Studio: auto-sync allowScripts pins after dependency bumps (#6136)

* Studio: npm v12 readiness for install-script gating

npm 12 (July 2026) stops running dependency install scripts unless they
are approved via allowScripts, and npm 11.16 already warns. Studio has
no git or remote URL deps anywhere, so script gating is the only
exposure:

- commit the allowScripts policy that npm approve-scripts writes for
  @biomejs/biome and msw, plus a manual fsevents entry: the tooling
  cannot match a darwin-only optional dep from Linux, but the strict
  check walks the platform independent ideal tree and flags it anyway
- drop the minimum-release-age npmrc alias; npm >=11.16 flags it as an
  unknown project config that stops working in npm 12
- approve bun's postinstall in the setup.sh / setup.ps1 bun bootstrap;
  under npm 12 defaults npm install -g bun otherwise leaves a broken
  stub and setup falls back to the slower npm install path
- fix the stale esbuild comment in studio-frontend-ci.yml: the vite 8
  chain ships napi binaries with no install scripts

* Studio: auto-sync allowScripts pins after dependency bumps

The allowScripts entries from #6128 are version pinned, so a biome or
msw bump strands the pin and the approval silently stops matching.
Dependabot cannot maintain the field, so:

- scripts/sync_allow_scripts_pins.py re-pins existing entries from the
  versions package-lock.json actually resolves. It never adds or
  removes entries, so approving a new script-bearing package stays a
  human decision. Bare names and non-exact specs are left alone.
- a pre-commit hook runs it with --fix; pre-commit.ci pushes the fix
  commit to PR branches, Dependabot's included, so stale pins heal
  without a human in the loop
- a Frontend CI step runs --check plus the offline unit tests as the
  backstop when pre-commit.ci is skipped

No dependabot.yml change needed: the /studio/frontend entry already
suppresses version PRs (security only) behind a 7 day cooldown.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Make the sync hook robust to lost executable bits

The pre-commit.ci autofix commit dropped the script's exec bit, which
breaks a shebang-style entry. Invoke via python instead and restore
the bit.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
This commit is contained in:
Daniel Han 2026-06-10 02:35:37 -07:00 committed by GitHub
parent 87deee7fbd
commit f41617ad9f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 306 additions and 0 deletions

View file

@ -17,6 +17,8 @@ on:
- 'studio/frontend/**'
- 'scripts/check_frontend_dep_removal.py'
- 'tests/studio/test_frontend_dep_removal.py'
- 'scripts/sync_allow_scripts_pins.py'
- 'tests/studio/test_sync_allow_scripts_pins.py'
- '.github/workflows/studio-frontend-ci.yml'
push:
branches: [main, pip]
@ -68,6 +70,14 @@ jobs:
working-directory: ${{ github.workspace }}
run: python3 scripts/lockfile_supply_chain_audit.py
# Dependency bumps strand the version-pinned allowScripts entries.
# The paired pre-commit hook auto-fixes PRs; this is the backstop.
- name: allowScripts pins must match the lockfile
working-directory: ${{ github.workspace }}
run: |
python3 tests/studio/test_sync_allow_scripts_pins.py
python3 scripts/sync_allow_scripts_pins.py --check
- name: Lockfile must agree with package.json (npm ci is strict)
# The vite 8 chain (rolldown, lightningcss, tailwind oxide) ships napi
# binaries with no install scripts. The only script-bearing deps are

View file

@ -19,3 +19,15 @@ repos:
exclude: '(chat_templates|ollama_template_mappers|_auto_install|mapper)\.py$'
additional_dependencies:
- ruff==0.6.9
# Re-pins allowScripts entries after dependency bumps. pre-commit.ci
# pushes the fix to PR branches, Dependabot's included, so stale pins
# heal without a human in the loop.
- id: sync-allow-scripts-pins
name: Sync allowScripts pins with the frontend lockfile
# `python <script>` not a direct exec: autofix commits can drop the
# executable bit, which kills shebang-style entries.
entry: python scripts/sync_allow_scripts_pins.py
args: [--fix]
language: python
files: ^studio/frontend/(package\.json|package-lock\.json)$
pass_filenames: false

View file

@ -0,0 +1,143 @@
#!/usr/bin/env python3
"""Keep `allowScripts` pins in studio/frontend/package.json in sync with
package-lock.json.
`npm approve-scripts` writes version-pinned entries ("pkg@1.2.3": true).
A dependency bump strands the pin, so the approval (or denial) silently
stops matching and the package's install scripts fall back to
"unreviewed". This tool re-pins existing entries to the versions the
lockfile actually resolves; it never adds or removes entries, so
approving a brand-new script-bearing package stays a human decision.
Usage:
python scripts/sync_allow_scripts_pins.py --check # CI: exit 1 on drift
python scripts/sync_allow_scripts_pins.py --fix # rewrite package.json
Pinned keys follow npm's allowScripts grammar: "name@1.2.3" or
"name@1.2.3 || 1.2.4". Bare names (no version) match every version and
are left alone. Entries whose range is not an exact-version disjunction
(wildcards, tags) are left alone too.
"""
from __future__ import annotations
import argparse
import json
import re
import sys
from pathlib import Path
REPO_ROOT = Path(__file__).resolve().parents[1]
DEFAULT_DIR = REPO_ROOT / "studio" / "frontend"
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$")
def split_spec(key: str) -> tuple[str, str | None]:
"""'@scope/name@1.2.3' -> ('@scope/name', '1.2.3'); bare names -> (key, None)."""
if key.startswith("@"):
rest = key[1:]
if "@" not in rest:
return key, None
name, rng = rest.split("@", 1)
return "@" + name, rng
if "@" not in key:
return key, None
name, rng = key.split("@", 1)
return name, rng
def is_exact_disjunction(rng: str) -> bool:
parts = [p.strip() for p in rng.split("||")]
return all(EXACT_VERSION_RE.match(p) for p in parts) and bool(parts)
def version_sort_key(version: str) -> tuple:
release = version.split("-", 1)[0].split("+", 1)[0]
return tuple(int(x) for x in release.split(".")), version
def script_versions_from_lock(lock: dict) -> dict[str, list[str]]:
"""Map package name -> sorted versions that carry install scripts."""
out: dict[str, set[str]] = {}
for path, meta in (lock.get("packages") or {}).items():
if not path or not meta.get("hasInstallScript"):
continue
name = path.rsplit("node_modules/", 1)[-1]
version = meta.get("version")
if name and version:
out.setdefault(name, set()).add(version)
return {n: sorted(vs, key = version_sort_key) for n, vs in out.items()}
def desired_key(name: str, versions: list[str]) -> str:
return f"{name}@{' || '.join(versions)}"
def compute_renames(policy: dict, lock_versions: dict[str, list[str]]) -> dict[str, str]:
renames: dict[str, str] = {}
for key in policy:
name, rng = split_spec(key)
if rng is None or not is_exact_disjunction(rng):
continue # bare name or non-exact spec: matches by name, never stale
versions = lock_versions.get(name)
if not versions:
continue # package gone or script-free now: stale pin is inert
want = desired_key(name, versions)
if key != want:
renames[key] = want
return renames
def main(argv: list[str] | None = None) -> int:
ap = argparse.ArgumentParser(description = __doc__)
mode = ap.add_mutually_exclusive_group(required = True)
mode.add_argument("--check", action = "store_true", help = "exit 1 if pins are stale")
mode.add_argument("--fix", action = "store_true", help = "rewrite package.json in place")
ap.add_argument(
"--dir",
type = Path,
default = DEFAULT_DIR,
help = "directory holding package.json + package-lock.json",
)
args = ap.parse_args(argv)
pkg_path = args.dir / "package.json"
lock_path = args.dir / "package-lock.json"
if not pkg_path.exists() or not lock_path.exists():
print(f"sync-allow-scripts: nothing to do ({args.dir} has no package.json + lockfile)")
return 0
pkg = json.loads(pkg_path.read_text(encoding = "utf-8"))
policy = pkg.get("allowScripts")
if not isinstance(policy, dict) or not policy:
print("sync-allow-scripts: no allowScripts policy in package.json, nothing to do")
return 0
lock = json.loads(lock_path.read_text(encoding = "utf-8"))
renames = compute_renames(policy, script_versions_from_lock(lock))
if not renames:
print(f"sync-allow-scripts: {len(policy)} allowScripts entries in sync with the lockfile")
return 0
for old, new in renames.items():
print(f' stale pin: "{old}" -> "{new}"')
if args.check:
print(
"sync-allow-scripts: pins are stale; run "
"`python scripts/sync_allow_scripts_pins.py --fix` and commit the result"
)
return 1
pkg["allowScripts"] = {renames.get(k, k): v for k, v in policy.items()}
pkg_path.write_text(json.dumps(pkg, indent = 2, ensure_ascii = False) + "\n", encoding = "utf-8")
print(
f"sync-allow-scripts: re-pinned {len(renames)} entr{'y' if len(renames) == 1 else 'ies'} in {pkg_path}"
)
return 0
if __name__ == "__main__":
sys.exit(main())

View file

@ -0,0 +1,141 @@
#!/usr/bin/env python3
"""Offline tests for scripts/sync_allow_scripts_pins.py."""
from __future__ import annotations
import json
import sys
import tempfile
from pathlib import Path
REPO_ROOT = Path(__file__).resolve().parents[2]
sys.path.insert(0, str(REPO_ROOT / "scripts"))
import sync_allow_scripts_pins as sync # noqa: E402
def write_fixture(tmp: Path, policy: dict, lock_packages: dict) -> None:
(tmp / "package.json").write_text(
json.dumps(
{
"name": "fixture",
"dependencies": {"a": "^1.0.0"},
"allowScripts": policy,
},
indent = 2,
)
+ "\n"
)
(tmp / "package-lock.json").write_text(
json.dumps(
{
"lockfileVersion": 3,
"packages": lock_packages,
}
)
+ "\n"
)
LOCK = {
"": {"name": "fixture"},
"node_modules/@biomejs/biome": {"version": "1.9.9", "hasInstallScript": True},
"node_modules/msw": {"version": "2.15.0", "hasInstallScript": True},
"node_modules/vite/node_modules/fsevents": {"version": "2.3.3", "hasInstallScript": True},
"node_modules/clean": {"version": "3.0.0"},
}
def test_split_spec():
assert sync.split_spec("fsevents") == ("fsevents", None)
assert sync.split_spec("@biomejs/biome") == ("@biomejs/biome", None)
assert sync.split_spec("@biomejs/biome@1.9.4") == ("@biomejs/biome", "1.9.4")
assert sync.split_spec("msw@2.14.3 || 2.15.0") == ("msw", "2.14.3 || 2.15.0")
def test_in_sync_is_clean():
with tempfile.TemporaryDirectory() as d:
tmp = Path(d)
write_fixture(
tmp,
{
"@biomejs/biome@1.9.9": True,
"msw@2.15.0": True,
"fsevents": True,
},
LOCK,
)
assert sync.main(["--check", "--dir", str(tmp)]) == 0
def test_stale_pin_fails_check_and_fix_repairs():
with tempfile.TemporaryDirectory() as d:
tmp = Path(d)
write_fixture(
tmp,
{
"@biomejs/biome@1.9.4": True, # stale, bumped to 1.9.9
"msw@2.14.3": False, # stale denial, bumped to 2.15.0
"fsevents": True, # bare: never stale
"ghost@9.9.9": True, # not in lockfile: left alone
"weird@*": True, # non-exact spec: left alone
},
LOCK,
)
assert sync.main(["--check", "--dir", str(tmp)]) == 1
assert sync.main(["--fix", "--dir", str(tmp)]) == 0
got = json.loads((tmp / "package.json").read_text())["allowScripts"]
assert got == {
"@biomejs/biome@1.9.9": True,
"msw@2.15.0": False, # value and key order preserved
"fsevents": True,
"ghost@9.9.9": True,
"weird@*": True,
}
assert list(got) == [
"@biomejs/biome@1.9.9",
"msw@2.15.0",
"fsevents",
"ghost@9.9.9",
"weird@*",
]
assert sync.main(["--check", "--dir", str(tmp)]) == 0
def test_multi_version_disjunction():
lock = dict(LOCK)
lock["node_modules/x/node_modules/msw"] = {"version": "2.14.3", "hasInstallScript": True}
with tempfile.TemporaryDirectory() as d:
tmp = Path(d)
write_fixture(tmp, {"msw@2.14.3": True}, lock)
assert sync.main(["--fix", "--dir", str(tmp)]) == 0
got = json.loads((tmp / "package.json").read_text())["allowScripts"]
assert got == {"msw@2.14.3 || 2.15.0": True}
def test_no_policy_is_noop():
with tempfile.TemporaryDirectory() as d:
tmp = Path(d)
(tmp / "package.json").write_text(json.dumps({"name": "fixture"}) + "\n")
(tmp / "package-lock.json").write_text(json.dumps({"packages": {}}) + "\n")
before = (tmp / "package.json").read_text()
assert sync.main(["--fix", "--dir", str(tmp)]) == 0
assert (tmp / "package.json").read_text() == before
def test_missing_files_is_noop():
with tempfile.TemporaryDirectory() as d:
assert sync.main(["--check", "--dir", d]) == 0
if __name__ == "__main__":
failures = 0
for name, fn in sorted(globals().items()):
if name.startswith("test_") and callable(fn):
try:
fn()
print(f"PASS {name}")
except AssertionError as e:
failures += 1
print(f"FAIL {name}: {e}")
sys.exit(1 if failures else 0)