bun-types
Type definitions and documentation for Bun, an incredibly fast JavaScript runtime
---
title: Add a trusted dependency
sidebarTitle: Add a trusted dependency
mode: center
---
Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
<Note>
Bun includes a default allowlist of popular packages containing `postinstall` scripts that are known to be safe. You
can see this list [here](https://github.com/oven-sh/bun/blob/main/src/install/default-trusted-dependencies.txt).
</Note>
If you are seeing one of the following errors, you are probably trying to use a package that uses `postinstall` to work properly:
- `error: could not determine executable to run for package`
- `InvalidExe`
To allow Bun to execute lifecycle scripts for a specific package, add the package to `trustedDependencies` in your package.json file. You can do this automatically by running the command `bun pm trust <pkg>`.
<Note>
Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the
dependencies of that dependency!
</Note>
```json package.json icon="file-json"
{
  "name": "my-app",
  "version": "1.0.0",
  "trustedDependencies": ["my-trusted-package"] // [!code ++]
}
```
Once this is added, run a fresh install. Bun will re-install your dependencies and properly install
```sh terminal icon="terminal"
rm -rf node_modules
rm bun.lock
bun install
```
See [Docs > Package manager > Trusted dependencies](/docs/pm/lifecycle) for complete documentation of trusted dependencies.
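To review which installed packages declare install-time scripts, and to see that listing a package does not cover its own dependencies, the following added example (not part of Bun or its documentation) audits parsed manifests against `trustedDependencies`. The function name, the sample packages and the choice of `preinstall`/`install`/`postinstall` as the hooks checked are assumptions, and it does not model Bun's default allowlist.

```javascript
// Added example; package names and manifests below are constructed.
// Assumption: the install-time hooks of interest are npm's preinstall/install/postinstall.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// rootManifest: the project's parsed package.json.
// installed: parsed package.json objects of the packages in node_modules.
function auditTrustedDependencies(rootManifest, installed) {
  const listed = new Set(rootManifest.trustedDependencies ?? []);
  const findings = [];
  for (const pkg of installed) {
    const hooks = INSTALL_HOOKS.filter((h) => typeof pkg.scripts?.[h] === "string");
    if (hooks.length === 0) continue;
    // Which installed packages depend on this one (shows that trust is not transitive).
    const requiredBy = installed
      .filter((p) => pkg.name in (p.dependencies ?? {}))
      .map((p) => p.name);
    findings.push({ name: pkg.name, hooks, listed: listed.has(pkg.name), requiredBy });
  }
  // Listed names with no install hook: standing permission that nothing currently needs.
  const hooked = new Set(findings.map((f) => f.name));
  const unused = [...listed].filter((n) => !hooked.has(n)).sort();
  return { findings, unused };
}

// Constructed sample: a trusted package that pulls in a dependency with its own hook.
const sampleRoot = {
  name: "my-app",
  version: "1.0.0",
  trustedDependencies: ["my-trusted-package", "stale-entry"],
};
const sampleInstalled = [
  { name: "my-trusted-package", scripts: { postinstall: "node build.js" },
    dependencies: { "native-helper": "^1.0.0" } },
  { name: "native-helper", scripts: { install: "node-gyp rebuild" } },
  { name: "plain-lib", scripts: { test: "node test.js" } },
];

const report = auditTrustedDependencies(sampleRoot, sampleInstalled);
for (const f of report.findings) {
  console.log(`${f.listed ? "listed    " : "NOT listed"} ${f.name} [${f.hooks.join(", ")}]`);
}
console.log("listed but no install hooks:", report.unused.join(", ") || "(none)");
```

On real projects, feed it the root `package.json` and each `node_modules/**/package.json` parsed with `JSON.parse`, and read every hook's command before adding its package to `trustedDependencies`.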