Run npm lifecycle scripts

npm packages can declare lifecycle scripts such as preinstall and postinstall that run arbitrary code during installation, a well-known supply chain attack vector. Unlike npm, Deno does not run these scripts unless you explicitly approve them. Packages with native addons (like npm:better-sqlite3) need their build scripts to work, so this tutorial walks through approving them.

Install a package that needs build scripts Jump to heading#

In a project with a package.json, install a package that declares lifecycle scripts:

$ deno install npm:better-sqlite3
...
╭ Warning
│
│  Ignored build scripts for packages:
│  npm:better-sqlite3@12.10.0
│
│  Run "deno approve-scripts" to run build scripts.
╰─

The package is installed, but its install script was skipped, so the native binding is missing and the package will fail at runtime.

Approve the scripts Jump to heading#

deno approve-scripts is the way to review and run pending scripts. Run it with no arguments for an interactive prompt listing every package with unapproved scripts, or name packages directly:

$ deno approve-scripts npm:better-sqlite3
Approved npm:better-sqlite3
Initialize better-sqlite3@12.10.0: running 'install' script

Persist approvals in deno.json Jump to heading#

To make approvals part of the project configuration so every contributor and CI run gets the same behavior, list the packages in the allowScripts field:

{
  "allowScripts": ["npm:better-sqlite3"]
}

Now a plain deno install runs the build scripts for the listed packages without any extra flags. A one-off alternative is passing --allow-scripts=npm:better-sqlite3 to deno install directly.

For more detail, see the deno approve-scripts reference and the native Node.js addons section of the deno install docs.