audit-allow-builds


Audit allowBuilds packages

Workflow for packages explicitly allowed to run lifecycle/build scripts (preinstall / install / postinstall) under pnpm’s allowBuilds map. These are the highest-risk install surface after a maintainer hijack or typosquat.

Pair with fix-dependency-security (audit, SFW, workspace policy) and upgrade-packages (bumps that may add new script runners).

Why this is separate

Control                                   What it blocks
pnpm audit                                Known CVEs in resolved versions
minimumReleaseAge / blockExoticSubdeps    Fresh or exotic installs
trustPolicy: no-downgrade                 Weaker npm trust evidence vs prior release
allowBuilds                               Which packages may execute code at install time

A package can pass audit and still ship a malicious postinstall in a new patch release. Re-audit the allowBuilds entries after lockfile changes, incident news, or approving new build runners.
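The re-audit step described above, as an added example that is not part of the p10ns11y/skills skill: a Node.js script that reads the allowBuilds map from pnpm-workspace.yaml and the resolved versions from pnpm-lock.yaml, then compares each allowed package against the versions recorded at the last audit. Entries whose resolved version changed are flagged for review, entries no longer in the lockfile are flagged as stale, and entries set to false are listed as denied. The YAML excerpts, package names and the LAST_AUDITED record are constructed; the two parsers handle only that flat subset (a real YAML parser belongs in production use), and keeping a "last audited versions" file is an assumed team convention, not a pnpm feature.

```javascript
// Added example (not from p10ns11y/skills or pnpm): re-audit pnpm allowBuilds
// entries against the versions currently resolved in pnpm-lock.yaml.
// The parsers below cover only the flat YAML subset in the constructed samples.

// Constructed excerpt of pnpm-workspace.yaml: allowBuilds is a flat map of
// package name -> boolean.
const WORKSPACE_YAML = `
packages:
  - 'apps/*'
allowBuilds:
  esbuild: true
  '@scope/native-addon': true
  some-old-dep: true
  canvas: false
`;

// Constructed excerpt of pnpm-lock.yaml (lockfile v9 style "name@version" keys,
// optionally followed by a "(peer@version)" suffix).
const LOCK_YAML = `
lockfileVersion: '9.0'

packages:

  esbuild@0.25.1:
    resolution: {integrity: sha512-placeholder}
    hasBin: true

  '@scope/native-addon@2.0.0':
    resolution: {integrity: sha512-placeholder}

  canvas@3.1.0:
    resolution: {integrity: sha512-placeholder}

  react@19.0.0(typescript@5.8.0):
    resolution: {integrity: sha512-placeholder}
`;

// Constructed record of the versions reviewed at the last allowBuilds audit
// (assumed convention: committed alongside the lockfile).
const LAST_AUDITED = {
  esbuild: '0.25.0',
  '@scope/native-addon': '2.0.0',
  'some-old-dep': '1.0.0',
};

// Extract the allowBuilds map: lines of "  name: true|false" under "allowBuilds:".
function parseAllowBuilds(yamlText) {
  const out = {};
  let inBlock = false;
  for (const raw of yamlText.split('\n')) {
    if (/^allowBuilds:\s*$/.test(raw)) { inBlock = true; continue; }
    if (!inBlock) continue;
    const m = raw.match(/^\s+'?([^':]+)'?:\s*(true|false)\s*$/);
    if (!m) { if (raw.trim() !== '') inBlock = false; continue; }
    out[m[1]] = m[2] === 'true';
  }
  return out;
}

// Extract name -> resolved version from the "packages:" section of the lockfile.
function parseLockPackages(yamlText) {
  const versions = {};
  let inPackages = false;
  for (const raw of yamlText.split('\n')) {
    if (/^packages:\s*$/.test(raw)) { inPackages = true; continue; }
    if (!inPackages) continue;
    if (/^\S/.test(raw)) { inPackages = false; continue; } // next top-level section
    const m = raw.match(/^  '?([^'\s]+?)'?:\s*$/); // exactly two-space indent = package key
    if (!m) continue;
    const key = m[1].replace(/\(.*$/, ''); // drop peer-dependency suffix
    const at = key.lastIndexOf('@'); // scoped names contain a leading '@'
    if (at <= 0) continue;
    versions[key.slice(0, at)] = key.slice(at + 1);
  }
  return versions;
}

// Classify every allowBuilds entry relative to the lockfile and the audit baseline.
function auditAllowBuilds(allowBuilds, resolved, lastAudited) {
  const report = { changed: [], unchanged: [], stale: [], denied: [] };
  for (const [name, allowed] of Object.entries(allowBuilds)) {
    if (!allowed) { report.denied.push(name); continue; }
    const current = resolved[name];
    if (current === undefined) { report.stale.push(name); continue; } // allowed but no longer installed
    const previous = lastAudited[name];
    if (previous === current) report.unchanged.push(name);
    else report.changed.push({ name, from: previous ?? null, to: current }); // needs re-review
  }
  return report;
}

console.log(JSON.stringify(
  auditAllowBuilds(parseAllowBuilds(WORKSPACE_YAML), parseLockPackages(LOCK_YAML), LAST_AUDITED),
  null, 2));
```

Anything in `changed` is a package that may run code at install time and whose contents have not been looked at since the previous version; `stale` entries should be removed so the allow list does not silently re-enable a package that is later re-added.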

Repository: p10ns11y/skills
First seen: Jun 8, 2026