preinstall script fails to block other package managers

[karthikappiah]

As per the docs, to prevent other package managers , I used this preinstall script to your package.json:

{
	"scripts": {
		"preinstall": "npx only-allow pnpm"
	}
}

Its expected behavior is to block these edge cases (and thus only allow PNPM):

• npm i
• npm i package
• npm i -D package

However, its observed behavior blocks npm i from running, but allows npm i package and npm i -D package to run.
Even though only-allow blocks npm i from running, npm i still creates package-lock.json.

I tried different variations of the preinstall script, which all fail to block the aforementioned edge cases:

• npx only-allow pnpm
• npx -y only-allow pnpm (I'm using version pnpm@10.13.1)
• only-allow pnpm (after pnpm add -D only-allow)

Unfortunately—until this problem is fixed—I cannot rely on the package only-allow!

Are there any workarounds? If so, I'd appreciate them in the documentation–I can help!

[karthikappiah]

My Workaround

As per the NPM docs, since Node v16.9.0 (backported to v14.19.0):

1. Create a file, if it doesn't already exist, named .npmrc at the root of your project.
2. Set the following configuration variable in your .npmrc to true:

engine-strict=true

3. Specify the following fields in your package.json:

{
  "devEngines": {
    "runtime": {
      "name": "node",
      "onFail": "error"
    },
    "packageManager": {
      "name": "pnpm",
      "version": "10.13.1",
      "onFail": "error"
    }
  },
  "engines": {
    "node": ">=18.18.0",
    "pnpm": ">=10.0.0"
  },
}

• Now, when you run npm i or npm i -D, these commands return this error (before the preinstall script can run):

username@hostname nodejs-project % npm i -D package
npm error code EBADDEVENGINES
npm error EBADDEVENGINES The developer of this package has specified the following through devEngines
npm error EBADDEVENGINES Invalid engine "packageManager"
npm error EBADDEVENGINES Invalid name "pnpm" does not match "npm" for "packageManager"
npm error EBADDEVENGINES {
npm error EBADDEVENGINES   current: { name: 'npm', version: '10.9.2' },
npm error EBADDEVENGINES   required: { name: 'pnpm', onFail: 'error' }
npm error EBADDEVENGINES }
npm error A complete log of this run can be found in: /Users/username/.npm/_logs/2021-08-21T00_00_00_000Z-debug-0.log

[captbunzo]

When attempting to specify packageManager like this, I get the following error:

Invalid package manager specification in package.json; expected a string