs b/smoke-tests/tap-snapshots/test/index.js.test.cjs index 7ebbae073b255..bb15d01810ee1 100644 --- a/smoke-tests/tap-snapshots/test/index.js.test.cjs +++ b/smoke-tests/tap-snapshots/test/index.js.test.cjs @@ -58,8 +58,9 @@ npm error [--install-strategy ] [--legacy-bundlin npm error [--global-style] [--omit [--omit ...]] npm error [--include [--include ...]] npm error [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts] -npm error [--allow-git ] [--no-audit] [--no-bin-links] [--no-fund] -npm error [--dry-run] +npm error [--allow-directory ] [--allow-file ] +npm error [--allow-git ] [--allow-remote ] [--no-audit] +npm error [--no-bin-links] [--no-fund] [--dry-run] npm error [-w|--workspace [-w|--workspace ...]] npm error [--workspaces] [--include-workspace-root] [--install-links] npm error @@ -87,9 +88,18 @@ npm error npm error --ignore-scripts npm error If true, npm does not run scripts specified in package.json files. npm error +npm error --allow-directory +npm error Limits the ability for npm to install dependencies from directories. +npm error +npm error --allow-file +npm error Limits the ability for npm to install dependencies from tarball files. +npm error npm error --allow-git npm error Limits the ability for npm to fetch dependencies from git references. npm error +npm error --allow-remote +npm error Limits the ability for npm to fetch dependencies from urls. +npm error npm error --audit npm error When "true" submit audit reports alongside the current npm command to the npm error diff --git a/tap-snapshots/test/lib/commands/config.js.test.cjs b/tap-snapshots/test/lib/commands/config.js.test.cjs index 3446ea8617461..42bd213ba473e 100644 --- a/tap-snapshots/test/lib/commands/config.js.test.cjs 
+++ b/tap-snapshots/test/lib/commands/config.js.test.cjs @@ -16,7 +16,10 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna "access": null, "all": false, "allow-same-version": false, + "allow-directory": "all", + "allow-file": "all", "allow-git": "all", + "allow-remote": "all", "also": null, "audit": true, "audit-level": null, @@ -191,7 +194,10 @@ exports[`test/lib/commands/config.js TAP config list --long > output matches sna _auth = (protected) access = null all = false +allow-directory = "all" +allow-file = "all" allow-git = "all" +allow-remote = "all" allow-same-version = false also = null audit = true diff --git a/tap-snapshots/test/lib/docs.js.test.cjs b/tap-snapshots/test/lib/docs.js.test.cjs index 8ce6a3958c422..e7bad30e38ff4 100644 --- a/tap-snapshots/test/lib/docs.js.test.cjs +++ b/tap-snapshots/test/lib/docs.js.test.cjs 
@@ -211,6 +211,42 @@ upon by the current project. +#### \`allow-directory\` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +\`all\` allows any directories to be installed. \`none\` prevents any +directories from being installed. \`root\` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like \`npm view\` + + + +#### \`allow-file\` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +\`all\` allows any tarball file to be installed. \`none\` prevents any tarball +file from being installed. \`root\` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like \`npm view\` + + + #### \`allow-git\` * Default: "all" 
@@ -219,12 +255,31 @@ upon by the current project. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. \`all\` allows any git dependencies to be fetched and installed. \`none\` prevents any git dependencies from being fetched and installed. \`root\` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like \`npm view\` + + + +#### \`allow-remote\` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +\`all\` allows any url to be installed. \`none\` prevents any url from being +installed. \`root\` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like \`npm view\` @@ -2241,7 +2296,10 @@ Array [ "access", "all", "allow-same-version", + "allow-directory", + "allow-file", "allow-git", + "allow-remote", "also", "audit", "audit-level", @@ -2417,7 +2475,10 @@ Array [ "access", "all", "allow-same-version", + "allow-directory", + "allow-file", "allow-git", + "allow-remote", "also", "audit", "audit-level", 
@@ -2597,7 +2658,10 @@ Object { "_auth": null, "access": null, "all": false, + "allowDirectory": "all", + "allowFile": "all", "allowGit": "all", + "allowRemote": "all", "allowSameVersion": false, "audit": true, "auditLevel": null, @@ -2995,8 +3059,9 @@ Options: [--global-style] [--omit [--omit ...]] [--include [--include ...]] [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts] -[--allow-git ] [--no-audit] [--no-bin-links] [--no-fund] -[--dry-run] +[--allow-directory ] [--allow-file ] +[--allow-git ] [--allow-remote ] [--no-audit] +[--no-bin-links] [--no-fund] [--dry-run] [-w|--workspace [-w|--workspace ...]] [--workspaces] [--include-workspace-root] [--install-links] @@ -3024,9 +3089,18 @@ Options: --ignore-scripts If true, npm does not run scripts specified in package.json files. + --allow-directory + Limits the ability for npm to install dependencies from directories. + + --allow-file + Limits the ability for npm to install dependencies from tarball files. + --allow-git Limits the ability for npm to fetch dependencies from git references. + --allow-remote + Limits the ability for npm to fetch dependencies from urls. + --audit When "true" submit audit reports alongside the current npm command to the @@ -3070,7 +3144,10 @@ aliases: clean-install, ic, install-clean, isntall-clean #### \`strict-peer-deps\` #### \`foreground-scripts\` #### \`ignore-scripts\` +#### \`allow-directory\` +#### \`allow-file\` #### \`allow-git\` +#### \`allow-remote\` #### \`audit\` #### \`bin-links\` #### \`fund\` 
@@ -3167,8 +3244,10 @@ Options: [--global-style] [--strict-peer-deps] [--no-package-lock] [--omit [--omit ...]] [--include [--include ...]] -[--ignore-scripts] [--allow-git ] [--no-audit] [--no-bin-links] -[--no-fund] [--dry-run] +[--ignore-scripts] [--allow-directory ] +[--allow-file ] [--allow-git ] +[--allow-remote ] [--no-audit] [--no-bin-links] [--no-fund] +[--dry-run] [-w|--workspace [-w|--workspace ...]] [--workspaces] [--include-workspace-root] [--install-links] @@ -3196,9 +3275,18 @@ Options: --ignore-scripts If true, npm does not run scripts specified in package.json files. + --allow-directory + Limits the ability for npm to install dependencies from directories. + + --allow-file + Limits the ability for npm to install dependencies from tarball files. + --allow-git Limits the ability for npm to fetch dependencies from git references. + --allow-remote + Limits the ability for npm to fetch dependencies from urls. + --audit When "true" submit audit reports alongside the current npm command to the @@ -3242,7 +3330,10 @@ alias: ddp #### \`omit\` #### \`include\` #### \`ignore-scripts\` +#### \`allow-directory\` +#### \`allow-file\` #### \`allow-git\` +#### \`allow-remote\` #### \`audit\` #### \`bin-links\` #### \`fund\` @@ -3892,9 +3983,11 @@ Options: [--global-style] [--omit [--omit ...]] [--include [--include ...]] [--strict-peer-deps] [--prefer-dedupe] [--no-package-lock] [--package-lock-only] -[--foreground-scripts] [--ignore-scripts] [--allow-git ] -[--no-audit] [--before |--min-release-age ] [--no-bin-links] -[--no-fund] [--dry-run] [--cpu ] [--os ] [--libc ] +[--foreground-scripts] [--ignore-scripts] [--allow-directory ] +[--allow-file ] [--allow-git ] +[--allow-remote ] [--no-audit] +[--before |--min-release-age ] [--no-bin-links] [--no-fund] +[--dry-run] [--cpu ] [--os ] [--libc ] [-w|--workspace [-w|--workspace ...]] [--workspaces] [--include-workspace-root] [--install-links] 
@@ -3940,9 +4033,18 @@ Options: --ignore-scripts If true, npm does not run scripts specified in package.json files. + --allow-directory + Limits the ability for npm to install dependencies from directories. + + --allow-file + Limits the ability for npm to install dependencies from tarball files. + --allow-git Limits the ability for npm to fetch dependencies from git references. + --allow-remote + Limits the ability for npm to fetch dependencies from urls. + --audit When "true" submit audit reports alongside the current npm command to the @@ -4007,7 +4109,10 @@ aliases: add, i, in, ins, inst, insta, instal, isnt, isnta, isntal, isntall #### \`package-lock-only\` #### \`foreground-scripts\` #### \`ignore-scripts\` +#### \`allow-directory\` +#### \`allow-file\` #### \`allow-git\` +#### \`allow-remote\` #### \`audit\` #### \`before\` #### \`min-release-age\` @@ -4034,8 +4139,9 @@ Options: [--global-style] [--omit [--omit ...]] [--include [--include ...]] [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts] -[--allow-git ] [--no-audit] [--no-bin-links] [--no-fund] -[--dry-run] +[--allow-directory ] [--allow-file ] +[--allow-git ] [--allow-remote ] [--no-audit] +[--no-bin-links] [--no-fund] [--dry-run] [-w|--workspace [-w|--workspace ...]] [--workspaces] [--include-workspace-root] [--install-links] @@ -4063,9 +4169,18 @@ Options: --ignore-scripts If true, npm does not run scripts specified in package.json files. + --allow-directory + Limits the ability for npm to install dependencies from directories. + + --allow-file + Limits the ability for npm to install dependencies from tarball files. + --allow-git Limits the ability for npm to fetch dependencies from git references. + --allow-remote + Limits the ability for npm to fetch dependencies from urls. + --audit When "true" submit audit reports alongside the current npm command to the 
@@ -4109,7 +4224,10 @@ aliases: cit, clean-install-test, sit #### \`strict-peer-deps\` #### \`foreground-scripts\` #### \`ignore-scripts\` +#### \`allow-directory\` +#### \`allow-file\` #### \`allow-git\` +#### \`allow-remote\` #### \`audit\` #### \`bin-links\` #### \`fund\` @@ -4133,9 +4251,11 @@ Options: [--global-style] [--omit [--omit ...]] [--include [--include ...]] [--strict-peer-deps] [--prefer-dedupe] [--no-package-lock] [--package-lock-only] -[--foreground-scripts] [--ignore-scripts] [--allow-git ] -[--no-audit] [--before |--min-release-age ] [--no-bin-links] -[--no-fund] [--dry-run] [--cpu ] [--os ] [--libc ] +[--foreground-scripts] [--ignore-scripts] [--allow-directory ] +[--allow-file ] [--allow-git ] +[--allow-remote ] [--no-audit] +[--before |--min-release-age ] [--no-bin-links] [--no-fund] +[--dry-run] [--cpu ] [--os ] [--libc ] [-w|--workspace [-w|--workspace ...]] [--workspaces] [--include-workspace-root] [--install-links] @@ -4181,9 +4301,18 @@ Options: --ignore-scripts If true, npm does not run scripts specified in package.json files. + --allow-directory + Limits the ability for npm to install dependencies from directories. + + --allow-file + Limits the ability for npm to install dependencies from tarball files. + --allow-git Limits the ability for npm to fetch dependencies from git references. + --allow-remote + Limits the ability for npm to fetch dependencies from urls. + --audit When "true" submit audit reports alongside the current npm command to the @@ -4248,7 +4377,10 @@ alias: it #### \`package-lock-only\` #### \`foreground-scripts\` #### \`ignore-scripts\` +#### \`allow-directory\` +#### \`allow-file\` #### \`allow-git\` +#### \`allow-remote\` #### \`audit\` #### \`before\` #### \`min-release-age\` 
@@ -4277,8 +4409,10 @@ Options: [--global-style] [--strict-peer-deps] [--no-package-lock] [--omit [--omit ...]] [--include [--include ...]] -[--ignore-scripts] [--allow-git ] [--no-audit] [--no-bin-links] -[--no-fund] [--dry-run] +[--ignore-scripts] [--allow-directory ] +[--allow-file ] [--allow-git ] +[--allow-remote ] [--no-audit] [--no-bin-links] [--no-fund] +[--dry-run] [-w|--workspace [-w|--workspace ...]] [--workspaces] [--include-workspace-root] [--install-links] @@ -4315,9 +4449,18 @@ Options: --ignore-scripts If true, npm does not run scripts specified in package.json files. + --allow-directory + Limits the ability for npm to install dependencies from directories. + + --allow-file + Limits the ability for npm to install dependencies from tarball files. + --allow-git Limits the ability for npm to fetch dependencies from git references. + --allow-remote + Limits the ability for npm to fetch dependencies from urls. + --audit When "true" submit audit reports alongside the current npm command to the @@ -4364,7 +4507,10 @@ alias: ln #### \`omit\` #### \`include\` #### \`ignore-scripts\` +#### \`allow-directory\` +#### \`allow-file\` #### \`allow-git\` +#### \`allow-remote\` #### \`audit\` #### \`bin-links\` #### \`fund\` diff --git a/workspaces/config/lib/definitions/definitions.js b/workspaces/config/lib/definitions/definitions.js index 3565d214c1e88..52f6e8bff8935 100644 --- a/workspaces/config/lib/definitions/definitions.js +++ b/workspaces/config/lib/definitions/definitions.js 
@@ -187,6 +187,36 @@ const definitions = {
 `,
 flatten,
 }),
+ 'allow-directory': new Definition('allow-directory', {
+ default: 'all',
+ type: ['all', 'none', 'root'],
+ description: `
+ Limits the ability for npm to install dependencies from directories.
+ That is, dependencies that point to a directory instead of a version or semver range.
+ Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+ Changing this setting will not remove dependencies that are already installed.
+
+ \`all\` allows any directories to be installed.
+ \`none\` prevents any directories from being installed.
+ \`root\` only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \`npm view\`
+ `,
+ flatten,
+ }),
+ 'allow-file': new Definition('allow-file', {
+ default: 'all',
+ type: ['all', 'none', 'root'],
+ description: `
+ Limits the ability for npm to install dependencies from tarball files.
+ That is, dependencies that point to a local tarball file instead of a version or semver range.
+ Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+ Changing this setting will not remove dependencies that are already installed.
+
+ \`all\` allows any tarball file to be installed.
+ \`none\` prevents any tarball file from being installed.
+ \`root\` only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \`npm view\`
+ `,
+ flatten,
+ }),
 'allow-git': new Definition('allow-git', {
 default: 'all',
 type: ['all', 'none', 'root'],
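Review bot: The new `allow-directory` and `allow-file` entries only declare the option and hand it to `flatten`; no code in this hunk, or in any file in the diffstat, rejects a directory or tarball spec, so whether `none` and `root` actually block an install depends on code outside this commit, presumably the layer that already honours `allow-git`. A restriction that is accepted but not enforced fails open, so an install-level test asserting that `none` refuses a directory and a local tarball dependency would be worth adding next to the snapshot updates. The descriptions should also say what `root` means for a spec that is only reached through a dependency or a lockfile entry, for example `Directories referenced only by a dependency's package.json are rejected.` if that is the intended behaviour. The `definitions` object starts and ends outside the hunk.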
@@ -194,10 +224,26 @@ const definitions = {
 Limits the ability for npm to fetch dependencies from git references.
 That is, dependencies that point to a git repo instead of a version or semver range.
 Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+ Changing this setting will not remove dependencies that are already installed.

 \`all\` allows any git dependencies to be fetched and installed.
 \`none\` prevents any git dependencies from being fetched and installed.
- \`root\` only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \`npm view\`
+ \`root\` only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \`npm view\`
+ `,
+ flatten,
+ }),
+ 'allow-remote': new Definition('allow-remote', {
+ default: 'all',
+ type: ['all', 'none', 'root'],
+ description: `
+ Limits the ability for npm to fetch dependencies from urls.
+ That is, dependencies that point to a tarball url instead of a version or semver range.
+ Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+ Changing this setting will not remove dependencies that are already installed.
+
+ \`all\` allows any url to be installed.
+ \`none\` prevents any url from being installed.
+ \`root\` only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \`npm view\`
 `,
 flatten,
 }),
diff --git a/workspaces/config/tap-snapshots/test/type-description.js.test.cjs b/workspaces/config/tap-snapshots/test/type-description.js.test.cjs
index 1c876db0c752d..78445376b9ef1 100644
--- a/workspaces/config/tap-snapshots/test/type-description.js.test.cjs
+++ b/workspaces/config/tap-snapshots/test/type-description.js.test.cjs
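Review bot: The `allow-remote` description does not say which URLs count: a reader setting `none` as a supply-chain control cannot tell from `dependencies that point to a tarball url` whether a registry tarball URL recorded in a lockfile is exempt, and that boundary should be stated in the text. Since the default stays `all`, it would also help to note that, as with other npm settings, a project-level `.npmrc` takes precedence over the user-level one, so the restriction is most dependable when passed on the command line or pinned in CI. As a wording point that applies to all four definitions (including the two in the previous hunk), the `root` line ends without a period and `Also allows …` reads as part of `root` rather than as a general statement; `urls`/`url` would normally be written `URLs`/`URL`. The `definitions` object starts and ends outside the hunk.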
@@ -19,11 +19,26 @@ Object { "all": Array [ "boolean value (true or false)", ], + "allow-directory": Array [ + "all", + "none", + "root", + ], + "allow-file": Array [ + "all", + "none", + "root", + ], "allow-git": Array [ "all", "none", "root", ], + "allow-remote": Array [ + "all", + "none", + "root", + ], "allow-same-version": Array [ "boolean value (true or false)", ],