Add a trusted dependency
Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
Bun includes a default allowlist of popular packages containing postinstall scripts that are known to be safe. You can see this list here. This default list only applies to packages installed from npm. For packages from other sources (such as file:, link:, git:, or github: dependencies), you must explicitly add them to trustedDependencies.
If you are seeing one of the following errors, you are probably trying to use a package that uses postinstall to work properly:
error: could not determine executable to run for package
InvalidExe
To allow Bun to execute lifecycle scripts for a specific package, add the package to trustedDependencies in your package.json file. You can do this automatically by running the command bun pm trust <pkg>.
Note that this only allows lifecycle scripts for the specific package listed in trustedDependencies, not the dependencies of that dependency!
{
  "name": "my-app",
  "version": "1.0.0",
  "trustedDependencies": ["my-trusted-package"]
}
Once this is added, run a fresh install. Bun will re-install your dependencies and properly install
$ rm -rf node_modules
$ rm bun.lock
$ bun install
See Docs > Package manager > Trusted dependencies for complete documentation of trusted dependencies.