[BUG] After npm upgrade, on Windows getting error that npm.ps1 is not digitally signed #7280

Open
2 tasks done
anonmily opened this issue Mar 11, 2024 · 17 comments
Labels
Bug thing that needs fixing platform:windows is Windows-specific Priority 2 secondary priority issue

Comments

@anonmily

### Is there an existing issue for this?

  • I have searched the existing issues

### This issue exists in the latest npm version

  • I am using the latest npm

### Current Behavior

I upgraded npm using `npm install -g [email protected]`, and then afterwards, I can't use the npm command since I get the code execution error that npm.ps1 is not digitally signed

```
npm : File C:\Program Files\nodejs\npm.ps1 cannot be loaded. The file C:\Program Files\nodejs\npm.ps1 is not digitally signed. You
cannot run this script on the current system. For more information about running scripts and setting execution policy, see
about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
```

### Expected Behavior

It should be able to be run without having to risk the computer's security by allowing unsigned scripts.

### Steps To Reproduce

1. In Windows 11 with Node v20.11.0, upgrade npm from 10.2.4 `npm install -g [email protected]` in Powershell
2. Try to run any npm command (e.g. `npm install`)
3. Get the error that npm.ps1 is not signed


### Environment

- npm: 10.5.0
- Node.js: 20.11.0
- OS Name: Windows 11 Pro
- System Model Name: ?
- npm config: 
```ini
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.11.0
; npm local prefix = C:\Users\anonmily\Projects\myapp
; npm version = 10.5.0
; cwd = C:\Users\anonmily\Projects\myapp
; HOME = C:\Users\anonmily
; Run `npm config ls -l` to show all defaults.
```

@anonmily anonmily added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Mar 11, 2024
@milaninfy milaninfy added the platform:windows is Windows-specific label Mar 13, 2024
@dennisrongo

@anonmily running this seems to have fixed it for me in Powershell as an admin.
`set-ExecutionPolicy RemoteSigned -Scope CurrentUser`

@ShuzhaoFeng

The issue still persists in 10.5.2. @dennisrongo 's solution works, but I would see it as a temporary workaround.

Do we have any plans on fixing the issue?

@lukekarrys
Contributor

This will need to be coordinated with the Node project. I'm going to keep this issue open to avoid duplicates but any fix for this will need to land in the https://github.com/nodejs/node Windows installer.

@lukekarrys lukekarrys added Priority 2 secondary priority issue and removed Release 10.x labels May 10, 2024
@zakriafurqan1

> @anonmily running this seems to have fixed it for me in Powershell as an admin. set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Thank you sir, this command resolved my issue.

@devbf

devbf commented Jul 23, 2024

I had the problem that I could not run npx commands like npx tailwindcss -i ./tailwind.css -o ./wwwroot/styles.css due to the missing signature and could not run set-ExecutionPolicy RemoteSigned -Scope CurrentUser due to missing admin rights.

This comment solved it for me by using npx.cmd instead of npx: npx.cmd tailwindcss -i ./tailwind.css -o ./wwwroot/styles.css

@Skrigueztep

Recently, something similar happened with the node -v command.

This error occurs, from my case and experience, when you update the runtime without a clean installation. By "clean installation" I mean removing/uninstalling the previous node version and deleting all missing/remaining node files like npm-cache, and so on...

I hope to be of help, greetings

@Danish0611

Danish0611 commented Aug 28, 2024

The solution to getting rid of this error message and running your script is simple. But you need to consider the scope before deciding how to fix it:

Do you only want this particular script to run (here and now)? – or
Do you want to be able to run all scripts all the time?
(these are the two most common options used to solve this problem but more exist!)

If you’re only looking to run the script this one time, use the following command to allow it to run in the current PowerShell session:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

In the above command, the scope is set to ‘Process’. This means that the new execution policy is only valid in the current process. The old restrictions still apply outside of this specific PowerShell session.

Alternatively, if you want to be able to run scripts freely on your system going forward, use the following command:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

When the scope is set to ‘User’, the new PowerShell execution policy is persisted in the registry and will stick across PowerShell sessions, and system reboots.

@usha2151

usha2151 commented Sep 6, 2024

> @anonmily running this seems to have fixed it for me in Powershell as an admin. set-ExecutionPolicy RemoteSigned -Scope CurrentUser

thank you

@Blastshotting

Blastshotting commented Oct 19, 2024

Environment

  • Windows 10 Home 22H2, 19045.5011
  • 64-bit operating system, x64-based processor

```
PS C:\Users\Me> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.5007
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.5007
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

```
PS C:\> npm config list
; "builtin" config from C:\Users\Me\AppData\Roaming\npm\node_modules\npm\npmrc

prefix = "C:\\Users\\Me\\AppData\\Roaming\\npm"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.18.0
; npm local prefix = C:\
; npm version = 10.9.0
; cwd = C:\
; HOME = C:\Users\Me
; Run `npm config ls -l` to show all defaults.
PS C:\>
```

Description

So I came to this issue from #470 after looking for that bug duplicated against a newer npm version and something I'm wondering about is if the original underlying issue resulting in the new ps scripts (npm/npm#20699) still exists?

Issue 20699 describes the repro as trying out

```
PS C:\>echo-cli 'https://example.com/?a=1&b=2'
```

within Powershell, but when I do, I get the expected output of:

```
https://example.com/?a=1&b=2
```

Trying out regular echo from within PowerShell works as expected too, i.e.:

```
PS C:\> echo "https://example.com/?a=1&b=2"
```

I even made a ps1 file to test running that and it worked as expected:
For a file named test.ps1:

```powershell
#!/usr/bin/env pwsh

echo "hello&world"
echo 'hello&world'
echo "https://example.com/?a=1&b=2"
echo 'https://example.com/?a=1&b=2'
echo-cli 'https://example.com/?a=1&b=2'
echo-cli "https://example.com/?a=1&b=2"
```

I get:

```
PS C:\> .\test.ps1
hello&world
hello&world
https://example.com/?a=1&b=2
https://example.com/?a=1&b=2
https://example.com/?a=1&b=2
https://example.com/?a=1&b=2
```

As for fixing my issue as of now (https://stackoverflow.com/questions/58796490/tsc-ps1-cannot-be-loaded-because-running-scripts-is-disabled-on-this-system), I moved all the offending ps1 files to another directory so I didn't need to weaken security on my machine.

@PearlDragon

Coming from a broken Windows environment and issue #470. Do we need PowerShell support? Changes to security policies just to run a JavaScript file are the literal definition of insane.

Option 1) Ignore #20699. Is it even a real bug???

Option 2) Get rid of npm/tsc command scripts in favour of actual exe's

Option 2 can be handled in a stub fashion identical to how linux handles shebang ( #! ). Activestate Perl had a similar issue 10-20 years ago as I recall and handled it this way

@hamedkh23

The solution to getting rid of this error message and running the script is simple. But before deciding how to fix it, you need to consider the scope:

Do you want only this particular script to run (here and now)? Or do you want to be able to run all scripts all the time? (These are the two most common options used to solve this problem, but more exist!)

If you're only looking to run the script once, use the following command to run it in the current PowerShell session:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

In the above command, the scope is set to "Process". This means that the new execution policy is only valid in the current process. The old restrictions still apply outside of this specific PowerShell session.

Alternatively, if you want to be able to run scripts freely on your system, use the following command:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

When the scope is set to "User", the new PowerShell execution policy is persisted in the registry and persists across PowerShell sessions and system restarts.

Hi
This was great and worked for me.
Thank you

@regiregiocargo

set-ExecutionPolicy RemoteSigned -Scope CurrentUser

works!

@kikru77

kikru77 commented Dec 2, 2024

I had the same issue when upgrading to Node v22.11.0 and npm v10.9.0, but only when I tried to run npm start in VSCode.
On cmd it worked fine. So maybe a VSCode problem?

@constantinrazvan

> @anonmily running this seems to have fixed it for me in Powershell as an admin. set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Thanks for your answer!
I reformatted my Windows and when I installed Angular I got the error ("npm.ps1 is not digitally signed") and your answer helped me!

@bormm

bormm commented Dec 20, 2024

> @anonmily running this seems to have fixed it for me in Powershell as an admin. set-ExecutionPolicy RemoteSigned -Scope CurrentUser

This is, in my opinion, the current best workaround; better would be to sign the script.

But just for people to understand what they do, and that it's not a good idea to set the security level to a lower level than RemoteSigned, like "Unrestricted", and also not for the whole machine when this is not needed to solve the issue:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4#powershell-execution-policies

RemoteSigned

- The default execution policy for Windows server computers.
- Scripts can run.
- Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the internet which includes email and instant messaging programs.
- Doesn't require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
- Runs scripts that are downloaded from the internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
- Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.

As the scripts are not flagged as downloaded from the internet, even though they are, indirectly, by the installer, it's the safest policy other than signing the file.
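
Added example, not part of the thread and not npm's or Node's own code: a read-only PowerShell check of the facts the comments above turn on, namely which scope sets the effective execution policy and whether the `npm.ps1`/`npx.ps1` shims are signed or carry a download mark. The `-ShimDir` parameter and the `ExpectedToLoad` column are constructs of this example; the default path is the one shown in the original report.

```powershell
# Added example: diagnostics only. Changes no policy and unblocks no file.
# Assumption: the shims sit next to node.exe; pass -ShimDir for a per-user prefix.
param(
    [string]$ShimDir = 'C:\Program Files\nodejs'
)

# 1. Policy at every scope, in precedence order. MachinePolicy and UserPolicy come
#    from Group Policy and win over anything Set-ExecutionPolicy writes lower down.
Get-ExecutionPolicy -List | Format-Table -AutoSize
$effective = Get-ExecutionPolicy
"Effective policy: $effective"

# 2. Per-shim facts that decide whether the effective policy lets the script load.
$report = foreach ($name in 'npm', 'npx') {
    $ps1 = Join-Path $ShimDir "$name.ps1"
    if (-not (Test-Path -LiteralPath $ps1)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $ps1
    # The Zone.Identifier alternate data stream is what marks a file as downloaded.
    $zone = Get-Item -LiteralPath $ps1 -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

    # Simplified reading of about_Execution_Policies (AllSigned may additionally
    # prompt about the publisher; that prompt is not modelled here).
    $loads = switch ("$effective") {
        'Restricted'   { $false }
        'AllSigned'    { $sig.Status -eq 'Valid' }
        'RemoteSigned' { (-not $zone) -or ($sig.Status -eq 'Valid') }
        default        { $true }    # Unrestricted, Bypass
    }

    [pscustomobject]@{
        Script          = $ps1
        SignatureStatus = $sig.Status                       # NotSigned, Valid, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject    # empty when unsigned
        MarkedAsRemote  = [bool]$zone
        ExpectedToLoad  = $loads
        # The .cmd shim is not a PowerShell script, so the execution policy does not gate it.
        CmdShimPresent  = Test-Path -LiteralPath (Join-Path $ShimDir "$name.cmd")
    }
}
$report | Format-List
```

A `NotSigned` shim with `MarkedAsRemote` false and an effective policy of `AllSigned` reproduces the "not digitally signed" message; the first table shows which scope that policy comes from.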

@mingwli

mingwli commented Jan 8, 2025

Though you can bypass the signature check, shouldn't the official release of npx sign this ps1 file?

@Anis-khemiri

Run this: set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Thanks to @anonmily
