renovatebot · jamietanna · Dec 1, 2025 · Nov 26, 2025
diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
@@ -112,6 +112,14 @@ module.exports = {
 };
 ```
 
+## allowedUnsafeExecutions
+
+This should be configured to a list of commands which are allowed to be run automatically as part of a dependency upgrade.
+
+This is a separate class of commands that could be executed compared to [`allowedCommands`](#allowedcommands), or package managers that are controlled with [`allowScripts=true`](#allowscripts) and [`ignoreScripts=false`](./configuration-options.md#ignorescripts), where seemingly "safe" commands can result in code execution.
+As there is a security risk of running these commands automatically when a dependency upgrades, self hosted implementations need to explicitly declare which commands are permitted for their installation.
+For more details of where this may be found, see ["Trusting Repository Developers"](./security-and-permissions.md#trusting-repository-developers).
+
 ## autodiscover
 
 When you enable `autodiscover`, by default, Renovate runs on _every_ repository that the bot account can access.

diff --git a/lib/config/options/index.ts b/lib/config/options/index.ts
@@ -3091,6 +3091,17 @@ const options: RenovateOptions[] = [
     globalOnly: true,
     default: false,
   },
+  {
+    name: 'allowedUnsafeExecutions',
+    description: `List of possibly unsafe executions which are permitted to run. This enables global control over any implicit commands
+        which are run as part of a renovate run. This is similar to \`allowedCommands\` but is specifically used to control executions
+        which run automatically, and are not explicitly added in \`postUpgradeTasks\``,
+    type: 'array',
+    subType: 'string',
+    default: [],
+    stage: 'global',
+    globalOnly: true,
+  },
   {
     name: 'gitNoVerify',
     description:

diff --git a/lib/config/types.ts b/lib/config/types.ts
@@ -225,6 +225,7 @@ export interface RepoGlobalConfig {
   cachePrivatePackages?: boolean;
   configFileNames?: string[];
   ignorePrAuthor?: boolean;
+  allowedUnsafeExecutions?: AllowedUnsafeExecution[];
 }
 
 /**
@@ -505,6 +506,10 @@ export type MergeStrategy =
   | 'rebase-merge'
   | 'squash';
 
+// ref: https://github.com/renovatebot/renovate/issues/39458
+// This list should be added to as any new unsafe execution commands should be permitted
+export type AllowedUnsafeExecution = undefined;
+
 // TODO: Proper typings
 export interface PackageRule
   extends RenovateSharedConfig,