Allowlist/denylist policy for running dependency lifecycle scripts.
Mirrors pnpm’s createAllowBuildFunction — given an allowBuilds
map (Record<string, boolean>) and a dangerouslyAllowAllBuilds
flag, produce a function from (pkgName, version) to an allow /
deny / unspecified decision. Unspecified means “fall through to the
caller’s default,” which for aube is always “deny.”
Entry shapes
Keys in the allowBuilds map support three forms:
- "esbuild" — bare name, matches every version of the package
- "esbuild@0.19.0" — exact version match
- "esbuild@0.19.0 || 0.20.0" — exact version union
Semver ranges are intentionally not supported, matching pnpm’s
expandPackageVersionSpecs behavior: if you pin a version in the
allowlist you’re asserting a specific build has been audited, so
range matching would defeat the point.
Name patterns may also contain * wildcards, mirroring pnpm’s
@pnpm/config.matcher. @babel/* matches every package under the
@babel scope, *-loader matches any name ending in -loader,
and a bare * matches every package. * is the only supported
metacharacter and always matches a possibly-empty run of any
characters. Wildcards must stand alone — combining them with a
version spec (@babel/*@1.0.0) is rejected, since a wildcard
name can’t be used to assert “this exact build was audited.”
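An added, self-contained illustration of the lookup semantics described above (entry parsing, `*` wildcard matching, exact-version unions, rejection of wildcard-plus-version keys, and the allow / deny / unspecified result). The names and the rule precedence here are assumptions of this example, not aube's own BuildPolicy / AllowDecision implementation:

```rust
// Added illustration of the allow/deny/unspecified lookup described above; the
// names here are hypothetical and not aube's own BuildPolicy/AllowDecision API.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Decision { Allow, Deny, Unspecified }
/// One parsed allowBuilds entry: name pattern, optional exact-version set, verdict.
pub type Rule = (String, Option<Vec<String>>, bool);

/// `*` matches any possibly-empty run of characters; everything else is literal.
pub fn wildcard_match(pattern: &str, name: &str) -> bool {
    let parts: Vec<&str> = pattern.split('*').collect();
    let (first, last) = (parts[0], parts[parts.len() - 1]);
    if parts.len() == 1 { return pattern == name; }
    if !name.starts_with(first) { return false; }
    let mut rest = &name[first.len()..];
    for part in &parts[1..parts.len() - 1] {
        match rest.find(part) { Some(p) => rest = &rest[p + part.len()..], None => return false }
    }
    rest.ends_with(last)
}

/// Parse an allowBuilds map; a wildcard name combined with a version spec is rejected.
pub fn parse_rules(allow_builds: &[(&str, bool)]) -> Result<Vec<Rule>, String> {
    let mut rules: Vec<Rule> = Vec::new();
    for &(key, allow) in allow_builds {
        // A leading '@' is the scope, so only a later '@' separates the version spec.
        let (name, spec) = match key.rfind('@').filter(|&i| i > 0) {
            Some(i) => (&key[..i], Some(&key[i + 1..])),
            None => (key, None),
        };
        if name.contains('*') && spec.is_some() {
            return Err(format!("wildcard name cannot carry a version spec: {key}"));
        }
        // Exact-version unions ("a || b") only; semver ranges are never expanded.
        let versions = spec.map(|s| s.split("||").map(|v| v.trim().to_string()).collect());
        rules.push((name.to_string(), versions, allow));
    }
    Ok(rules)
}

/// First matching rule wins; with no match, dangerouslyAllowAllBuilds yields Allow, else Unspecified (assumed ordering).
pub fn decide(rules: &[Rule], dangerously_allow_all_builds: bool, pkg: &str, version: &str) -> Decision {
    for (name, versions, allow) in rules {
        let version_ok = versions.as_ref().map_or(true, |vs| vs.iter().any(|v| v.as_str() == version));
        if wildcard_match(name, pkg) && version_ok {
            return if *allow { Decision::Allow } else { Decision::Deny };
        }
    }
    if dangerously_allow_all_builds { Decision::Allow } else { Decision::Unspecified }
}
```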
Structs
- BuildPolicy: Resolved policy for deciding whether a package may run its lifecycle scripts.
Enums
- AllowDecision: The decision for a single (name, version) lookup.
- BuildPolicyError