only-allow doesn't block other package managers
As per the docs, to prevent other package managers, I added this preinstall script to my package.json:
Its expected behavior is to block these edge cases (and thus only allow PNPM):
- npm i
- npm i package
- npm i -D package
However, its observed behavior blocks npm i from running, but allows npm i package and npm i -D package to run.
Even though only-allow blocks npm i from running, npm i still creates package-lock.json.
I tried different variations of the preinstall script, which all fail to block the aforementioned edge cases:
- npx only-allow pnpm
- npx -y only-allow pnpm (I'm using version pnpm@10.13.1)
- only-allow pnpm (after pnpm add -D only-allow)
Unfortunately—until this problem is fixed—I cannot rely on the package only-allow!
I created an issue on their GitHub (for those of you curious enough to follow the thread).
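Added example, not part of the original post or of the only-allow project: since the post reports that the preinstall hook does not stop `npm i package` and that `package-lock.json` still gets created, a CI step can check the repository state itself instead of relying on the hook. The function names and the `allowed` parameter are assumptions made for this sketch; the lockfile names and the `packageManager` field in package.json are the real ones, and the sample input is constructed.

```javascript
// Lockfiles written by each package manager (real file names).
const LOCKFILES = {
  npm: ['package-lock.json', 'npm-shrinkwrap.json'],
  yarn: ['yarn.lock'],
  pnpm: ['pnpm-lock.yaml'],
  bun: ['bun.lockb', 'bun.lock'],
};

// Pure check (hypothetical helper): given the file names in the repo root
// and the parsed package.json, return a list of human-readable violations.
function findViolations(fileNames, pkg, allowed = 'pnpm') {
  const present = new Set(fileNames);
  const violations = [];
  for (const [manager, files] of Object.entries(LOCKFILES)) {
    const found = files.filter((f) => present.has(f));
    if (manager === allowed) {
      if (found.length === 0) {
        violations.push(`missing ${allowed} lockfile (${files.join(' or ')})`);
      }
    } else {
      for (const f of found) violations.push(`foreign lockfile from ${manager}: ${f}`);
    }
  }
  // The packageManager field pins the expected tool and version.
  const pinned = typeof pkg.packageManager === 'string' ? pkg.packageManager : '';
  if (!pinned.startsWith(`${allowed}@`)) {
    violations.push(`packageManager is "${pinned || 'unset'}", expected ${allowed}@<version>`);
  }
  return violations;
}

// Filesystem wrapper for CI use: checkRepo('.') resolves to the violations.
async function checkRepo(dir, allowed = 'pnpm') {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const names = await fs.readdir(dir);
  const pkg = JSON.parse(await fs.readFile(path.join(dir, 'package.json'), 'utf8'));
  return findViolations(names, pkg, allowed);
}

// Constructed sample: the repo state the post describes after npm has run.
const sampleFiles = ['package.json', 'pnpm-lock.yaml', 'package-lock.json', 'src'];
const samplePkg = { name: 'demo', packageManager: 'pnpm@10.13.1' };
console.log(findViolations(sampleFiles, samplePkg));
```

Failing the CI job when `checkRepo('.')` returns a non-empty list catches a stray lockfile regardless of which install command produced it.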