Feature Request: Allow suppressing workspace allowScripts warnings for intentional standalone workspace packages
Current Behavior
In an npm workspace, npm warns when a non-root workspace package has a top-level allowScripts field:
npm warn allow-scripts allowScripts in workspace project (/path/to/repo/apps/project) is ignored. Move the field to the project root package.json.
This warning is technically correct for a root workspace install, but it is not always actionable.
In our monorepo, some workspaces are Git submodules and can also be installed, developed, or released as standalone projects. Their package.json files intentionally contain their own allowScripts policy for standalone usage. When those same projects are checked out inside the parent monorepo, npm treats them as workspaces and warns on every root install.
Moving the field to the parent root is not a valid fix because the submodule must remain self-contained.
Expected Behavior
npm should provide a targeted way to suppress this warning when a workspace package intentionally keeps allowScripts for standalone use.
For example, one of:
warn-workspace-allow-scripts=false
or:
allow-scripts-warn-workspaces=false
or another narrowly scoped config name.
This should suppress only the non-root workspace allowScripts warning, without requiring loglevel=error and without hiding unrelated npm warnings.
Why This Matters
loglevel=error is currently the only practical workaround, but it suppresses too much. In CI and local development, teams still want to see peer dependency warnings, deprecations, audit warnings, and other useful npm warnings.
The current warning becomes noisy in monorepos that include standalone packages or Git submodules as workspaces. In that setup, the warning is expected and non-actionable, because the package-local policy is needed outside the parent workspace context.
Steps To Reproduce
- Create a root workspace package:
{
  "private": true,
  "workspaces": ["packages/*"]
}
- Create packages/example/package.json:
{
  "name": "example",
  "version": "1.0.0",
  "allowScripts": {
    "sharp@0.34.5": true
  }
}
- Run:
- Observe:
npm warn allow-scripts allowScripts in workspace example (.../packages/example) is ignored. Move the field to the project root package.json.
Proposed Solution
Add a narrowly scoped npm config that disables this specific warning.
Default should remain the current behavior, so users still get warned unless they explicitly opt out.
References
This warning appears to have been introduced as part of npm/cli#9360, which implemented Phase 1 of the allowScripts install-script policy from #868.
npm/cli#9360
#868
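A stopgap that drops only this warning from captured npm stderr, and only for workspaces listed as intentional, so other warnings and unlisted workspaces still show. This is an added example, not part of the original issue and not npm code: the function names and the directory allowlist are hypothetical, the sample stderr is constructed, and the warning text is the one quoted in this issue.

```javascript
// Added example, not npm code. The pattern follows the warning text quoted in
// this issue; all function and variable names are hypothetical.
const WORKSPACE_WARNING =
  /^npm warn allow-scripts allowScripts in workspace (\S+) \((.+)\) is ignored\./;

// Remove terminal colour codes so coloured output still matches (assumption:
// the captured stream may contain ANSI SGR sequences).
const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, '');

// True when the path printed in the warning ends with an allowlisted
// workspace directory, given relative to the repository root.
function isIntentional(workspacePath, intentionalDirs) {
  const p = workspacePath.replace(/\\/g, '/').replace(/\/+$/, '');
  return intentionalDirs.some((dir) => {
    const d = dir.replace(/\\/g, '/').replace(/^\.?\/+|\/+$/g, '');
    return d !== '' && (p === d || p.endsWith('/' + d));
  });
}

// Split stderr into lines, drop only allowlisted workspace warnings, and
// report which workspaces were silenced so the build log keeps a record.
function filterNpmStderr(text, intentionalDirs) {
  const kept = [];
  const suppressed = [];
  for (const line of text.split(/\r?\n/)) {
    const m = WORKSPACE_WARNING.exec(stripAnsi(line).trim());
    if (m && isIntentional(m[2], intentionalDirs)) {
      suppressed.push(m[1]);
    } else {
      kept.push(line); // unrelated warnings pass through unchanged
    }
  }
  return { output: kept.join('\n'), suppressed };
}

// Constructed sample stderr (not captured from a real run).
const SAMPLE = [
  'npm warn deprecated some-dep@1.0.0: constructed deprecation notice',
  'npm warn allow-scripts allowScripts in workspace example (/repo/packages/example) is ignored. Move the field to the project root package.json.',
  'npm warn allow-scripts allowScripts in workspace other (/repo/packages/other) is ignored. Move the field to the project root package.json.',
].join('\n');

function demo() {
  return filterNpmStderr(SAMPLE, ['packages/example']);
}

console.log(demo());
```

The warning for `other` stays in the output because that workspace is not on the allowlist, so a newly added workspace whose `allowScripts` policy is being ignored is still surfaced.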