jarle/Bun Add a trusted dependency

Add a trusted dependency

Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.

<Note> Bun includes a default allowlist of popular packages containing `postinstall` scripts that are known to be safe. You can see this list [here](https://github.com/oven-sh/bun/blob/main/src/install/default-trusted-dependencies.txt). This default list only applies to packages installed from npm. For packages from other sources (such as `file:`, `link:`, `git:`, or `github:` dependencies), you must explicitly add them to `trustedDependencies`. </Note>

---

If you are seeing one of the following errors, you are probably trying to use a package that uses postinstall to work properly:

• error: could not determine executable to run for package
• InvalidExe

---

To allow Bun to execute lifecycle scripts for a specific package, add the package to trustedDependencies in your package.json file. You can do this automatically by running the command bun pm trust <pkg>.

<Note> Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, *not* the dependencies of that dependency! </Note>

{
  "name": "my-app",
  "version": "1.0.0",
  "trustedDependencies": ["my-trusted-package"] // [!code ++]
}

---

Once this is added, run a fresh install. Bun will re-install your dependencies and properly install

rm -rf node_modules
rm bun.lock
bun install

---

See Docs > Package manager > Trusted dependencies for complete documentation of trusted dependencies.