{
  "id": "P009",
  "slug": "npm-lifecycle-script-allow-list-workspace-root-install-blocked",
  "status": "search-observed",
  "product": "npm",
  "family": "Security default flip",
  "canonical_url": "https://gitdocs.org/fix/npm-lifecycle-script-allow-list-workspace-root-install-blocked",
  "query_alias_url": "https://gitdocs.org/q/npm-lifecycle-script-allow-list-workspace-root-install-blocked",
  "markdown_url": "https://gitdocs.org/fix/npm-lifecycle-script-allow-list-workspace-root-install-blocked.md",
  "json_url": "https://gitdocs.org/api/fixes/npm-lifecycle-script-allow-list-workspace-root-install-blocked.json",
  "canonical_query": "npm lifecycle script allow list workspace root install blocked",
  "observed_codex_queries": [
    "npm lifecycle script allow list workspace root install blocked",
    "site:docs.npmjs.com npm ignore-scripts workspaces lifecycle scripts",
    "\"onlyBuiltDependencies\" \"npm\"",
    "\"workspace-specific-script-allow-list\""
  ],
  "organic_dependency_search_count": 4,
  "affected_versions": "",
  "exact_errors": [],
  "diagnosis": "The repository shows only the old configuration and a generic denial; the newly required allow-list or opt-out is identified only by the current external policy.",
  "before": "",
  "after": "",
  "verification": "A hidden verifier checks the least-permissive current configuration and confirms that the blocked capability is restored without globally disabling the protection. Verify that only the exact packages/sources the application needs are allowed.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad, unsafe bypass (for example, globally disabling the protection) when a narrow compatibility fix is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/",
      "label": "Upcoming breaking changes for npm v12"
    }
  ],
  "source_github_links": []
}
