From 2ce033a7c37c692cf9c94ee3b1dec112d5f43ceb Mon Sep 17 00:00:00 2001 From: baudbot-agent Date: Tue, 17 Mar 2026 17:18:00 +0000 Subject: [PATCH] fix: disable install scripts in benchmarks for consistent measurement MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add --ignore-scripts to package managers that run lifecycle scripts by default, so benchmarks measure dependency resolution + linking only — not arbitrary postinstall work (downloading binaries, native builds, etc). Changes per package manager: npm: added --ignore-scripts (runs scripts by default) yarn classic: added --ignore-scripts (runs scripts by default) yarn berry: no change (scripts disabled by default since v2) zpm (yarn 6): no change (inherits berry default) pnpm v10+: no change (scripts blocked by default, needs approve-builds) vlt: no change (doesn't run scripts by default) bun: added --ignore-scripts (runs scripts by default) deno: removed --allow-scripts (scripts disabled by default) Also added --ignore-scripts to the registry benchmark npm install command (scripts/registry/common.sh). --- scripts/registry/common.sh | 2 +- scripts/variations/common.sh | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/scripts/registry/common.sh b/scripts/registry/common.sh index acd5fd2f7e..e562f51c6c 100644 --- a/scripts/registry/common.sh +++ b/scripts/registry/common.sh @@ -57,7 +57,7 @@ fi # Base npm install command (without .npmrc setup) # --prefer-online ensures npm always fetches from the network rather than # relying on any cached metadata, so we measure actual registry performance. -BENCH_NPM_INSTALL="npm install --prefer-online --no-audit --no-fund --no-update-notifier --loglevel=$BENCH_LOGLEVEL $FORCE_FLAG" +BENCH_NPM_INSTALL="npm install --prefer-online --no-audit --no-fund --no-update-notifier --ignore-scripts --loglevel=$BENCH_LOGLEVEL $FORCE_FLAG" # Registry definitions BENCH_REGISTRY_NPM_URL="https://registry.npmjs.org/" diff --git a/scripts/variations/common.sh b/scripts/variations/common.sh index 6c0f6f1f20..bc5ed68ead 100644 --- a/scripts/variations/common.sh +++ b/scripts/variations/common.sh @@ -79,15 +79,20 @@ BENCH_SETUP_TURBO="" BENCH_SETUP_VP="" BENCH_SETUP_NODE="" -# Bare install commands (no log redirection) — used by strace process counting -BENCH_INSTALL_NPM="npm install --no-audit --no-fund --silent" -BENCH_INSTALL_YARN="corepack yarn@1 install --silent" +# Bare install commands (no log redirection) — used by strace process counting. +# Install scripts are disabled where the PM runs them by default, so benchmarks +# measure dependency resolution + linking only (not arbitrary postinstall work). +# npm, yarn classic, bun: run scripts by default → --ignore-scripts +# berry, zpm, pnpm v10+, vlt: don't run scripts by default → no flag needed +# deno: doesn't run scripts by default → removed --allow-scripts +BENCH_INSTALL_NPM="npm install --no-audit --no-fund --ignore-scripts --silent" +BENCH_INSTALL_YARN="corepack yarn@1 install --ignore-scripts --silent" BENCH_INSTALL_BERRY="corepack yarn@latest install" BENCH_INSTALL_ZPM="yarn install --silent" BENCH_INSTALL_PNPM="corepack pnpm@latest install --silent" BENCH_INSTALL_VLT="vlt install --view=silent" -BENCH_INSTALL_BUN="bun install --silent" -BENCH_INSTALL_DENO="deno install --allow-scripts --quiet" +BENCH_INSTALL_BUN="bun install --ignore-scripts --silent" +BENCH_INSTALL_DENO="deno install --quiet" BENCH_COMMAND_NPM="timeout $BENCH_TIMEOUT $BENCH_INSTALL_NPM >> $BENCH_OUTPUT_FOLDER/npm-output-\${HYPERFINE_ITERATION}.log 2>&1" BENCH_COMMAND_YARN="timeout $BENCH_TIMEOUT $BENCH_INSTALL_YARN > $BENCH_OUTPUT_FOLDER/yarn-output-\${HYPERFINE_ITERATION}.log 2>&1"