Security default flip

npm transitive git dependency blocked security default git dependency prepare scripts

The top-level package is from the registry, but resolution fails when it reaches an indirect git dependency.


Agent Quick Fix

Repair against the current npm contract, then keep the change narrow and source-backed.

Product: npm
Current-contract area: Transitive git dependency unexpectedly blocked
Likely root cause: The top-level package is from the registry, but resolution fails when it reaches an indirect git dependency.
Repair direction: A hidden verifier checks for the least-permissive current configuration and confirms that the blocked capability is restored without globally disabling the protection. Verify that only the exact packages/sources needed by the application are allowed.
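
To scope the repair to the exact sources involved, the indirect git dependencies can be read out of the lockfile. The following is an added example, not npm's code or part of the original page: it assumes a package-lock.json with lockfileVersion 2 or 3, and the package names, repository URL and commit in the sample are constructed placeholders.

```javascript
// Added example (not npm's code): list git-sourced entries in a package-lock.json
// (lockfileVersion 2 or 3) and flag the ones the application does not declare itself.
const GIT_RESOLVED = /^git(\+(ssh|https?|file))?:\/\//;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

function findGitDependencies(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  // Names declared by the root package; everything else arrived indirectly.
  const direct = new Set(DEP_FIELDS.flatMap((f) => Object.keys(root[f] || {})));
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue; // skip the root entry and workspace links
    if (typeof entry.resolved !== "string" || !GIT_RESOLVED.test(entry.resolved)) continue;
    const i = path.lastIndexOf(marker);
    const name = i < 0 ? path : path.slice(i + marker.length); // keeps "@scope/name" intact
    const nested = path.indexOf(marker) !== i; // installed under another package
    const [source, commit = null] = entry.resolved.split("#");
    findings.push({ name, path, source, commit, transitive: nested || !direct.has(name) });
  }
  return findings;
}

// Constructed sample: a registry package that pulls in a git dependency (hypothetical names).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "registry-lib": "^1.0.0" } },
    "node_modules/registry-lib": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/registry-lib/-/registry-lib-1.0.0.tgz",
      dependencies: { "git-helper": "github:example-org/git-helper" },
    },
    "node_modules/git-helper": {
      version: "0.3.1",
      resolved: "git+ssh://git@github.com/example-org/git-helper.git#0000000000000000000000000000000000000000",
    },
  },
};

console.log(JSON.stringify(findGitDependencies(SAMPLE_LOCK), null, 2));
```

Each finding names one git source and its pinned commit, which is the list to compare against whatever narrow allowance the current npm contract requires.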

Symptom

The top-level package is from the registry, but resolution fails when it reaches an indirect git dependency.

Why This Happens

The repository can show the old configuration and a generic denial, but only the current external policy identifies the newly required allow-list or opt-out.

Common Wrong Fixes

  • Changing local code without checking the current external contract.
  • Retrying the same install, build, or API call with no version/source change.
  • Applying a broad unsafe bypass when a narrow compatibility fix is available.

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

npm transitive git dependency blocked security default git dependency prepare scripts
npm install fails transitive git dependency security change prepare script git dependency npm 7
"transitive git dependency" npm blocked
npm v7 block git dependencies security default
site:docs.npmjs.com package.json git url dependencies npm install git dependencies
npm package spec git dependencies docs npm package-spec
"security default" "npm" "git" dependency

Source Trail