feat: add default untrusted list (#4)

zkochan · web-flow · commit 100be8a54139 · 2026-03-23T14:57:02.000+01:00
* feat: add default untrusted list for packages with unnecessary postinstall scripts

* feat: generate allowBuilds.json as Record&lt;string, boolean&gt; for pnpm v11

* fix: run update-list before tests to generate allowBuilds.json

* fix: lazy-load allowBuilds.json so tests work without generating it

* fix: don't overwrite untrusted entries in allowBuilds.json and remove network-dependent pretest
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+allowBuilds.json
diff --git a/index.js b/index.js
@@ -1 +1,6 @@
 module.exports.TRUSTED_PACKAGE_NAMES = require('./allow.json')
+
+Object.defineProperty(module.exports, 'DEFAULT_ALLOW_BUILDS', {
+  get () { return require('./allowBuilds.json') },
+  enumerable: true,
+})
diff --git a/package.json b/package.json
@@ -6,6 +6,8 @@
   "files": [
     "index.js",
     "allow.json",
+    "allowBuilds.json",
+    "untrusted.js",
     "pnpmfile.cjs"
   ],
   "scripts": {
diff --git a/pnpmfile.cjs b/pnpmfile.cjs
@@ -4,10 +4,16 @@ module.exports = {
       const pnpmMajor = parseInt(config.packageManager?.version?.split('.')[0] ?? '0', 10)
       const useAllowBuilds = pnpmMajor >= 11
       const defaultAllowed = require('./allow.json')
+      const defaultUntrusted = require('./untrusted.js')
       if (useAllowBuilds) {
         if (config.allowBuilds == null) {
           config.allowBuilds = {}
         }
+        for (const untrusted of defaultUntrusted) {
+          if (config.allowBuilds[untrusted] == null) {
+            config.allowBuilds[untrusted] = false
+          }
+        }
         for (const allowed of defaultAllowed) {
           if (config.allowBuilds[allowed] == null) {
             config.allowBuilds[allowed] = true
@@ -17,14 +23,14 @@ module.exports = {
         if (config.onlyBuiltDependencies == null) {
           config.onlyBuiltDependencies = []
         }
-        if (!config.ignoredBuiltDependencies?.length) {
-          config.onlyBuiltDependencies.push(...defaultAllowed)
-        } else {
-          const ignored = new Set(config.ignoredBuiltDependencies)
-          for (const allowed of defaultAllowed) {
-            if (!ignored.has(allowed)) {
-              config.onlyBuiltDependencies.push(allowed)
-            }
+        if (config.ignoredBuiltDependencies == null) {
+          config.ignoredBuiltDependencies = []
+        }
+        config.ignoredBuiltDependencies.push(...defaultUntrusted)
+        const ignored = new Set(config.ignoredBuiltDependencies)
+        for (const allowed of defaultAllowed) {
+          if (!ignored.has(allowed)) {
+            config.onlyBuiltDependencies.push(allowed)
           }
         }
       }
diff --git a/test.js b/test.js
@@ -17,6 +17,15 @@ test('populates onlyBuiltDependencies for pnpm < 11', () => {
   assert.equal(config.allowBuilds, undefined)
 })
 
+test('excludes untrusted packages for pnpm < 11', () => {
+  const config = {
+    packageManager: { version: '10.28.1' },
+  }
+  pnpmfile.hooks.updateConfig(config)
+  assert(!config.onlyBuiltDependencies.includes('core-js'))
+  assert(config.ignoredBuiltDependencies.includes('core-js'))
+})
+
 test('do not reenable dependency builds for pnpm < 11', () => {
   const config = {
     packageManager: { version: '10.28.1' },
@@ -38,6 +47,23 @@ test('populates allowBuilds for pnpm >= 11', () => {
   assert.equal(config.onlyBuiltDependencies, undefined)
 })
 
+test('excludes untrusted packages for pnpm >= 11', () => {
+  const config = {
+    packageManager: { version: '11.0.0' },
+  }
+  pnpmfile.hooks.updateConfig(config)
+  assert.equal(config.allowBuilds['core-js'], false)
+})
+
+test('respects user override of untrusted package for pnpm >= 11', () => {
+  const config = {
+    packageManager: { version: '11.0.0' },
+    allowBuilds: { 'core-js': true },
+  }
+  pnpmfile.hooks.updateConfig(config)
+  assert.equal(config.allowBuilds['core-js'], true)
+})
+
 test('do not reenable dependency builds for pnpm >= 11', () => {
   const config = {
     packageManager: { version: '11.0.0' },
diff --git a/untrusted.js b/untrusted.js
@@ -0,0 +1,8 @@
+module.exports = [
+  // Prints a message in postinstall script
+  'core-js',
+  'core-js-pure',
+  'es5-ext',
+  'less',
+  'protobufjs',
+]
diff --git a/updateList.ts b/updateList.ts
@@ -26,7 +26,24 @@ async function fetchToJson (
   const outPath = `allow.json`
   await writeFile(outPath, JSON.stringify(combined, null, 2), "utf8")
 
+  // Generate allowBuilds.json (Record<string, boolean>)
+  const { createRequire } = await import('node:module')
+  const require = createRequire(import.meta.url)
+  const untrusted: string[] = require('./untrusted.js')
+  const allowBuilds: Record<string, boolean> = {}
+  for (const pkg of untrusted.sort()) {
+    allowBuilds[pkg] = false
+  }
+  for (const pkg of combined) {
+    if (!(pkg in allowBuilds)) {
+      allowBuilds[pkg] = true
+    }
+  }
+  const allowBuildsPath = 'allowBuilds.json'
+  await writeFile(allowBuildsPath, JSON.stringify(allowBuilds, null, 2), "utf8")
+
   console.log(`✅  Saved ${combined.length} items to ${outPath} (${bunEntries.length} from bun + ${pnpmEntries.length} from pnpm-allow.json)`)
+  console.log(`✅  Saved ${Object.keys(allowBuilds).length} items to ${allowBuildsPath}`)
 }
 
 fetchToJson().catch((err) => {
