Summary
The published @google/genai package (currently 1.52.0) carries the project's full development/build scripts block in its package.json. Several of these are lifecycle hooks that npm executes (or references) on the consumer side, even though they do nothing useful outside the SDK's own build:
Why it matters
preinstall runs on every consumer install. Because it's a real lifecycle hook, any project that depends on @google/genai executes echo 'preinstall: no-op' on npm install. It does nothing, but it trips supply-chain tooling that gates install scripts — npm allow-scripts wrappers, pnpm's onlyBuiltDependencies, Bun's trusted-dependencies prompt, etc. Each downstream consumer is forced to explicitly allow-list an install script that has no effect, which erodes the signal those gates are meant to provide.
prepare points at a file that isn't in the tarball. The files allowlist ships only dist/ (+ a couple of package.json shims), so scripts/prepare.js is excluded from the published artifact. prepare doesn't run on a registry install, but it does run on a git-dependency install (npm i googleapis/js-genai#...), where it would fail because scripts/ is absent.
These are artifacts of the internal build manifest leaking into the published one — the registry artifact only needs the runtime dist/ output, not the build/test/lint/docs scripts.
Observed output
Under an install-script gate (here, an allow-scripts wrapper over npm), @google/genai's preinstall must be explicitly approved despite being a no-op:
npm warn allow-scripts install scripts not yet covered by allowScripts:
npm warn allow-scripts @google/genai@1.52.0 (preinstall: echo 'preinstall: no-op')
npm warn allow-scripts
npm warn allow-scripts Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts <pkg>` to allow.
Suggested fix
Strip dev/build lifecycle scripts from the published manifest while keeping them in the source repo. Common approaches:
- A publish-time package.json rewrite (e.g. clean-publish) that drops scripts (or all but a curated allowlist).
- Move anything consumers genuinely need into publishConfig, and keep dev scripts out of the published file.
At minimum, removing the no-op preinstall would stop the needless install-time execution on every downstream project.
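The two halves of that fix, as an added example rather than anything from the js-genai repository: an audit step that lists which lifecycle hooks in a manifest would execute on a consumer's machine (and which point at paths outside the files allowlist, the prepare failure mode above), and a publish-time rewrite that keeps only an explicit script allowlist. The sample manifest is constructed for the example; the preinstall command is the one quoted in this report, while the other script commands are placeholders, not the project's real scripts. Only Node.js built-ins are used.

```javascript
// Added example (not code from the js-genai project): audit a package manifest for
// install-time lifecycle hooks and produce a publish-ready copy with dev/build
// scripts stripped. Plain Node.js, no dependencies.

// npm lifecycle scripts that run (or may run) on the consumer's machine at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Report the install-time hooks present in a manifest, so a dependency review can
// see exactly what would execute on `npm install` before approving the package.
function installTimeHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((name) => name in scripts).map((name) => ({
    hook: name,
    command: scripts[name],
    // A hook that only echoes still executes, but has no effect worth gating.
    noop: /^echo\b/.test(scripts[name].trim()),
  }));
}

// Hooks whose first "dir/..." path token is not covered by the `files` allowlist:
// these fail on a git-dependency install, where `prepare` does run.
function hooksReferencingUnshippedFiles(pkg) {
  const shipped = (pkg.files || []).map((f) => f.replace(/\/$/, ""));
  return installTimeHooks(pkg)
    .filter(({ command }) => {
      const m = command.match(/\b([\w.-]+)\/[\w./-]+/);
      return m !== null && !shipped.includes(m[1]);
    })
    .map(({ hook }) => hook);
}

// Return a copy of the manifest whose `scripts` keeps only an explicit allowlist.
// The source repo's package.json is untouched; this copy is what goes in the tarball.
function stripDevScripts(pkg, keep = []) {
  const out = { ...pkg };
  const kept = Object.fromEntries(
    Object.entries(pkg.scripts || {}).filter(([name]) => keep.includes(name)),
  );
  if (Object.keys(kept).length > 0) out.scripts = kept;
  else delete out.scripts;
  return out;
}

// Constructed sample manifest modelled on the report: a no-op preinstall and a
// prepare script pointing at a directory outside `files`. Every command except
// preinstall is an illustrative placeholder, not the project's real script.
const SAMPLE_MANIFEST = {
  name: "@google/genai",
  version: "1.52.0",
  files: ["dist"],
  scripts: {
    preinstall: "echo 'preinstall: no-op'",
    prepare: "node scripts/prepare.js",
    build: "tsc",
    test: "jasmine",
  },
};

console.log("install-time hooks:", installTimeHooks(SAMPLE_MANIFEST));
console.log("hooks referencing unshipped paths:", hooksReferencingUnshippedFiles(SAMPLE_MANIFEST));
console.log("publish manifest:", JSON.stringify(stripDevScripts(SAMPLE_MANIFEST), null, 2));
```

Running stripDevScripts with an empty allowlist is the conservative default for a runtime-only package like this one: the published manifest then carries no scripts block at all, so install-script gates have nothing to prompt about. Anything a consumer genuinely needs is named in the keep list, which makes the decision to ship an install hook a deliberate, reviewable one.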
Environment
- @google/genai 1.52.0 (observed from the published npm tarball)
- Reproducible on any platform — npm install @google/genai with an install-script gate enabled will flag preinstall.