postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
Bun includes a default allowlist of popular packages whose
postinstall scripts are known to be safe; see the full
list. It only applies to
packages installed from npm. For packages from other sources (such as file:, link:, git:, or github:
dependencies), you must explicitly add them to trustedDependencies.If you see one of the following errors, you are probably using a package that needs its
postinstall script to work:
error: could not determine executable to run for packageInvalidExe
To allow Bun to execute lifecycle scripts for a specific package, add the package to
trustedDependencies in your package.json. You can do this automatically by running bun pm trust <pkg>.
This only allows lifecycle scripts for the specific package listed in
trustedDependencies, not the dependencies of
that dependency.package.json
Once this is added, run a fresh install. Bun re-installs your dependencies and runs the package’s lifecycle scripts.
terminal
See trusted dependencies.