Install Supabase CLI from npm

2026-06-28 18:06:59 +00:00 · 2026-06-26 19:06:40 +02:00
9 changed files with 241 additions and 91 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,13 +46,12 @@ jobs:
      fail-fast: false
      matrix:
        os: [macos-latest, windows-latest, ubuntu-latest]
-        version: [1.0.0, latest]
+        version: [1.178.2, latest, beta]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./
        with:
          version: ${{ matrix.version }}
-          github-token: ${{ github.token }}
      - run: supabase -h

  ci:
--- a/.licenses/npm/@actions/tool-cache.dep.yml
+++ b/.licenses/npm/@actions/tool-cache.dep.yml
@@ -1,20 +0,0 @@
---
-name: "@actions/tool-cache"
-version: 4.0.0
-type: npm
-summary: Actions tool-cache lib
-homepage: https://github.com/actions/toolkit/tree/main/packages/tool-cache
-license: mit
-licenses:
-  - sources: LICENSE.md
-    text: |-
-      The MIT License (MIT)
-
-      Copyright 2019 GitHub
-
-      Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-      The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-      THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-notices: []
--- a/.licenses/npm/semver.dep.yml
+++ b/.licenses/npm/semver.dep.yml
@@ -1,26 +0,0 @@
---
-name: semver
-version: 7.7.4
-type: npm
-summary: The semantic version parser used by npm.
-homepage:
-license: isc
-licenses:
-  - sources: LICENSE
-    text: |
-      The ISC License
-
-      Copyright (c) Isaac Z. Schlueter and Contributors
-
-      Permission to use, copy, modify, and/or distribute this software for any
-      purpose with or without fee is hereby granted, provided that the above
-      copyright notice and this permission notice appear in all copies.
-
-      THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-      WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-      MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-      ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-      WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-      ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-      IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-notices: []
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ Setup the `supabase` CLI:

 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
 ```

 If `version` is omitted, the action checks the repository root for `bun.lock`,
@@ -33,20 +33,32 @@ package version through npm. If the lockfile includes package integrity
 metadata, the action verifies it against the npm registry before installing. If
 no supported lockfile is present, it falls back to `latest`.

-A specific version of the `supabase` CLI can be installed:
+The action provisions Node.js and npm internally, so runners do not need npm
+preinstalled. Runners must be able to reach the npm registry to install the CLI
+package.
+
+A fixed npm-published version, `latest`, or `beta` of the `supabase` CLI can be
+installed:

 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
    with:
      version: 2.84.2
 ```

+```yaml
+steps:
+  - uses: supabase/setup-cli@v3
+    with:
+      version: beta
+```
+
 Run `supabase db start` to execute all migrations on a fresh database:

 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
    with:
      version: latest
  - run: supabase init
@@ -60,10 +72,9 @@ on Windows and macOS runners.

 The action supports the following inputs:

-| Name           | Type   | Description                                                      | Default                           | Required |
-| -------------- | ------ | ---------------------------------------------------------------- | --------------------------------- | -------- |
-| `version`      | String | Supabase CLI version (or `latest`)                               | Root lockfile version or `latest` | false    |
-| `github-token` | String | Deprecated; no longer used now that installs resolve through npm |                                   | false    |
+| Name      | Type   | Description                                                      | Default                           | Required |
+| --------- | ------ | ---------------------------------------------------------------- | --------------------------------- | -------- |
+| `version` | String | Supabase CLI `latest`, `beta`, or fixed version published to npm | Root lockfile version or `latest` | false    |

 ## Advanced Usage

@@ -71,7 +82,7 @@ Check generated TypeScript types are up-to-date with Postgres schema:

 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
  - run: supabase init
  - run: supabase db start
  - name: Verify generated types match Postgres schema
@@ -94,7 +105,7 @@ env:
  PROJECT_ID: <project-id>

 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
  - run: supabase link --project-ref $PROJECT_ID
  - run: supabase db push
 ```
@@ -103,7 +114,7 @@ Export local Supabase env vars for app tests:

 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
  - run: supabase init
  - run: supabase start
  - name: Export local Supabase env vars
@@ -148,7 +159,7 @@ need to perform a few setup steps before you can work on the action.
 ## Publish

 1. Create a new GitHub release
-2. Rebase `v2` branch on `main`
+2. Rebase `v3` branch on `main`

 Your action is now published! :rocket:

@@ -165,7 +176,6 @@ steps:
  - uses: ./
    with:
      version: latest
-      github-token: ${{ github.token }}
 ```

 The CI workflow provides fast smoke coverage across GitHub-hosted runners, and
--- a/action.yml
+++ b/action.yml
@@ -3,10 +3,7 @@ description: Setup Supabase CLI, supabase, on GitHub Actions runners
 author: Supabase
 inputs:
  version:
-    description: Version of Supabase CLI to install. If omitted, detect from the root lockfile and otherwise use latest.
-    required: false
-  github-token:
-    description: Deprecated. The action now installs through npm and does not use GitHub release API requests.
+    description: Supabase CLI version to install. Supports latest, beta, or a fixed version published to npm. If omitted, detect from the root lockfile and otherwise use latest.
    required: false
 outputs:
  version:
@@ -95,6 +92,11 @@ runs:
        echo "::error::Linux musl containers need libstdc++ and libgcc to run Supabase CLI. Install them before supabase/setup-cli."
        exit 1

+    - name: Setup Node
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      with:
+        node-version: 24
+
    - name: Setup Bun
      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
--- a/docs/index.md
+++ b/docs/index.md
@@ -7,7 +7,11 @@ The action supports `ubuntu-latest`, `windows-latest`, and `macos-latest`, and
 adds the requested `supabase` version to `PATH` for the rest of the job.

 If `version` is omitted, the action checks the repository root for `bun.lock`,
-`pnpm-lock.yaml`, or `package-lock.json` and otherwise falls back to `latest`.
+`pnpm-lock.yaml`, or `package-lock.json` and otherwise falls back to npm
+`latest`.
+
+The action provisions Node.js and npm internally; runners only need network
+access to the npm registry.

 ## Quick Start

@@ -24,19 +28,27 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
-      - uses: supabase/setup-cli@v2
+      - uses: supabase/setup-cli@v3
      - run: supabase init
      - run: supabase db start
 ```

-To pin a specific CLI version:
+To pin a fixed npm-published CLI version:

 ```yaml
- uses: supabase/setup-cli@v2
+- uses: supabase/setup-cli@v3
  with:
    version: 2.84.2
 ```

+To test the current beta release:
+
+```yaml
+- uses: supabase/setup-cli@v3
+  with:
+    version: beta
+```
+
 ## Resources

 - **Source Code**: <https://github.com/supabase/setup-cli>
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "setup-cli",
-  "version": "2.0.0",
+  "version": "3.0.0",
  "private": true,
  "description": "Supabase CLI GitHub Action",
  "keywords": [
--- a/src/main.test.ts
+++ b/src/main.test.ts
@@ -18,8 +18,11 @@ afterEach(() => {
  process.env.RUNNER_TEMP = originalRunnerTemp;
  process.env.GITHUB_WORKSPACE = originalWorkspace;
  delete process.env.FAKE_CLI_VERSION;
+  delete process.env.FAKE_NPM_BIN;
  delete process.env.FAKE_NPM_INTEGRITY;
  delete process.env.FAKE_NPM_LOG;
+  delete process.env.FAKE_NPM_PACKAGE_VERSION;
+  delete process.env.FAKE_NPM_POSTINSTALL;
  delete process.env.SUPABASE_SETUP_CLI_NPM;

  for (const dir of tempDirs) {
@@ -151,7 +154,22 @@ const args = process.argv.slice(2);
 appendFileSync(process.env.FAKE_NPM_LOG, JSON.stringify(args) + "\\n");

 if (args[0] === "view") {
-  console.log(JSON.stringify(process.env.FAKE_NPM_INTEGRITY ?? "sha512-test"));
+  const bin =
+    process.env.FAKE_NPM_BIN === "missing"
+      ? undefined
+      : { supabase: process.env.FAKE_NPM_BIN ?? "dist/supabase.js" };
+  const scripts = process.env.FAKE_NPM_POSTINSTALL
+    ? { postinstall: process.env.FAKE_NPM_POSTINSTALL }
+    : {};
+
+  console.log(
+    JSON.stringify({
+      version: process.env.FAKE_NPM_PACKAGE_VERSION ?? "2.101.0",
+      bin,
+      scripts,
+      "dist.integrity": process.env.FAKE_NPM_INTEGRITY ?? "sha512-test",
+    }),
+  );
  process.exit(0);
 }

@@ -203,13 +221,29 @@ if (process.platform === "win32") {
  return binDir;
 }

-function installFakeNpm(versionOutput = "supabase 2.101.0", integrity = "sha512-test"): string {
+function installFakeNpm(
+  versionOutput = "supabase 2.101.0",
+  options: {
+    bin?: string;
+    integrity?: string;
+    packageVersion?: string;
+    postinstall?: string;
+  } = {},
+): string {
  const binDir = createFakeNpm();
  const logPath = path.join(createTempDir("setup-cli-fake-npm-log-"), "npm.log");
  writeFileSync(logPath, "");
  process.env.FAKE_CLI_VERSION = versionOutput;
-  process.env.FAKE_NPM_INTEGRITY = integrity;
+  process.env.FAKE_NPM_BIN = options.bin ?? "dist/supabase.js";
+  process.env.FAKE_NPM_INTEGRITY = options.integrity ?? "sha512-test";
  process.env.FAKE_NPM_LOG = logPath;
+  process.env.FAKE_NPM_PACKAGE_VERSION =
+    options.packageVersion ??
+    versionOutput.match(/\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?/)?.[0] ??
+    "2.101.0";
+  if (options.postinstall) {
+    process.env.FAKE_NPM_POSTINSTALL = options.postinstall;
+  }
  process.env.PATH = `${binDir}${path.delimiter}${originalPath ?? ""}`;
  process.env.RUNNER_TEMP = createTempDir("setup-cli-runner-temp-");
  process.env.SUPABASE_SETUP_CLI_NPM = path.join(
@@ -228,6 +262,10 @@ function readNpmCalls(logPath: string): string[][] {
    .map((line) => JSON.parse(line) as string[]);
 }

+function viewMetadataCall(spec: string): string[] {
+  return ["view", spec, "version", "bin", "scripts", "dist.integrity", "--json"];
+}
+
 function createActionSpies(inputVersion: string) {
  return {
    addPath: spyOn(core, "addPath").mockImplementation(() => {}),
@@ -255,6 +293,23 @@ test("uses an explicit npm package version when provided", async () => {
  });
 });

+test("uses an explicit npm dist-tag when provided", async () => {
+  const { resolvePackage } = await getMainModule();
+
+  expect(resolvePackage("beta")).toEqual({
+    spec: "supabase@beta",
+    version: "beta",
+  });
+});
+
+test("rejects unsupported npm package selectors", async () => {
+  const { resolvePackage } = await getMainModule();
+
+  expect(() => resolvePackage("hotfix")).toThrow(
+    'Unsupported Supabase CLI version "hotfix". Use latest, beta, or a fixed npm package version like 2.101.0.',
+  );
+});
+
 test("uses the root bun.lock resolution when version is omitted", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "bun.lock": createBunLock("2.41.0", { integrity: "sha512-bun-lock" }),
@@ -379,22 +434,53 @@ test("installs the CLI with npm into an isolated prefix", async () => {

  expect(cliPath).toContain(`${path.sep}node_modules${path.sep}.bin`);
  expect(readNpmCalls(logPath)).toEqual([
+    viewMetadataCall("supabase@2.101.0"),
    [
      "install",
      "--prefix",
      expect.any(String),
      "--omit=dev",
+      "--include=optional",
      "--no-audit",
      "--no-fund",
      "--no-package-lock",
-      "--ignore-scripts",
+      "--ignore-scripts=true",
      "supabase@2.101.0",
    ],
  ]);
 });

+test("allows install scripts for legacy npm packages that declare a postinstall", async () => {
+  const logPath = installFakeNpm("supabase 1.178.2", {
+    bin: "bin/supabase",
+    postinstall: "node scripts/postinstall.js",
+  });
+  const { installCli } = await getMainModule();
+
+  await installCli({
+    spec: "supabase@1.178.2",
+    version: "1.178.2",
+  });
+
+  expect(readNpmCalls(logPath)).toEqual([
+    viewMetadataCall("supabase@1.178.2"),
+    [
+      "install",
+      "--prefix",
+      expect.any(String),
+      "--omit=dev",
+      "--include=optional",
+      "--no-audit",
+      "--no-fund",
+      "--no-package-lock",
+      "--ignore-scripts=false",
+      "supabase@1.178.2",
+    ],
+  ]);
+});
+
 test("verifies lockfile integrity before installing", async () => {
-  const logPath = installFakeNpm("supabase 2.101.0", "sha512-lock");
+  const logPath = installFakeNpm("supabase 2.101.0", { integrity: "sha512-lock" });
  const { installCli } = await getMainModule();

  await installCli({
@@ -404,23 +490,24 @@ test("verifies lockfile integrity before installing", async () => {
  });

  expect(readNpmCalls(logPath)).toEqual([
-    ["view", "supabase@2.101.0", "dist.integrity", "--json"],
+    viewMetadataCall("supabase@2.101.0"),
    [
      "install",
      "--prefix",
      expect.any(String),
      "--omit=dev",
+      "--include=optional",
      "--no-audit",
      "--no-fund",
      "--no-package-lock",
-      "--ignore-scripts",
+      "--ignore-scripts=true",
      "supabase@2.101.0",
    ],
  ]);
 });

 test("fails when lockfile integrity does not match the registry", async () => {
-  installFakeNpm("supabase 2.101.0", "sha512-registry");
+  installFakeNpm("supabase 2.101.0", { integrity: "sha512-registry" });
  const { installCli } = await getMainModule();

  try {
@@ -437,8 +524,25 @@ test("fails when lockfile integrity does not match the registry", async () => {
  }
 });

+test("fails when the npm package does not expose a Supabase CLI executable", async () => {
+  installFakeNpm("supabase 2.101.0", { bin: "missing" });
+  const { installCli } = await getMainModule();
+
+  try {
+    await installCli({
+      spec: "supabase@2.101.0",
+      version: "2.101.0",
+    });
+    throw new Error("Expected installCli to reject");
+  } catch (error) {
+    expect(error).toEqual(
+      new Error("The npm package supabase@2.101.0 does not expose a supabase executable"),
+    );
+  }
+});
+
 test("runs the action with a package-lock resolution", async () => {
-  const logPath = installFakeNpm("supabase 2.43.0", "sha512-package-lock");
+  const logPath = installFakeNpm("supabase 2.43.0", { integrity: "sha512-package-lock" });
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "package-lock.json": createPackageLock("2.43.0", "sha512-package-lock"),
  });
@@ -447,7 +551,7 @@ test("runs the action with a package-lock resolution", async () => {

  await run();

-  expect(readNpmCalls(logPath)[0]).toEqual(["view", "supabase@2.43.0", "dist.integrity", "--json"]);
+  expect(readNpmCalls(logPath)[0]).toEqual(viewMetadataCall("supabase@2.43.0"));
  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.43.0");
  expect(spies.addPath).toHaveBeenCalledWith(expect.stringContaining("node_modules"));
  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
@@ -455,16 +559,16 @@ test("runs the action with a package-lock resolution", async () => {
 });

 test("explicit version overrides detected root lockfiles", async () => {
-  installFakeNpm("supabase 1.0.0");
+  installFakeNpm("supabase 1.1.6");
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "bun.lock": createBunLock("2.45.0"),
  });
-  const spies = createActionSpies("1.0.0");
+  const spies = createActionSpies("1.1.6");
  const { run } = await getMainModule();

  await run();

-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 1.0.0");
+  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 1.1.6");
  expect(spies.exportVariable).not.toHaveBeenCalled();
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
--- a/src/main.ts
+++ b/src/main.ts
@@ -10,6 +10,9 @@ const REGISTRY_VERSION = "1.28.0";
 const DEFAULT_VERSION = "latest";
 const NPM_PACKAGE = "supabase";
 const NPM_EXECUTABLE_ENV = "SUPABASE_SETUP_CLI_NPM";
+const SUPPORTED_DIST_TAGS = new Set([DEFAULT_VERSION, "beta"]);
+const CONCRETE_VERSION_PATTERN = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
+const CONCRETE_VERSION_EXTRACT_PATTERN = /\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?/;

 type PackageResolution = {
  spec: string;
@@ -17,6 +20,13 @@ type PackageResolution = {
  integrity?: string;
 };

+type PackageMetadata = {
+  version?: unknown;
+  bin?: unknown;
+  scripts?: unknown;
+  "dist.integrity"?: unknown;
+};
+
 type BunLock = {
  workspaces?: {
    "": {
@@ -54,12 +64,16 @@ type PackageLock = {
  dependencies?: Record<string, { integrity?: string; version?: string }>;
 };

+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}
+
 function extractConcreteVersion(raw: string | undefined): string | null {
  if (!raw) {
    return null;
  }

-  const match = raw.match(/\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?/);
+  const match = raw.match(CONCRETE_VERSION_EXTRACT_PATTERN);
  return match?.[0] ?? null;
 }

@@ -67,8 +81,25 @@ function normalizeVersion(version: string): string {
  return version.replace(/^v/i, "");
 }

+function normalizeSupportedVersion(version: string): string {
+  const normalizedVersion = normalizeVersion(version.trim());
+  const distTag = normalizedVersion.toLowerCase();
+
+  if (SUPPORTED_DIST_TAGS.has(distTag)) {
+    return distTag;
+  }
+
+  if (CONCRETE_VERSION_PATTERN.test(normalizedVersion)) {
+    return normalizedVersion;
+  }
+
+  throw new Error(
+    `Unsupported Supabase CLI version "${version}". Use latest, beta, or a fixed npm package version like 2.101.0.`,
+  );
+}
+
 function toPackageResolution(version: string, integrity?: string): PackageResolution {
-  const normalizedVersion = normalizeVersion(version);
+  const normalizedVersion = normalizeSupportedVersion(version);

  return {
    spec: `${NPM_PACKAGE}@${normalizedVersion}`,
@@ -200,19 +231,54 @@ export function resolvePackage(inputVersion: string): PackageResolution {
  );
 }

-async function verifyExpectedIntegrity(resolution: PackageResolution): Promise<void> {
+function verifyPackageIntegrity(resolution: PackageResolution, metadata: PackageMetadata): void {
  if (!resolution.integrity) {
    return;
  }

-  const output = await runNpm(["view", resolution.spec, "dist.integrity", "--json"]);
-  const registryIntegrity = JSON.parse(output) as unknown;
-
+  const registryIntegrity = metadata["dist.integrity"];
  if (registryIntegrity !== resolution.integrity) {
    throw new Error(`Lockfile integrity for ${resolution.spec} does not match the npm registry`);
  }
 }

+async function getPackageMetadata(resolution: PackageResolution): Promise<PackageMetadata> {
+  const output = await runNpm([
+    "view",
+    resolution.spec,
+    "version",
+    "bin",
+    "scripts",
+    "dist.integrity",
+    "--json",
+  ]);
+  const metadata = JSON.parse(output) as unknown;
+
+  if (!isRecord(metadata)) {
+    throw new Error(`Could not read npm metadata for ${resolution.spec}`);
+  }
+
+  return metadata;
+}
+
+function verifyPackageMetadata(resolution: PackageResolution, metadata: PackageMetadata): void {
+  if (typeof metadata.version !== "string" || !CONCRETE_VERSION_PATTERN.test(metadata.version)) {
+    throw new Error(`Could not resolve a fixed npm version for ${resolution.spec}`);
+  }
+
+  const bin = metadata.bin;
+  const hasSupabaseBin =
+    typeof bin === "string" || (isRecord(bin) && typeof bin[NPM_PACKAGE] === "string");
+
+  if (!hasSupabaseBin) {
+    throw new Error(`The npm package ${resolution.spec} does not expose a supabase executable`);
+  }
+}
+
+function shouldIgnoreInstallScripts(metadata: PackageMetadata): boolean {
+  return !(isRecord(metadata.scripts) && typeof metadata.scripts.postinstall === "string");
+}
+
 function createInstallRoot(): string {
  const tempRoot = process.env.RUNNER_TEMP?.trim() || os.tmpdir();
  return mkdtempSync(path.join(tempRoot, "setup-cli-"));
@@ -239,7 +305,9 @@ async function runNpm(args: string[]): Promise<string> {
 }

 export async function installCli(resolution: PackageResolution): Promise<string> {
-  await verifyExpectedIntegrity(resolution);
+  const metadata = await getPackageMetadata(resolution);
+  verifyPackageMetadata(resolution, metadata);
+  verifyPackageIntegrity(resolution, metadata);

  const installRoot = createInstallRoot();

@@ -248,10 +316,11 @@ export async function installCli(resolution: PackageResolution): Promise<string>
    "--prefix",
    installRoot,
    "--omit=dev",
+    "--include=optional",
    "--no-audit",
    "--no-fund",
    "--no-package-lock",
-    "--ignore-scripts",
+    `--ignore-scripts=${shouldIgnoreInstallScripts(metadata)}`,
    resolution.spec,
  ]);