Commit Graph

3 Commits

Author SHA1 Message Date
robobun
7dcd49f832 fix(install): only apply default trusted dependencies to npm packages (#25163)
## Summary
- The default trusted dependencies list should only apply to packages
installed from npm
- Non-npm sources (file:, link:, git:, github:) now require explicit
trustedDependencies
- This prevents malicious packages from spoofing trusted names through
local paths or git repos

## Test plan
- [x] Added test: file: dependency named "esbuild" does NOT auto-run
postinstall scripts
- [x] Added test: file: dependency runs scripts when explicitly added to
trustedDependencies
- [x] Verified tests fail with system bun (old behavior) and pass with
new build
- [x] Build compiles successfully

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Jarred Sumner <jarred@jarredsumner.com>
Co-authored-by: Dylan Conway <dylan.conway567@gmail.com>
2025-12-11 17:44:41 -08:00
Michael H
4450d738fa docs: more consistency + minor updates (#24764)
Co-authored-by: RiskyMH <git@riskymh.dev>
2025-11-21 14:06:19 -08:00
Lydia Hallie
1606a9f24e Replace old docs with new docs repo (#24201)
2025-11-05 11:14:21 -08:00