| 232 | } |
| 233 | |
// Warn about dependencies whose install scripts are not yet covered by
// allowScripts. Does nothing for an empty list; otherwise emits a single
// log.warn under the 'allow-scripts' prefix made of: a count header, one line
// per package (display name, optional @version, its `event: command` pairs),
// a blank line, and whatever remediationLines(npm, names) returns.
const unreviewedScriptsMessage = (npm, unreviewedScripts) => {
  const count = unreviewedScripts.length
  if (!count) {
    return
  }

  // Routed through log.warn so --loglevel / --silent are honoured and the
  // text goes to stderr with the other informational notices; stdout stays
  // reserved for output the user explicitly requested (npm ls, npm view).
  const noun = count === 1 ? 'package has' : 'packages have'
  const report = [`${count} ${noun} install scripts not yet covered by allowScripts:`]

  // Display names are collected separately because remediationLines needs them.
  const names = []

  for (const { node, scripts } of unreviewedScripts) {
    const { name: pkgName, version: pkgVersion } = trustedDisplay(node)
    /* istanbul ignore next: every test node has a name */
    const display = pkgName || '<unknown>'
    names.push(display)

    const suffix = pkgVersion ? `@${pkgVersion}` : ''

    // NOTE(review): `cmd` is the script text of a package that has not been
    // reviewed yet (presumably read from that package's manifest) and is
    // interpolated as-is. Confirm the log layer neutralises control characters
    // and embedded newlines so a script string cannot forge extra lines in
    // this warning.
    const pairs = []
    for (const [event, cmd] of Object.entries(scripts)) {
      pairs.push(`${event}: ${cmd}`)
    }

    report.push(` ${display}${suffix} (${pairs.join('; ')})`)
  }

  log.warn(
    'allow-scripts',
    [...report, '', ...remediationLines(npm, names)].join('\n')
  )
}
| 270 | |
| 271 | // `npm approve-scripts` writes to a project package.json, which doesn't |
| 272 | // exist for global installs (it throws EGLOBAL). For those, point users at |