From baa25aa0cfd74859dc26d06948f1a2387f4fc744 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Tue, 2 Jun 2020 23:14:43 +0200
Subject: [PATCH] fix(npm): ignore scripts even for package lock only

---
 .../post-update/__snapshots__/lerna.spec.ts.snap | 16 ++++++++--------
 .../post-update/__snapshots__/npm.spec.ts.snap   |  2 +-
 lib/manager/npm/post-update/lerna.ts             |  7 +++----
 lib/manager/npm/post-update/npm.ts               |  2 +-
 4 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/lib/manager/npm/post-update/__snapshots__/lerna.spec.ts.snap b/lib/manager/npm/post-update/__snapshots__/lerna.spec.ts.snap
index f93b73cf05..09a18a3414 100644
--- a/lib/manager/npm/post-update/__snapshots__/lerna.spec.ts.snap
+++ b/lib/manager/npm/post-update/__snapshots__/lerna.spec.ts.snap
@@ -3,7 +3,7 @@
 exports[`generateLockFiles() allows scripts for trust level high 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -20,7 +20,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@latest bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@latest bootstrap --no-ci --  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -42,7 +42,7 @@ Array [
 exports[`generateLockFiles() defaults to latest 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -59,7 +59,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@latest bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@latest bootstrap --no-ci -- --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -81,7 +81,7 @@ Array [
 exports[`generateLockFiles() generates package-lock.json files 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -98,7 +98,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@2.0.0 bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@2.0.0 bootstrap --no-ci -- --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -159,7 +159,7 @@ Array [
 exports[`generateLockFiles() maps dot files 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit",
+    "cmd": "npm install --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
@@ -176,7 +176,7 @@ Array [
     },
   },
   Object {
-    "cmd": "npx lerna@latest bootstrap --no-ci -- --package-lock-only --no-audit",
+    "cmd": "npx lerna@latest bootstrap --no-ci -- --ignore-scripts  --no-audit --package-lock-only",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
diff --git a/lib/manager/npm/post-update/__snapshots__/npm.spec.ts.snap b/lib/manager/npm/post-update/__snapshots__/npm.spec.ts.snap
index 319120c337..b44fbfc335 100644
--- a/lib/manager/npm/post-update/__snapshots__/npm.spec.ts.snap
+++ b/lib/manager/npm/post-update/__snapshots__/npm.spec.ts.snap
@@ -48,7 +48,7 @@ exports[`generateLockFile performs full install 1`] = `Array []`;
 exports[`generateLockFile performs lock file updates 1`] = `
 Array [
   Object {
-    "cmd": "npm install --package-lock-only --no-audit some-dep@1.0.1",
+    "cmd": "npm install --package-lock-only --ignore-scripts --no-audit some-dep@1.0.1",
     "options": Object {
       "cwd": "some-dir",
       "encoding": "utf-8",
diff --git a/lib/manager/npm/post-update/lerna.ts b/lib/manager/npm/post-update/lerna.ts
index 8136af093b..1cc1951fcd 100644
--- a/lib/manager/npm/post-update/lerna.ts
+++ b/lib/manager/npm/post-update/lerna.ts
@@ -36,10 +36,9 @@ export async function generateLockFiles(
       }
       cmdOptions = '--ignore-scripts --ignore-engines --ignore-platform';
     } else if (lernaClient === 'npm') {
-      if (skipInstalls === false) {
-        cmdOptions = '--ignore-scripts  --no-audit';
-      } else {
-        cmdOptions = '--package-lock-only --no-audit';
+      cmdOptions = '--ignore-scripts  --no-audit';
+      if (skipInstalls !== false) {
+        cmdOptions += ' --package-lock-only';
       }
     } else {
       logger.warn({ lernaClient }, 'Unknown lernaClient');
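Review bot: The now-unconditional `--ignore-scripts` in the npm branch has no comment saying why it must also apply on the lock-file-only path, which is exactly the assumption this commit corrects. A line such as `// always pass --ignore-scripts: lifecycle scripts from the repository being updated must not run, with or without --package-lock-only` above the assignment would keep a later refactor from dropping it again. The literal also carries a doubled space (`'--ignore-scripts  --no-audit'`) that shows up in the snapshots. The "allows scripts for trust level high" snapshot suggests code outside this hunk strips the flag by string replacement, so the spacing may be relied on and should only be normalised together with that replacement. generateLockFiles starts and ends outside the hunk.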
diff --git a/lib/manager/npm/post-update/npm.ts b/lib/manager/npm/post-update/npm.ts
index 26c3daf094..d1bd916336 100644
--- a/lib/manager/npm/post-update/npm.ts
+++ b/lib/manager/npm/post-update/npm.ts
@@ -35,7 +35,7 @@ export async function generateLockFile(
       cmdOptions += '--ignore-scripts --no-audit';
     } else {
       logger.debug('Updating lock file only');
-      cmdOptions += '--package-lock-only --no-audit';
+      cmdOptions += '--package-lock-only --ignore-scripts --no-audit';
     }
     const tagConstraint = await getNodeConstraint(config);
     const execOptions: ExecOptions = {
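Review bot: `--ignore-scripts --no-audit` is now spelled out separately in both branches of this if/else, so the script-blocking flag depends on two string literals staying in sync, and its position differs from the lerna.ts hunk in the same commit. Appending the shared flags once and adding the lock-only flag conditionally would leave one place to get it right: `cmdOptions += '--ignore-scripts --no-audit';` before the branch and `cmdOptions += ' --package-lock-only';` in the else. That changes the flag order recorded in npm.spec.ts.snap, so the snapshot would need regenerating. The if statement begins above the hunk, so its condition and any other edits to cmdOptions are not visible here.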
-- 
GitLab