npm git dependency prepare script skipped explicit fetch allow built artifacts missing prepare did not execute security default flip npm

Validation Status

Codex searched organically in the validation run. No no-web counterfactual is attached to this page yet.

Symptom

The git repository downloads, but its built artifacts are missing because `prepare` did not execute.

Why This Happens

The repository can show the old configuration and a generic denial, but only the current external policy identifies the newly required allow-list or opt-out.

Verification

Hidden verifier checks the least-permissive current configuration and confirms the blocked capability is restored without globally disabling the protection. Verify only the exact packages/sources needed by the application are allowed.

Common Wrong Fixes

• Changing local code without checking the current external contract.
• Retrying the same install, build, or API call with no version/source change.
• Applying a broad unsafe bypass when a narrow compatibility fix is available.

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

npm git dependency prepare script skipped explicit fetch allow built artifacts missing prepare did not execute security default flip npm
site:docs.npmjs.com git dependencies prepare script npm install prepare
npm package json git urls prepare script dependencies
https://docs.npmjs.com/cli/v10/using-npm/scripts
'Git URLs as Dependencies' in https://docs.npmjs.com/cli/v10/configuring-npm/package-json

Source Trail

• Upcoming breaking changes for npm v12: https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
• Official reference opened by Codex: https://docs.npmjs.com/cli/v10/using-npm/scripts