GuidesPackage manager

Add a trusted dependency with Bun

Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.

Bun includes a default allowlist of popular packages containing postinstall scripts that are known to be safe. You can see this list here.

If you are seeing one of the following errors, you are probably trying to use a package that uses postinstall to work properly:

  • error: could not determine executable to run for package
  • InvalidExe

To tell Bun to allow lifecycle scripts for a particular package, add the package to trustedDependencies in your package.json.

Note that this only allows lifecycle scripts for the specific package listed in trustedDependencies, not the dependencies of that dependency!

  "name": "my-app",
  "version": "1.0.0",
  "trustedDependencies": ["my-trusted-package"]

Once this is added, run a fresh install. Bun will re-install your dependencies and properly install

rm -rf node_modules
rm bun.lockb
bun install

See Docs > Package manager > Trusted dependencies for complete documentation of trusted dependencies.