mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-02 15:08:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
55a9cccac06403fe1486168378246b34a957f0a1
bun.sh/docs/guides/install/trusted.md
Jarred Sumner 55a9cccac0 bun.sh -> bun.com (#20909)
2025-07-10 00:10:43 -07:00

1.6 KiB
Raw Blame History

name
name
Add a trusted dependency

Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.

{% callout %} Bun includes a default allowlist of popular packages containing postinstall scripts that are known to be safe. You can see this list here. {% /callout %}

If you are seeing one of the following errors, you are probably trying to use a package that uses postinstall to work properly:

  • error: could not determine executable to run for package
  • InvalidExe

To allow Bun to execute lifecycle scripts for a specific package, add the package to trustedDependencies in your package.json file. You can do this automatically by running the command bun pm trust <pkg>.

{% callout %} Note that this only allows lifecycle scripts for the specific package listed in trustedDependencies, not the dependencies of that dependency! {% /callout %}

  {
    "name": "my-app",
    "version": "1.0.0",
+   "trustedDependencies": ["my-trusted-package"]
  }

Once this is added, run a fresh install. Bun will re-install your dependencies and properly install

$ rm -rf node_modules
$ rm bun.lock
$ bun install

See Docs > Package manager > Trusted dependencies for complete documentation of trusted dependencies.

Reference in New Issue View Git Blame Copy Permalink