rush trust
    rush trust [subcommand] [flags]

Manages which packages are allowed to run install-time lifecycle scripts (preinstall, install, postinstall). Running rush trust with no subcommand lists the current trust state.
Why trust exists
Packages that declare install hooks are blocked by default — they can’t run arbitrary code on your machine without your explicit approval. This protects against supply-chain attacks where a malicious package uses install hooks to exfiltrate data or modify your system.
After rush install, blocked packages are reported:

    2 packages have install scripts that were not run.
    Run rush trust add <name> to allow them.
      - esbuild (0.21.5)
      - sharp (0.33.4)

Subcommands
rush trust — list

    rush trust [--verbose]

Displays two sections:
- Trusted — packages listed in trustedDependencies in package.json
- Blocked — packages found in node_modules/ that declare scripts but aren’t trusted

    Trusted: (2)
    - esbuild
    - sharp

    Blocked: (1)
    - canvas (1.6.17)

    note: run rush trust add <name> to allow install scripts

rush trust add — trust a package

    rush trust add <package> [<package> ...]

Adds one or more package names to trustedDependencies in package.json. On the next rush install, their lifecycle scripts will run automatically.

    rush trust add esbuild
    rush trust add node-gyp canvas sharp

rush trust remove — untrust a package

    rush trust remove <package> [<package> ...]

Alias: rush trust rm
Removes package names from trustedDependencies in package.json. Their scripts will be blocked on the next install.

    rush trust remove esbuild

trustedDependencies in package.json
The trust list is stored as a top-level field in package.json:

    {
      "name": "my-app",
      "dependencies": {
        "esbuild": "^0.21.5",
        "sharp": "^0.33.4"
      },
      "trustedDependencies": ["esbuild", "sharp"]
    }

You can edit this list by hand or use rush trust add / rush trust remove.
Skipping trust checks
Pass --ignore-scripts to rush install or rush add to skip both trusted script execution and blocked-script reporting for that run:

    rush install --ignore-scripts