Fail on unreviewed build scripts (strict-dep-builds)
strict-dep-builds is a pnpm setting (pnpm ≥ 10.3) that turns a silently skipped dependency
build script into a hard install failure. Instead of quietly ignoring an unreviewed lifecycle script, the
install stops and forces you to make an explicit decision about whether that dependency may run code.
What it does
By default, pnpm does not run dependency build (lifecycle) scripts, such as postinstall,
unless they are on an approved allowlist. Without strict mode, dependencies that want to run a build
script but have not been approved are simply skipped, often without you noticing.
With strict-dep-builds enabled, an install fails (exits with a non-zero code)
when a dependency wants to run a build script that has not been reviewed or approved. That turns “a new
dependency quietly wants to run code at install time” into an explicit, visible decision you must make,
rather than something that slips past in the install output.
For the authoritative description, see the pnpm settings documentation.
Relationship to ignore-scripts
This setting pairs with ignore-scripts.
ignore-scripts disables automatic script execution so nothing runs at install time by default;
strict-dep-builds makes the unreviewed case a hard error so it cannot be missed. They are
complementary: one stops scripts from running silently, the other makes sure any dependency that still wants to
run a script gets surfaced as a decision instead of a silent skip.
Turn it on
Where the setting lives depends on your pnpm version. Use the rc form for pnpm ≤ 10, and the workspace or global YAML form for pnpm ≥ 11.
pnpm ≤ 10 (.npmrc / rc)
strict-dep-builds=true
pnpm ≥ 11 (pnpm-workspace.yaml or global config.yaml)
strictDepBuilds: true
The rc form uses the key strict-dep-builds; the YAML form uses the camelCase key strictDepBuilds. Pick the file that matches your pnpm version.
Why it matters
Supply chain payloads frequently rely on build and lifecycle scripts running at install time. That is how a compromised package gets its code to execute on your machine or in CI. If an unreviewed build script is skipped silently, you have no signal that a dependency tried to run code; if it is allowed to run because no one looked, the attack succeeds.
Failing loudly on unreviewed build scripts, rather than skipping them silently, forces a human to review the dependency before it can run anything. The Shai-Hulud npm worm is one example of script-triggered malware that relied on install-time execution to spread.
Let DepsGuard set it up
DepsGuard detects your pnpm setup, checks whether strict-dep-builds is configured, and writes the
right key in the right file for your pnpm version, with a diff preview and a backup before any change, so
you can see exactly what will be applied.
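As an added example (not DepsGuard's or pnpm's own code), the following Node script applies the version rule from "Turn it on" and the check described in this section: it picks the config file for a given pnpm version, scans that file's text for the key in the form that file expects, and reports the line to add when the setting is missing. It assumes the key names and the version split stated on this page and that the rc form lives in .npmrc; file contents are passed in as strings so it runs offline against the constructed sample.

```javascript
// Added example, not DepsGuard's or pnpm's code. Assumes (from this page):
// rc form "strict-dep-builds=true" in .npmrc for pnpm <= 10,
// YAML form "strictDepBuilds: true" in pnpm-workspace.yaml for pnpm >= 11.

// Which file should carry the setting for a given pnpm version string.
function configFileFor(pnpmVersion) {
  const major = parseInt(String(pnpmVersion).split('.')[0], 10);
  if (Number.isNaN(major)) throw new Error(`unparseable pnpm version: ${pnpmVersion}`);
  return major >= 11 ? 'pnpm-workspace.yaml' : '.npmrc';
}

// rc (.npmrc) scan: "key=value" lines, "#"/";" comment lines, last assignment wins.
function rcStrictDepBuilds(text) {
  let value;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    if (line.slice(0, eq).trim() === 'strict-dep-builds') value = line.slice(eq + 1).trim();
  }
  return value === 'true';
}

// Minimal YAML scan for one top-level boolean key; indented (nested) or
// commented-out occurrences do not count, trailing "# ..." comments are ignored.
function yamlStrictDepBuilds(text) {
  let value;
  for (const raw of text.split(/\r?\n/)) {
    const m = /^strictDepBuilds\s*:\s*(\S+)/.exec(raw.replace(/\s+#.*$/, ''));
    if (m) value = m[1];
  }
  return value === 'true';
}

// files: { '.npmrc': '...', 'pnpm-workspace.yaml': '...' } already read from disk.
// Returns the file to inspect, whether strict mode is on, and the line to add if not.
function checkStrictDepBuilds(pnpmVersion, files) {
  const file = configFileFor(pnpmVersion);
  const text = files[file] || '';
  const enabled = file === '.npmrc' ? rcStrictDepBuilds(text) : yamlStrictDepBuilds(text);
  const fixLine = file === '.npmrc' ? 'strict-dep-builds=true' : 'strictDepBuilds: true';
  return { file, enabled, fixLine: enabled ? null : fixLine };
}

// Constructed sample: a pnpm 10 project whose .npmrc has the key commented out.
const sampleFiles = { '.npmrc': '# strict-dep-builds=true\nignore-scripts=true\n' };
console.log(checkStrictDepBuilds('10.12.0', sampleFiles));
// { file: '.npmrc', enabled: false, fixLine: 'strict-dep-builds=true' }
```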