> The resulting allowlist is written to package.json
Couldn’t this effectively result in the same process we get in pre-12 defaults?
It's unstated, but I'm willing to assume that only the root package.json is consulted to decide if these scripts are allowed. Otherwise, yes, this would not actually change anything.