diff --git a/lib/manager/npm/post-update/lerna.js b/lib/manager/npm/post-update/lerna.js
index 04a17b616aa836428fe9d274f70fedbf044414e3..27e4e3fe941d7dacb3e62317731b162d7c498b90 100644
--- a/lib/manager/npm/post-update/lerna.js
+++ b/lib/manager/npm/post-update/lerna.js
@@ -31,7 +31,7 @@ async function generateLockFiles(lernaClient, tmpDir, env, skipInstalls) {
       if (skipInstalls) {
         params = '--package-lock-only --no-audit';
       } else {
-        params = '--no-audit';
+        params = '--ignore-scripts  --no-audit';
       }
     } else {
       params =
diff --git a/lib/manager/npm/post-update/npm.js b/lib/manager/npm/post-update/npm.js
index 6a90bd0c7fcd43b154dd7dbc1040339631e1fc05..7c348a7a74f379c2cc234bec43ff84d0f1721633 100644
--- a/lib/manager/npm/post-update/npm.js
+++ b/lib/manager/npm/post-update/npm.js
@@ -56,7 +56,7 @@ async function generateLockFile(tmpDir, env, filename, skipInstalls) {
     if (skipInstalls) {
       cmd += ' --package-lock-only --no-audit';
     } else {
-      cmd += ' --no-audit';
+      cmd += ' --ignore-scripts --no-audit';
     }
     logger.debug(`Using npm: ${cmd}`);
     // TODO: Switch to native util.promisify once using only node 8