Add a trusted dependency with Bun

Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.

Soon, Bun will include a built-in allow-list that automatically allows lifecycle scripts to be run by popular packages that are known to be safe. This is still under development.

If you are seeing one of the following errors, you are probably trying to use a package that uses postinstall to work properly:

  • error: could not determine executable to run for package
  • InvalidExe

To tell Bun to allow lifecycle scripts for a particular package, add the package to trustedDependencies in your package.json.

Note that this only allows lifecycle scripts for the specific package listed in trustedDependencies, not the dependencies of that dependency!

{
  "name": "my-app",
  "version": "1.0.0",
  "trustedDependencies": ["my-trusted-package"]
}

Once this is added, run a fresh install. Bun will re-install your dependencies and properly install

rm -rf node_modules
rm bun.lockb
bun install

See Docs > Package manager > Trusted dependencies for complete documentation of trusted dependencies.