mirror of
https://github.com/oven-sh/bun
synced 2026-02-02 15:08:46 +00:00
7dcd49f832
## Summary - The default trusted dependencies list should only apply to packages installed from npm - Non-npm sources (file:, link:, git:, github:) now require explicit trustedDependencies - This prevents malicious packages from spoofing trusted names through local paths or git repos ## Test plan - [x] Added test: file: dependency named "esbuild" does NOT auto-run postinstall scripts - [x] Added test: file: dependency runs scripts when explicitly added to trustedDependencies - [x] Verified tests fail with system bun (old behavior) and pass with new build - [x] Build compiles successfully 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Bot <claude-bot@bun.sh> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Jarred Sumner <jarred@jarredsumner.com> Co-authored-by: Dylan Conway <dylan.conway567@gmail.com>
53 lines
1.8 KiB
Plaintext
53 lines
1.8 KiB
Plaintext
---
|
|
title: Add a trusted dependency
|
|
sidebarTitle: Add a trusted dependency
|
|
mode: center
|
|
---
|
|
|
|
Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
|
|
|
|
<Note>
|
|
Bun includes a default allowlist of popular packages containing `postinstall` scripts that are known to be safe. You
|
|
can see this list [here](https://github.com/oven-sh/bun/blob/main/src/install/default-trusted-dependencies.txt). This
|
|
default list only applies to packages installed from npm. For packages from other sources (such as `file:`, `link:`,
|
|
`git:`, or `github:` dependencies), you must explicitly add them to `trustedDependencies`.
|
|
</Note>
|
|
|
|
---
|
|
|
|
If you are seeing one of the following errors, you are probably trying to use a package that uses `postinstall` to work properly:
|
|
|
|
- `error: could not determine executable to run for package`
|
|
- `InvalidExe`
|
|
|
|
---
|
|
|
|
To allow Bun to execute lifecycle scripts for a specific package, add the package to `trustedDependencies` in your package.json file. You can do this automatically by running the command `bun pm trust <pkg>`.
|
|
|
|
<Note>
|
|
Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the
|
|
dependencies of that dependency!
|
|
</Note>
|
|
|
|
```json package.json icon="file-json"
|
|
{
|
|
"name": "my-app",
|
|
"version": "1.0.0",
|
|
"trustedDependencies": ["my-trusted-package"] // [!code ++]
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
Once this is added, run a fresh install. Bun will re-install your dependencies and properly install
|
|
|
|
```sh terminal icon="terminal"
|
|
rm -rf node_modules
|
|
rm bun.lock
|
|
bun install
|
|
```
|
|
|
|
---
|
|
|
|
See [Docs > Package manager > Trusted dependencies](/pm/lifecycle) for complete documentation of trusted dependencies.
|