preinstall script fails to block other package managers

[ZeLinguist]

As per the docs, to prevent other package managers , I used this preinstall script to your package.json:

{
	"scripts": {
		"preinstall": "npx only-allow pnpm"
	}
}

Its expected behavior is to block these edge cases (and thus only allow PNPM):

• npm i
• npm i package
• npm i -D package

However, its observed behavior blocks npm i from running, but allows npm i package and npm i -D package to run.
Even though only-allow blocks npm i from running, npm i still creates package-lock.json.

I tried different variations of the preinstall script, which all fail to block the aforementioned edge cases:

• npx only-allow pnpm
• npx -y only-allow pnpm (I'm using version pnpm@10.13.1)
• only-allow pnpm (after pnpm add -D only-allow)

Unfortunately—until this problem is fixed—I cannot rely on the package only-allow!

Are there any workarounds? If so, I'd appreciate them in the documentation–I can help!

[ZeLinguist]

My Workaround

As per the NPM docs, since Node v16.9.0 (backported to v14.19.0):

1. Create a file, if it doesn't already exist, named .npmrc at the root of your project.
2. Set the following configuration variable in your .npmrc to true:

engine-strict=true

3. Specify the following fields in your package.json:

{
  "devEngines": {
    "runtime": {
      "name": "node",
      "onFail": "error"
    },
    "packageManager": {
      "name": "pnpm",
      "version": "10.13.1",
      "onFail": "error"
    }
  },
  "engines": {
    "node": ">=18.18.0",
    "pnpm": ">=10.0.0"
  },
}

• Now, when you run npm i or npm i -D, these commands return this error (before the preinstall script can run):

username@hostname nodejs-project % npm i -D package
npm error code EBADDEVENGINES
npm error EBADDEVENGINES The developer of this package has specified the following through devEngines
npm error EBADDEVENGINES Invalid engine "packageManager"
npm error EBADDEVENGINES Invalid name "pnpm" does not match "npm" for "packageManager"
npm error EBADDEVENGINES {
npm error EBADDEVENGINES   current: { name: 'npm', version: '10.9.2' },
npm error EBADDEVENGINES   required: { name: 'pnpm', onFail: 'error' }
npm error EBADDEVENGINES }
npm error A complete log of this run can be found in: /Users/username/.npm/_logs/2021-08-21T00_00_00_000Z-debug-0.log

[captbunzo]

When attempting to specify packageManager like this, I get the following error:

Invalid package manager specification in package.json; expected a string

[hooper-hc]

My Workaround

As per the NPM docs, since Node v16.9.0 (backported to v14.19.0):

1. Create a file, if it doesn't already exist, named .npmrc at the root of your project.
2. Set the following configuration variable in your .npmrc to true:

engine-strict=true

3. Specify the following fields in your package.json:

{
  "devEngines": {
    "runtime": {
      "name": "node",
      "onFail": "error"
    },
    "packageManager": {
      "name": "pnpm",
      "version": "10.13.1",
      "onFail": "error"
    }
  },
  "engines": {
    "node": ">=18.18.0",
    "pnpm": ">=10.0.0"
  },
}

• Now, when you run npm i or npm i -D, these commands return this error (before the preinstall script can run):

username@hostname nodejs-project % npm i -D package
npm error code EBADDEVENGINES
npm error EBADDEVENGINES The developer of this package has specified the following through devEngines
npm error EBADDEVENGINES Invalid engine "packageManager"
npm error EBADDEVENGINES Invalid name "pnpm" does not match "npm" for "packageManager"
npm error EBADDEVENGINES {
npm error EBADDEVENGINES   current: { name: 'npm', version: '10.9.2' },
npm error EBADDEVENGINES   required: { name: 'pnpm', onFail: 'error' }
npm error EBADDEVENGINES }
npm error A complete log of this run can be found in: /Users/username/.npm/_logs/2021-08-21T00_00_00_000Z-debug-0.log

我试了好久 怎么 only-allow 在 npm 9 + 不生效，还在想咋整。 原来可以这样。 那这个库不如原地解散算了

[kweij]

The workaround mentioned above works for completely blocking all npm commands. However, for SBOM generation I need to be able to either run npm sbom or cdxgen --type js (which runs npm list).

I'd love this package to work as intended and be able to only allow pnpm to install dependencies. That way I can use npm for other harmless commands.

EDIT: The cause for this package not working with npm is this bug in npm: npm/cli#2660

I suppose this issue could be closed, with this reference to npm dropping the ball (since v7 😭)