{
  "id": "P004",
  "slug": "npm-allow-list-lifecycle-scripts-scoped-package-blocked-allow-scripts-package-name-scope",
  "status": "search-observed",
  "product": "npm",
  "family": "Security default flip",
  "canonical_url": "https://gitdocs.org/fix/npm-allow-list-lifecycle-scripts-scoped-package-blocked-allow-scripts-package-name-scope",
  "query_alias_url": "https://gitdocs.org/q/npm-allow-list-lifecycle-scripts-scoped-package-blocked-allow-scripts-package-name-scope",
  "markdown_url": "https://gitdocs.org/fix/npm-allow-list-lifecycle-scripts-scoped-package-blocked-allow-scripts-package-name-scope.md",
  "json_url": "https://gitdocs.org/api/fixes/npm-allow-list-lifecycle-scripts-scoped-package-blocked-allow-scripts-package-name-scope.json",
  "canonical_query": "npm allow list lifecycle scripts scoped package blocked allow-scripts package name scope",
  "observed_codex_queries": [
    "npm allow list lifecycle scripts scoped package blocked allow-scripts package name scope",
    "\"allow-scripts\" npm scoped package",
    "\"lifecycle script remains blocked\" \"allow-list\" \"scoped package\"",
    "site:docs.npmjs.com scoped package name npm @scope/name package.json name",
    "npm docs creating and publishing scoped packages @scope/package"
  ],
  "organic_dependency_search_count": 5,
  "affected_versions": "",
  "exact_errors": [],
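  "diagnosis": "The repository shows only the old configuration and a generic denial; the newly required allow-list or opt-out is identified only by the current external policy, so the fix has to be checked against that policy rather than inferred from the repository alone.",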
  "before": "",
  "after": "",
  "verification": "The hidden verifier checks the least-permissive current configuration and confirms that the blocked capability is restored without globally disabling the protection. Verify that only the exact packages/sources needed by the application are allowed.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad, unsafe bypass (such as globally disabling the protection) when a narrow compatibility fix is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/",
      "label": "Upcoming breaking changes for npm v12"
    }
  ],
  "source_github_links": []
}
