npm
diff --git a/‎docs/lib/content/nav.yml‎
Lines changed: 6 additions & 0 deletions b/‎docs/lib/content/nav.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎lib/utils/allow-scripts-cmd.js‎
Lines changed: 2 additions & 0 deletions b/‎lib/utils/allow-scripts-cmd.js‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎lib/utils/allow-scripts-writer.js‎
Lines changed: 6 additions & 2 deletions b/‎lib/utils/allow-scripts-writer.js‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎tap-snapshots/test/lib/commands/completion.js.test.cjs‎
Lines changed: 1 addition & 0 deletions b/‎tap-snapshots/test/lib/commands/completion.js.test.cjs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tap-snapshots/test/lib/docs.js.test.cjs‎
Lines changed: 85 additions & 38 deletions b/‎tap-snapshots/test/lib/docs.js.test.cjs‎
Lines changed: 85 additions & 38 deletions
@@ -12,6 +12,9 @@
   - title: npm access
     url: /commands/npm-access
     description: Set access level on published packages
+  - title: npm approve-scripts
+    url: /commands/npm-approve-scripts
+    description: Approve install scripts for specific dependencies
   - title: npm audit
     url: /commands/npm-audit
     description: Run a security audit
@@ -33,6 +36,9 @@
   - title: npm dedupe
     url: /commands/npm-dedupe
     description: Reduce duplication in the package tree
+  - title: npm deny-scripts
+    url: /commands/npm-deny-scripts
+    description: Deny install scripts for specific dependencies
   - title: npm deprecate
     url: /commands/npm-deprecate
     description: Deprecate a version of a package
 
@@ -30,6 +30,7 @@ class AllowScriptsCmd extends BaseCommand {
   static ignoreImplicitWorkspace = false
 
   // Subclasses set this.
+  /* istanbul ignore next */
   get verb () {
     throw new Error('verb must be implemented by subclass')
   }
@@ -214,6 +215,7 @@ class AllowScriptsCmd extends BaseCommand {
       summary.push({ name, changes: result.changes })
     }
 
+    /* istanbul ignore else: writePolicyChanges only called when changes are expected */
     if (updated !== existing) {
       pkg.update({ allowScripts: updated })
       await pkg.save()
 
@@ -148,6 +148,7 @@ const keyTargetsNode = (key, node) => {
       try {
         resolvedParsed = node.resolved ? npa(node.resolved) : null
       } catch {
+        /* istanbul ignore next */
         return false
       }
       const keyHost = parsed.hosted?.ssh({ noCommittish: true })
@@ -174,7 +175,7 @@ const keyTargetsNode = (key, node) => {
 //   - `changes` is a list of `{ key, change }` entries describing edits
 //   - `warning` is an optional message to surface to the user
 const applyApprovalForPackage = (existing, nodes, { pin = true } = {}) => {
-  const allowScripts = { ...(existing || {}) }
+  const allowScripts = { ...existing }
   const changes = []
 
   if (!Array.isArray(nodes) || nodes.length === 0) {
@@ -188,6 +189,8 @@ const applyApprovalForPackage = (existing, nodes, { pin = true } = {}) => {
   for (const node of nodes) {
     for (const [key, value] of Object.entries(allowScripts)) {
       if (value === false && keyTargetsNode(key, node)) {
+        /* istanbul ignore next: name fallback covers the empty-name edge case */
+        const subject = name || 'this package'
         return {
           allowScripts,
           changes,
@@ -211,6 +214,7 @@ const applyApprovalForPackage = (existing, nodes, { pin = true } = {}) => {
       }
     }
 
+    /* istanbul ignore else: name === null is the no-identity path tested separately */
     if (name && allowScripts[name] !== true) {
       allowScripts[name] = true
       changes.push({ key: name, change: 'added' })
@@ -262,7 +266,7 @@ const applyApprovalForPackage = (existing, nodes, { pin = true } = {}) => {
 
 // Apply a deny for a single package. Always name-only; ignores `--pin`.
 const applyDenyForPackage = (existing, nodes) => {
-  const allowScripts = { ...(existing || {}) }
+  const allowScripts = { ...existing }
   const changes = []
 
   if (!Array.isArray(nodes) || nodes.length === 0) {
 
@@ -61,6 +61,7 @@ exports[`test/lib/commands/completion.js TAP completion multiple command names >
 Array [
   String(
     access
+    approve-scripts
     audit
     author
     add
 
@@ -301,19 +301,22 @@ to the same value as the current version.
 * Default: ""
 * Type: String (can be set multiple times)
 
-Comma-separated list of packages whose install scripts (\`preinstall\`,
-\`install\`, \`postinstall\`) are allowed to run. Used as a fallback when no
-\`allowScripts\` field is set in the root project's \`package.json\`, and for
-global/npx contexts where no project \`package.json\` exists.
+Comma-separated list of packages whose install-time lifecycle scripts
+(\`preinstall\`, \`install\`, \`postinstall\`, and \`prepare\` for non-registry
+dependencies) are allowed to run. Used as a fallback when no \`allowScripts\`
+field is set in the root project's \`package.json\`, and for global/npx
+contexts where no project \`package.json\` exists.
 
-The \`package.json\` \`allowScripts\` field takes precedence over this setting.
-Layers are not merged: the first source in the precedence chain that defines
-any allowlist configuration wins for the entire install.
+Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. CLI flags take precedence over
+\`package.json\`, which takes precedence over this setting. Layers are not
+merged.
 
-This setting is part of an opt-in install-script policy. In the current
-release, scripts are not blocked by default; this setting prepares your
-project for a future release that will block dependency install scripts
-unless they are explicitly allowed.
+This setting is part of an opt-in install-script policy that will land
+across multiple npm releases. In this release, install scripts still run as
+they always have. Setting this field does not block anything; it records
+your intent so the install command can list the packages that would still
+need to be reviewed before the future release that flips the default.
 
 
 
@@ -511,14 +514,15 @@ are same as \`cpu\` field of package.json, which comes from \`process.arch\`.
 * Default: false
 * Type: Boolean
 
-When \`true\`, all dependency install scripts run regardless of the
-\`allowScripts\` field in \`package.json\` or the \`allow-scripts\` config. This
-is an escape hatch for migration and emergency use; its use is strongly
-discouraged.
+Reserved for a future release. When that release lands, setting this to
+\`true\` will tell npm to run every dependency install script regardless of
+the \`allowScripts\` policy — an escape hatch for migration. Its use will be
+strongly discouraged.
 
-This setting has no effect in the current release, where dependency install
-scripts already run by default. It is reserved for a future release that
-will block them unless explicitly allowed.
+In this release, install scripts still run as they always have, so this
+setting has no effect on install behaviour. The flag is registered now so
+projects can pin it in their tooling ahead of the release that flips the
+default.
 
 
 
@@ -1893,13 +1897,13 @@ this warning is treated as a failure.
 * Default: false
 * Type: Boolean
 
-When \`true\`, any dependency install script that is blocked by the
-\`allowScripts\` policy causes the install to fail with an error instead of
-printing a warning and continuing.
+Reserved for a future release. When that release lands, setting this to
+\`true\` will turn the install-script policy from a warning into a hard error:
+any unreviewed install script will fail the install instead of being skipped
+with a notice.
 
-This setting has no effect in the current release, where dependency install
-scripts run by default and no scripts are blocked. It is reserved for a
-future release that will block install scripts unless explicitly allowed.
+In this release, install scripts still run as they always have, so this
+setting has no effect on install behaviour.
 
 
 
@@ -3236,13 +3240,13 @@ Options:
     Limits the ability for npm to fetch dependencies from urls.
 
   --allow-scripts
-    Comma-separated list of packages whose install scripts (\`preinstall\`,
+    Comma-separated list of packages whose install-time lifecycle scripts
 
   --strict-script-builds
-    When \`true\`, any dependency install script that is blocked by the
+    Reserved for a future release. When that release lands, setting this
 
   --dangerously-allow-all-scripts
-    When \`true\`, all dependency install scripts run regardless of the
+    Reserved for a future release. When that release lands, setting this
 
   --audit
     When "true" submit audit reports alongside the current npm command to the
@@ -3779,6 +3783,8 @@ Options:
 [--package <package-spec> [--package <package-spec> ...]] [-c|--call <call>]
 [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
 [--workspaces] [--include-workspace-root]
+[--allow-scripts <package-list> [--allow-scripts <package-list> ...]]
+[--strict-script-builds] [--dangerously-allow-all-scripts]
 
   --package
     The package or packages to install for [\`npm exec\`](/commands/npm-exec)
@@ -3795,6 +3801,15 @@ Options:
   --include-workspace-root
     Include the workspace root when workspaces are enabled for a command.
 
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-script-builds
+    Reserved for a future release. When that release lands, setting this
+
+  --dangerously-allow-all-scripts
+    Reserved for a future release. When that release lands, setting this
+
 
 alias: x
 
@@ -3814,6 +3829,9 @@ alias: x
 #### \`workspace\`
 #### \`workspaces\`
 #### \`include-workspace-root\`
+#### \`allow-scripts\`
+#### \`strict-script-builds\`
+#### \`dangerously-allow-all-scripts\`
 `
 
 exports[`test/lib/docs.js TAP usage explain > must match snapshot 1`] = `
@@ -4232,13 +4250,13 @@ Options:
     Limits the ability for npm to fetch dependencies from urls.
 
   --allow-scripts
-    Comma-separated list of packages whose install scripts (\`preinstall\`,
+    Comma-separated list of packages whose install-time lifecycle scripts
 
   --strict-script-builds
-    When \`true\`, any dependency install script that is blocked by the
+    Reserved for a future release. When that release lands, setting this
 
   --dangerously-allow-all-scripts
-    When \`true\`, all dependency install scripts run regardless of the
+    Reserved for a future release. When that release lands, setting this
 
   --audit
     When "true" submit audit reports alongside the current npm command to the
@@ -4382,13 +4400,13 @@ Options:
     Limits the ability for npm to fetch dependencies from urls.
 
   --allow-scripts
-    Comma-separated list of packages whose install scripts (\`preinstall\`,
+    Comma-separated list of packages whose install-time lifecycle scripts
 
   --strict-script-builds
-    When \`true\`, any dependency install script that is blocked by the
+    Reserved for a future release. When that release lands, setting this
 
   --dangerously-allow-all-scripts
-    When \`true\`, all dependency install scripts run regardless of the
+    Reserved for a future release. When that release lands, setting this
 
   --audit
     When "true" submit audit reports alongside the current npm command to the
@@ -4528,13 +4546,13 @@ Options:
     Limits the ability for npm to fetch dependencies from urls.
 
   --allow-scripts
-    Comma-separated list of packages whose install scripts (\`preinstall\`,
+    Comma-separated list of packages whose install-time lifecycle scripts
 
   --strict-script-builds
-    When \`true\`, any dependency install script that is blocked by the
+    Reserved for a future release. When that release lands, setting this
 
   --dangerously-allow-all-scripts
-    When \`true\`, all dependency install scripts run regardless of the
+    Reserved for a future release. When that release lands, setting this
 
   --audit
     When "true" submit audit reports alongside the current npm command to the
@@ -5492,6 +5510,8 @@ npm rebuild [<package-spec>] ...]
 
 Options:
 [-g|--global] [--no-bin-links] [--foreground-scripts] [--ignore-scripts]
+[--allow-scripts <package-list> [--allow-scripts <package-list> ...]]
+[--strict-script-builds] [--dangerously-allow-all-scripts]
 [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -5507,6 +5527,15 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-script-builds
+    Reserved for a future release. When that release lands, setting this
+
+  --dangerously-allow-all-scripts
+    Reserved for a future release. When that release lands, setting this
+
   -w|--workspace
     Enable running a command in the context of the configured workspaces of the
 
@@ -5534,6 +5563,9 @@ alias: rb
 #### \`bin-links\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-scripts\`
+#### \`strict-script-builds\`
+#### \`dangerously-allow-all-scripts\`
 #### \`workspace\`
 #### \`workspaces\`
 #### \`include-workspace-root\`
@@ -6217,8 +6249,11 @@ Options:
 [--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
 [--include <prod|dev|optional|peer> [--include <prod|dev|optional|peer> ...]]
 [--strict-peer-deps] [--no-package-lock] [--foreground-scripts]
-[--ignore-scripts] [--no-audit] [--before <date>|--min-release-age <days>]
-[--no-bin-links] [--no-fund] [--dry-run]
+[--ignore-scripts]
+[--allow-scripts <package-list> [--allow-scripts <package-list> ...]]
+[--strict-script-builds] [--dangerously-allow-all-scripts] [--no-audit]
+[--before <date>|--min-release-age <days>] [--no-bin-links] [--no-fund]
+[--dry-run]
 [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -6255,6 +6290,15 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-script-builds
+    Reserved for a future release. When that release lands, setting this
+
+  --dangerously-allow-all-scripts
+    Reserved for a future release. When that release lands, setting this
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
@@ -6304,6 +6348,9 @@ aliases: u, up, upgrade, udpate
 #### \`package-lock\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-scripts\`
+#### \`strict-script-builds\`
+#### \`dangerously-allow-all-scripts\`
 #### \`audit\`
 #### \`before\`
 #### \`min-release-age\`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ class AllowScriptsCmd extends BaseCommand {`
`30`	`30`	`static ignoreImplicitWorkspace = false`
`31`	`31`
`32`	`32`	`// Subclasses set this.`
	`33`	`+ /* istanbul ignore next */`
`33`	`34`	`get verb () {`
`34`	`35`	`throw new Error('verb must be implemented by subclass')`
`35`	`36`	`}`
`@@ -214,6 +215,7 @@ class AllowScriptsCmd extends BaseCommand {`
`214`	`215`	`summary.push({ name, changes: result.changes })`
`215`	`216`	`}`
`216`	`217`
	`218`	`+ /* istanbul ignore else: writePolicyChanges only called when changes are expected */`
`217`	`219`	`if (updated !== existing) {`
`218`	`220`	`pkg.update({ allowScripts: updated })`
`219`	`221`	`await pkg.save()`
-Original file line number
+Diff line change
 Array [
   String(
     access
 +    approve-scripts
     audit
     author
     add