Description
🔍 Summary
Bun introduces the concept of trustedDependencies, which allows you to specify an allow-list of packages that are allowed to run lifecycle scripts, such as postinstall. This is because dependencies can run arbitrary shell scripts when installed, and that's generally not great.
package.json:

```json
{
  "dependencies": {
    "utf-8-validate": "^6.0.3"
  },
  "trustedDependencies": [
    "utf-8-validate"
  ]
}
```

However, there are dependencies that you need to trust to run scripts, because otherwise they do not work. To do this, you can add the package name to the trustedDependencies list in your package.json.
But doing this for every package would be annoying, so Bun would also have a default allow-list of the most popular packages on npm that need to run scripts, like utf-8-validate or esbuild. #4263
We planned to include these changes in 1.0, but ran out of time. Once Bun supports these changes, you wouldn't need to use trustedDependencies for 99% of the time, except for more obscure dependencies. Also, when running bun add or bun install, there would be a prompt to indicate that the dependency is using scripts.
🚧 Workaround
- Add package to trustedDependencies in your package.json.

```json
{
  "trustedDependencies": ["utf-8-validate"]
}
```

- Run bun remove, then bun add, to ensure script is re-run.

```sh
bun remove utf-8-validate
bun add utf-8-validate
```
Activity
bun add does not behave the same as bun install #4891

birkskyum commented on Sep 12, 2023
Also, it would be great to expand the test suite here beyond a clean install, because it appears to behave incorrectly. I've made a PR here that does test more scenarios:
Scenarios that aren't covered in that PR yet are if a lockfile already exists, and then the library is added to the trustedDependencies array, followed by bun install, or the other way around, but it's a good starting point.

bun add puppeteer doesn't run postinstall script for trusted dependency #4705

bunx supabase cli executable #4583

intrnl commented on Sep 19, 2023
Are the defaults for trustedDependencies overrideable?
brianmhunt commented on Nov 22, 2023
If the perf branch is taking a long time, is it worth breaking the flag into a separate story? The analysis is very different from the performance issue, namely:
- --trust-all-dependencies Flag [1]

The investigation entails:

- bun i failed (i.e. google + repo search, some knowledge of postinstall, etc.)
- package.json files to add trustedDependencies

There's low hanging fruit in the flag (and perhaps logging) to fix a very negative experience, and I fear it being conflated with a performance impression may be lowering the apparent significance of this issue.
cc @Jarred-Sumner @Electroid @dylan-conway
strokirk commented on Nov 23, 2023
I would like to second the suggestion to print a list of ignored post-install scripts. Currently there isn't much guidance about this issue on the internet, so while trying to install vue-demi today it took quite a bit of digging to realize that bun doesn't run postinstall scripts, and even after adding the script to trustedDependencies, bun i didn't run the script.

trustedDependencies and run lifecycle scripts during installation #7132

uncenter commented on Dec 8, 2023
#7132 fixes the big issue here but leaves out some ideas that have been thrown around:

- --trust-all-dependencies or glob-based --trust-dependencies='*' CLI flag
- bunfig.toml

Should these be split into additional issues?
Jarred-Sumner commented on Dec 12, 2023
Fixed by @dylan-conway and @paperdave in #7132
Jarred-Sumner commented on Dec 12, 2023
We will ship a follow-up that warns on skipped postinstall scripts in a future release
"trustedDependencies" #7594

brianmhunt commented on Jan 27, 2024
@Jarred-Sumner just a ping re your comment above:
Not to pester, just making sure it didn't get lost in the shuffle. Thank you!
balloman commented on Apr 15, 2024
Asking if we ever got the flag for the post install script? I don't see it in the documentation anywhere. Is there an issue tracking it somewhere?
It seems that --trust would be an option, but that doesn't actually do anything, you still need to manually trust the packages afterwards. (And in fact, using --trust doesn't even give you the warning, so you would have no idea)
QwikDev/qwik#6839