> The resulting allowlist is written to package.json
Couldn’t this effectively result in the same process we get in pre-12 defaults?
It's unstated, but I'm willing to assume that only the root package.json is consulted to decide if these scripts are allowed. Otherwise, yes, this would not actually change anything.
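To make the distinction in the reply above concrete, here is an added example (not code from the thread or from any package manager) that audits a constructed `node_modules` tree for packages declaring install-time lifecycle hooks and checks them against an allowlist, either read from the root `package.json` only or, as the "changes nothing" case, from any `package.json` in the tree. The allowlist key name `allowedInstallScripts` and all manifests are assumptions constructed for the example.

```python
import json

# Lifecycle hooks that run at install time and are the usual supply-chain concern.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Hypothetical key name for the allowlist; real package managers use their own key.
ALLOWLIST_KEY = "allowedInstallScripts"

# Constructed sample tree: path -> package.json contents (root manifest first).
SAMPLE_TREE = {
    "package.json": json.dumps({
        "name": "app",
        ALLOWLIST_KEY: ["esbuild"],
    }),
    "node_modules/esbuild/package.json": json.dumps({
        "name": "esbuild",
        "scripts": {"postinstall": "node install.js"},
    }),
    "node_modules/left-pad/package.json": json.dumps({
        "name": "left-pad",
    }),
    # A dependency that ships its own allowlist naming itself: if nested
    # manifests were consulted, it could grant itself script execution.
    "node_modules/sneaky/package.json": json.dumps({
        "name": "sneaky",
        "scripts": {"preinstall": "node setup.js"},
        ALLOWLIST_KEY: ["sneaky"],
    }),
    "node_modules/sneaky/node_modules/nested/package.json": json.dumps({
        "name": "nested",
        "scripts": {"install": "node build.js"},
    }),
}


def packages_with_hooks(tree):
    """Map package name -> declared lifecycle hooks for every non-root manifest."""
    found = {}
    for path, text in tree.items():
        if path == "package.json":
            continue
        manifest = json.loads(text)
        hooks = [h for h in LIFECYCLE_HOOKS if h in manifest.get("scripts", {})]
        if hooks:
            found[manifest["name"]] = hooks
    return found


def root_allowlist(tree):
    """Allowlist taken from the project's root manifest only."""
    return set(json.loads(tree["package.json"]).get(ALLOWLIST_KEY, []))


def any_manifest_allowlist(tree):
    """Union of allowlists from every manifest in the tree (the weak policy)."""
    allowed = set()
    for text in tree.values():
        allowed |= set(json.loads(text).get(ALLOWLIST_KEY, []))
    return allowed


def evaluate(tree, root_only=True):
    """Return (allowed, blocked) sorted package names that declare hooks."""
    allowed_names = root_allowlist(tree) if root_only else any_manifest_allowlist(tree)
    hooks = packages_with_hooks(tree)
    allowed = sorted(name for name in hooks if name in allowed_names)
    blocked = sorted(name for name in hooks if name not in allowed_names)
    return allowed, blocked


if __name__ == "__main__":
    for root_only in (True, False):
        allowed, blocked = evaluate(SAMPLE_TREE, root_only=root_only)
        policy = "root manifest only" if root_only else "any manifest"
        print(f"[{policy}] allowed={allowed} blocked={blocked}")
```

Under the root-only policy, only `esbuild` may run its hook; `sneaky` and `nested` are blocked even though `sneaky` lists itself. Under the any-manifest policy, `sneaky` is allowed, which is the outcome the question above is concerned about.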
Thanks for the sanity check!
Had a quick read on my mobile, and that was my first impression.
Guess it's more of a way to make the maintainers accountable instead of making npm reputation the main focus.