DocsGuidesBlogDiscord logoGitHub logo

Intro

What is Bun?

Installation

Quickstart

TypeScript

Templating

bun init

bun create

Runtime

bun run

File types

TypeScript

JSX

Environment variables

Bun APIs

Web APIs

Node.js compatibility

Single-file executable

Plugins

Watch mode

Module resolution

Auto-install

bunfig.toml

Debugger

Framework APISOON

Package manager

bun install

bun add

bun remove

bun update

bun publish

bun outdated

bun link

bun pm

Global cache

Workspaces

Lifecycle scripts

Filter

Lockfile

Scopes and registries

Overrides and resolutions

Patch dependencies

.npmrc support

Bundler

Bun.build

Loaders

Plugins

Macros

vs esbuild

Test runner

bun test

Writing tests

Watch mode

Lifecycle hooks

Mocks

Snapshots

Dates and times

DOM testing

Code coverage

Package runner

bunx

API

HTTP server

HTTP client

WebSockets

Workers

Binary data

Streams

File I/O

import.meta

SQLite

FileSystemRouter

TCP sockets

UDP sockets

Globals

$ Shell

Child processes

Transpiler

Hashing

Console

FFI

C Compiler

HTMLRewriter

Testing

Utils

Node-API

Glob

DNS

Semver

Color

Project

Roadmap

Benchmarking

Contributing

Building Windows

License

Bun

Lifecycle scripts

Packages on npm can define lifecycle scripts in their package.json. Some of the most common are below, but there are many others.

  • preinstall: Runs before the package is installed
  • postinstall: Runs after the package is installed
  • preuninstall: Runs before the package is uninstalled
  • prepublishOnly: Runs before the package is published

These scripts are arbitrary shell commands that the package manager is expected to read and execute at the appropriate time. But executing arbitrary scripts represents a potential security risk, so—unlike other npm clients—Bun does not execute arbitrary lifecycle scripts by default.

postinstall

The postinstall script is particularly important. It's widely used to build or install platform-specific binaries for packages that are implemented as native Node.js add-ons. For example, node-sass is a popular package that uses postinstall to build a native binary for Sass.

{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "node-sass": "^6.0.1"
  }
}

trustedDependencies

Instead of executing arbitrary scripts, Bun uses a "default-secure" approach. You can add certain packages to an allow list, and Bun will execute lifecycle scripts for those packages. To tell Bun to allow lifecycle scripts for a particular package, add the package name to trustedDependencies array in your package.json.

{
  "name": "my-app",
  "version": "1.0.0",
  "trustedDependencies": ["node-sass"]
}

Once added to trustedDependencies, install/re-install the package. Bun will read this field and run lifecycle scripts for my-trusted-package.

As of Bun v1.0.16, the top 500 npm packages with lifecycle scripts are allowed by default. You can see the full list here.

--ignore-scripts

To disable lifecycle scripts for all packages, use the --ignore-scripts flag.

bun install --ignore-scripts

Previous

Workspaces

Next

Filter

GitHub logo

Edit on GitHub