vis approve-builds
Review and approve dependencies with build scripts
Scan installed dependencies for packages with lifecycle (build) scripts and surface them for explicit approval. vis blocks dependency build scripts by default; use this command to populate `security.policies.installScripts.allow` (or the native PM equivalent) for the packages you trust.
Usage
```sh
vis approve-builds [options]
```
Examples
```sh
vis approve-builds               # interactively review pending builds
vis approve-builds --all         # approve everything (pnpm only, no prompts)
vis approve-builds --sync-native # mirror installScripts.allow into the native PM config
vis approve-builds --write       # write the suggested entries into vis.config.ts
```
Options
| Option | Default | Description |
|---|---|---|
| `--all` | `false` | Approve all pending builds without prompting (pnpm only) |
| `--scan` | `false` | Force vis scanning even for pnpm (instead of delegating to `pnpm approve-builds`) |
| `--sync-native` | `false` | Sync `installScripts.allow` to the native PM config (bun: `trustedDependencies`, npm: `.npmrc`, yarn: `.yarnrc.yml`) |
| `--write` | `false` | Mutate `vis.config.ts` in place: add the unapproved packages to `security.policies.installScripts.allow` (LavaMoat `auto` parity) |
--write behavior
`--write` adds every unapproved package to `vis.config.ts` under `security.policies.installScripts.allow`. It is the non-interactive counterpart of LavaMoat's `allow-scripts auto`:
- Honors `security.pinVersions`: with pinning on, entries are written as `"<name>@<version>": true,`; otherwise as `"<name>": true,`.
- Three layouts are supported:
  - `security.policies.installScripts.allow` already exists → new entries are appended; existing keys are deduped.
  - `security.policies.installScripts` exists but has no `allow` → an `allow` block is inserted as the first child of `installScripts`.
  - Neither exists → a fresh `security: { policies: { installScripts: { allow: { ... } } } }` block is injected at the top of `defineConfig({ … })` / `export default { … }`.

If no `vis.config.{ts,js,mjs,cjs}` is found, the command reports `no-config` and prints the snippet you would paste in manually. If the file exists but cannot be anchored (no `defineConfig(` or `export default {`), the command reports `missing-anchor` and leaves the file untouched.
Output sections
When run with the vis scanner (i.e. for any non-pnpm PM, or pnpm with `--scan`), the output includes:
- Unapproved: installed packages with lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`) that are not covered by `security.policies.installScripts.allow`. Packages that ship a `binding.gyp` but no `install` script are flagged with the synthetic hook `install (binding.gyp)`, because npm runs `node-gyp rebuild` for them implicitly (LavaMoat allow-scripts parity).
- Stale `installScripts.allow` entries: patterns in `security.policies.installScripts.allow` that no longer match any installed package. Prune them from `vis.config.ts`.
- Version drift (only when `security.pinVersions: true`): entries pinned to a version that is no longer installed, with a `from → to` migration suggestion you can paste into `vis.config.ts`.

When `security.pinVersions: true`, suggested allowlist keys are emitted as `"<name>@<version>": true,` so a copy-paste covers the exact installed version.
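To make the rules above concrete, here is an added example that re-implements the triage for the three output sections (unapproved, stale, drift) and renders the `allow` snippet the `--write` section describes for the `no-config` case. This is illustration code written for this page, not vis's own implementation. It assumes a flat, in-memory list of installed manifests of the shape `{ name, version, scripts, hasBindingGyp }` (hypothetical; a real scanner would read `node_modules/*/package.json` and check for `binding.gyp`) and the allowlist object from `security.policies.installScripts.allow`. The sample input at the bottom is constructed, not taken from a real install.

```javascript
// Added example (not vis's own code): minimal re-implementation of the
// approve-builds triage, run against constructed in-memory data.
// Assumed input shape: { name, version, scripts, hasBindingGyp } per package.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Hooks a package would run at install time. A binding.gyp with no explicit
// "install" script is reported as the synthetic hook "install (binding.gyp)",
// since npm runs `node-gyp rebuild` for such packages implicitly.
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter(
    (h) => typeof scripts[h] === "string" && scripts[h].trim() !== ""
  );
  if (pkg.hasBindingGyp && !("install" in scripts)) hooks.push("install (binding.gyp)");
  return hooks;
}

// Split an allowlist key into { name, version|null }. Scoped packages start
// with "@", so only an "@" past index 0 separates the name from a pin.
function parseAllowKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, version: null };
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

// An unpinned key matches any installed version; a pinned key only its own.
function allowKeyMatches(key, pkg) {
  const { name, version } = parseAllowKey(key);
  return name === pkg.name && (version === null || version === pkg.version);
}

// Produce the three report sections: unapproved, stale, drift.
function triage(installed, allow, { pinVersions = false } = {}) {
  const allowKeys = Object.keys(allow).filter((k) => allow[k] === true);
  const unapproved = [];
  for (const pkg of installed) {
    const hooks = installHooks(pkg);
    if (hooks.length === 0) continue; // nothing would run, nothing to approve
    if (allowKeys.some((k) => allowKeyMatches(k, pkg))) continue;
    unapproved.push({
      name: pkg.name,
      version: pkg.version,
      hooks,
      // Pinned mode suggests "<name>@<version>", otherwise just "<name>".
      suggestedKey: pinVersions ? `${pkg.name}@${pkg.version}` : pkg.name,
    });
  }
  // Stale: allow entries that match no installed package at all.
  const stale = allowKeys.filter((k) => !installed.some((pkg) => allowKeyMatches(k, pkg)));
  // Drift (pinned mode only): a stale entry whose package is still installed,
  // just at another version. Reported as a from -> to migration suggestion.
  const drift = [];
  if (pinVersions) {
    for (const k of stale) {
      const { name, version } = parseAllowKey(k);
      const now = version !== null && installed.find((pkg) => pkg.name === name);
      if (now) drift.push({ from: k, to: `${name}@${now.version}` });
    }
  }
  return { unapproved, stale, drift };
}

// Render the fresh-injection layout from the --write section, i.e. the text
// you would paste into vis.config.ts when the command reports no-config.
function renderAllowSnippet(unapproved) {
  const entries = unapproved.map((u) => `        "${u.suggestedKey}": true,`);
  return [
    "security: {",
    "  policies: {",
    "    installScripts: {",
    "      allow: {",
    ...entries,
    "      },",
    "    },",
    "  },",
    "},",
  ].join("\n");
}

// Constructed sample input (not from a real node_modules tree).
const SAMPLE_INSTALLED = [
  { name: "esbuild", version: "0.21.5", scripts: { postinstall: "node install.js" } },
  { name: "@scope/native-thing", version: "2.0.0", scripts: {}, hasBindingGyp: true },
  { name: "left-pad", version: "1.3.0", scripts: { test: "node test.js" } },
  { name: "sharp", version: "0.33.4", scripts: { install: "node-gyp rebuild" } },
];
const SAMPLE_ALLOW = { "esbuild@0.21.5": true, "sharp@0.33.2": true, "old-dep": true };

const REPORT = triage(SAMPLE_INSTALLED, SAMPLE_ALLOW, { pinVersions: true });
console.log(JSON.stringify(REPORT, null, 2));
console.log(renderAllowSnippet(REPORT.unapproved));
```

With the sample data, `esbuild` is covered by its pinned entry, `left-pad` has no lifecycle hooks and is ignored, `@scope/native-thing` is unapproved via the synthetic `install (binding.gyp)` hook, and `sharp` is unapproved because its pin (`sharp@0.33.2`) no longer matches the installed `0.33.4`; that same pin shows up as stale and as drift `sharp@0.33.2 → sharp@0.33.4`, while `old-dep` is stale only.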
Related
- `vis security list`: same triage report, also available as `--json` for tooling integration.
- `vis security sync`: push the updated `installScripts.allow` to the native PM config.