1.8 KiB
name
| name |
|---|
| Add a trusted dependency |
Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
{% callout %}
Bun includes a default allowlist of popular packages containing postinstall scripts that are known to be safe. You can see this list here.
{% /callout %}
If you are seeing one of the following errors, you are probably trying to use a package that uses postinstall to work properly:
error: could not determine executable to run for packageInvalidExe
To tell Bun to allow lifecycle scripts for a particular package, add the package to trustedDependencies in your package.json.
Note that this only allows lifecycle scripts for the specific package listed in trustedDependencies, not the dependencies of that dependency!
{
"name": "my-app",
"version": "1.0.0",
+ "trustedDependencies": ["my-trusted-package"]
}
Once this is added, run a fresh install. Bun will re-install your dependencies and properly install
$ rm -rf node_modules
$ rm bun.lockb
$ bun install
Note that this only allows lifecycle scripts for the specific package listed in trustedDependencies, not the dependencies of that dependency!
See Docs > Package manager > Trusted dependencies for complete documentation of trusted dependencies.