Add the ability to run install scripts only for packages in an allowlist

[rgrove]

In light of recent problems with npm packages that install malware via install scripts, I've been looking for a way to only run install scripts for packages I specifically trust. It looks like this isn't a feature pnpm currently supports.

One way to do this might be to set ignore-scripts to true in .npmrc and then manually run pnpm rebuild <package> every time a new version of a trusted package is installed, but this is cumbersome and won't scale well for a team of developers.

pnpm does support a pnpm.neverBuiltDependencies field in package.json that acts as a blocklist, but this also isn't ideal because I want to block all packages from running scripts by default, and only allow a few that I trust to run scripts.

It looks like Yarn 2 supports this through a combination of setting enableScripts to false and setting a package-specific "built": true option in dependenciesMeta, although I haven't tried it and am not interested in switching to Yarn.

I'd be thrilled if pnpm supported a pnpm.onlyBuildDependencies field or something like the Yarn 2 approach via dependenciesMeta. Is this something other people would be interested in?

[rgrove]

Looks like this was implemented in 6.32.0! 🎉

https://github.com/pnpm/pnpm/releases/tag/v6.32.0

[zkochan]

yes, but it has a bug #4377