Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm approve-scripts cannot approve packages whose name contains dots (e.g. cordova.plugins.diagnostic). The package is correctly detected by npm approve-scripts --allow-scripts-pending as having unreviewed install scripts, but every approval path silently fails or errors - leaving the package permanently stuck as "pending" with no CLI path to approve it.
- npm approve-scripts cordova.plugins.diagnostic - Nothing to approve; allowScripts unchanged
- npm approve-scripts cordova.plugins.diagnostic@7.3.0 - ENOMATCH: No installed packages match
- npm approve-scripts --all - silently skips it, Nothing to approve; allowScripts unchanged
The workaround is to manually edit package.json:
"allowScripts": {
"cordova.plugins.diagnostic@7.3.0": true
}
Expected Behavior
npm approve-scripts cordova.plugins.diagnostic should add "cordova.plugins.diagnostic@7.3.0": true to the allowScripts block in package.json, the same way it works for packages without dots in their name (e.g. @sentry/cli).
Steps To Reproduce
-
Create a project that depends on cordova.plugins.diagnostic
mkdir repro && cd repro
cat > package.json << 'EOF'
{
"name": "repro",
"version": "1.0.0",
"dependencies": {
"cordova.plugins.diagnostic": "7.3.0"
}
}
EOF
-
Install
npm install
-
See it flagged as pending — works correctly
npm approve-scripts --allow-scripts-pending
1 package has install scripts not yet covered by allowScripts:
cordova.plugins.diagnostic@7.3.0 (postinstall: node ./scripts/apply-modules.js)
- Try to approve - silent no-op
npm approve-scripts cordova.plugins.diagnostic
Nothing to approve; allowScripts unchanged
- Try with version specifier - ENOMATCH
npm approve-scripts cordova.plugins.diagnostic@7.3.0
npm error code ENOMATCH
npm error No installed packages match: cordova.plugins.diagnostic@7.3.0
- --all also silently skips it
npm approve-scripts --all
Nothing to approve; allowScripts unchanged
Environment
- npm: 11.16.0
- Node.js: v22.22.3
- OS Name: macOS 15.7.5
- System Model Name: MacBook Pro
Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm approve-scripts cannot approve packages whose name contains dots (e.g. cordova.plugins.diagnostic). The package is correctly detected by npm approve-scripts --allow-scripts-pending as having unreviewed install scripts, but every approval path silently fails or errors - leaving the package permanently stuck as "pending" with no CLI path to approve it.
The workaround is to manually edit package.json:
"allowScripts": {
"cordova.plugins.diagnostic@7.3.0": true
}
Expected Behavior
npm approve-scripts cordova.plugins.diagnostic should add "cordova.plugins.diagnostic@7.3.0": true to the allowScripts block in package.json, the same way it works for packages without dots in their name (e.g. @sentry/cli).
Steps To Reproduce
Create a project that depends on cordova.plugins.diagnostic
mkdir repro && cd repro
cat > package.json << 'EOF'
{
"name": "repro",
"version": "1.0.0",
"dependencies": {
"cordova.plugins.diagnostic": "7.3.0"
}
}
EOF
Install
npm install
See it flagged as pending — works correctly
npm approve-scripts --allow-scripts-pending
npm approve-scripts cordova.plugins.diagnostic
npm approve-scripts cordova.plugins.diagnostic@7.3.0
npm approve-scripts --all
Environment