mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-02 15:08:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Clean up trustedDependencies guide

Browse Source
This commit is contained in:
Colin McDonnell
2023-09-14 17:28:03 -07:00
parent 969b0cf539
commit 07b10bbc16
1 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
docs/guides/install/trusted.md
View File

@@ -4,10 +4,25 @@ name: Add a trusted dependency
Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
{% callout %}
Soon, Bun will include a built-in allow-list that automatically allows lifecycle scripts to be run by popular packages that are known to be safe. This is still under development.
{% /callout %}
---
If you are seeing one of the following errors, you are probably trying to use a package that uses `postinstall` to work properly:
- `error: could not determine executable to run for package`
- `InvalidExe`
---
To tell Bun to allow lifecycle scripts for a particular package, add the package to `trustedDependencies` in your package.json.
Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the dependencies of that dependency!
<!-- Bun maintains an allow-list of popular packages containing `postinstall` scripts that are known to be safe. To run lifecycle scripts for packages that aren't on this list, add the package to `trustedDependencies` in your package.json. -->
```json-diff
{
"name": "my-app",
@@ -16,14 +31,20 @@ To tell Bun to allow lifecycle scripts for a particular package, add the package
}
```
<!-- Bun maintains an allow-list of popular packages containing `postinstall` scripts that are known to be safe. To run lifecycle scripts for packages that aren't on this list, add the package to `trustedDependencies` in your package.json. -->
---
Once this is added, run a fresh install. Bun will re-install your dependencies and properly install
```sh
$ rm -rf node_modules
$ rm bun.lockb
$ bun install
```
---
Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the dependencies of that dependency!
Soon, Bun will include a built-in allow-list that automatically allows lifecycle scripts to be run by popular packages that are known to be safe. This is still under development.
---
See [Docs > Package manager > Trusted dependencies](/docs/cli/install#trusted-dependencies) for complete documentation of trusted dependencies.