npm can define lifecycle scripts in their package.json. These are some of the most common, among many others:
preinstall: Runs before the package is installedpostinstall: Runs after the package is installedpreuninstall: Runs before the package is uninstalledprepublishOnly: Runs before the package is published
npm clients.
postinstall
The postinstall script is particularly important. It’s widely used to build or install platform-specific binaries for packages that are implemented as native Node.js add-ons. For example, node-sass uses postinstall to build a native binary for Sass.
package.json
trustedDependencies
Bun is “default-secure”: it only runs lifecycle scripts for packages on an allow list. To allow lifecycle scripts for a particular package, add its name to the trustedDependencies array in your package.json.
package.json
trustedDependencies, install or re-install it. Bun reads the field and runs its lifecycle scripts.
A curated list of popular npm packages with lifecycle scripts is allowed by default. See the full list.
The default trusted dependencies list only applies to packages installed from npm. For packages from other sources
(such as
file:, link:, git:, or github: dependencies), you must explicitly add them to trustedDependencies
to run their lifecycle scripts, even if the package name matches an entry in the default list. This prevents malicious
packages from spoofing trusted package names through local file paths or git repositories.Behavior of the trustedDependencies field
Defining trustedDependencies in package.json replaces the default list rather than extending it. Exactly one of three modes applies per project:
package.json | Packages allowed to run lifecycle scripts |
|---|---|
trustedDependencies omitted | The packages in Bun’s built-in list (npm sources only). |
trustedDependencies: ["pkg-a", ...] | Only the listed packages. The default list is ignored. |
trustedDependencies: [] | No packages, including none from the default list. |
trustedDependencies: [] when you want to opt out of the default allow list entirely without passing --ignore-scripts on every install. If you define trustedDependencies with an explicit list, include any packages from the default list whose lifecycle scripts you still need (for example, sharp or esbuild) — they are no longer trusted implicitly.
--ignore-scripts
To disable lifecycle scripts for all packages, use the --ignore-scripts flag.
terminal
install.ignoreScripts in bunfig.toml:
bunfig.toml
.npmrc:
.npmrc