a tool for only running dependency lifecycle hooks specified in an allowlist
add the package to start using it in your project. be sure to include the @lavamoat/ namespace in the package name
yarn add -D @lavamoat/allow-scriptsautomatically generate a configuration (that skips all lifecycle scripts) and write into package.json. edit as necesary.
yarn allow-scripts autoconfiguration goes in package.json
{
"lavamoat": {
"allowScripts": {
"keccak": true,
"core-js": false
}
}
}disable all scripts by default inside .yarnrc or .npmrc
ignore-scripts true
consider adding @lavamoat/preinstall-always-fail to ensure you never accidently run install scripts
yarn add -D @lavamoat/preinstall-always-fail
run all lifecycle scripts for packages specified in package.json
yarn allow-scriptsprints comprehension of configuration and dependencies with lifecycle scripts
yarn allow-scripts listconsider adding a "setup" npm script for all your post-install steps. no magic here, this is just a regular script. but using this will ensure you run your allowed scripts. its also a good place to add other post-processing commands you use. In the future when you add additional post-processing scripts, e.g. patch-package, you can add them to this "setup" script.
you will need to make an effort to remember to run yarn setup instead of just yarn 🧘
{
"scripts": {
"setup": "yarn install && yarn allow-scripts && ..."
}
}