audit-allow-builds
Audit allowBuilds packages
Workflow for packages explicitly allowed to run lifecycle/build scripts (preinstall / install / postinstall) under pnpm’s allowBuilds map. Because these packages execute code on every developer machine and CI runner at install time, they are the highest-risk install surface after a maintainer hijack or typosquat.
Pair with fix-dependency-security (audit, SFW, workspace policy) and upgrade-packages (bumps that may add new script runners).
Why this is separate
| Control | What it blocks |
|---|---|
| `pnpm audit` | Known CVEs in resolved versions |
| `minimumReleaseAge` / `blockExoticSubdeps` | Fresh or exotic installs |
| `trustPolicy: no-downgrade` | Weaker npm trust evidence vs prior release |
| `allowBuilds` | Which packages may execute code at install time |
A package can pass audit and still ship a malicious postinstall in a new patch. Re-audit allowBuilds entries after lockfile changes, incident news, or approving new build runners.
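A script for the re-audit step above, added here as an example and not part of the skill or of pnpm itself. It assumes allowBuilds values are `true`, `false` or a version string (a string is treated as an exact pin, a simplification), that the lockfile lists resolved packages as `  name@version:` lines under `packages:` (pnpm-lock.yaml v9 style), and that the lockfile excerpt and the "last reviewed" snapshot are constructed sample data.

```javascript
// Added example: cross-check pnpm's allowBuilds map against the packages actually resolved
// in the lockfile and against the versions recorded at the last review.
// Assumptions: values are true/false or a version string treated as an exact pin;
// lockfile entries appear as "  name@version:" under a top-level "packages:" key.

const ALLOW_BUILDS = { esbuild: '0.25.0', sharp: true, 'left-pad': true, 'node-gyp-build': false };

// Constructed pnpm-lock.yaml excerpt (not a real project's lockfile; integrity values are placeholders).
const LOCKFILE = `lockfileVersion: '9.0'
packages:

  esbuild@0.25.1:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true

  sharp@0.33.5:
    resolution: {integrity: sha512-PLACEHOLDER}

  node-gyp-build@4.8.1:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Versions that were reviewed the last time allowBuilds was audited (constructed snapshot).
const LAST_REVIEWED = { esbuild: '0.25.0', sharp: '0.33.5' };

// Map package name -> resolved versions found in the "packages:" block of the lockfile.
function lockedVersions(lockText) {
  const out = {};
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false;   // another top-level key: block ended
    const m = inPackages && line.match(/^  (@?[^@\s]+)@([^\s:()]+):/);
    if (m) (out[m[1]] ||= []).push(m[2]);
  }
  return out;
}

// One finding per problem with an entry that still grants install-time execution.
function auditAllowBuilds(allow, locked, lastReviewed) {
  const findings = [];
  for (const [name, grant] of Object.entries(allow)) {
    if (grant === false) continue;                            // explicit deny: nothing runs
    const versions = locked[name] || [];
    if (versions.length === 0) { findings.push({ name, issue: 'stale-grant' }); continue; }
    if (grant === true) findings.push({ name, issue: 'unpinned-grant', versions });
    else if (!versions.every(v => v === grant)) findings.push({ name, issue: 'pin-mismatch', grant, versions });
    if (lastReviewed[name] && !versions.every(v => v === lastReviewed[name]))
      findings.push({ name, issue: 'changed-since-review', previous: lastReviewed[name], versions });
  }
  return findings;
}

console.log(JSON.stringify(auditAllowBuilds(ALLOW_BUILDS, lockedVersions(LOCKFILE), LAST_REVIEWED), null, 2));
```

Any `changed-since-review` or `pin-mismatch` finding means the package's install script has not been read at the version that will actually run; `stale-grant` entries can simply be removed.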