Skip to content

Support trustedDependencies in package.json #2073

New issue
New issue
Closed
Listed in
#2450
#3288
Closed
Support trustedDependencies in package.json#2073
Listed in
#2450
#3288
Labels
bun installSomething that relates to the npm-compatible clientenhancementNew feature or request
@Electroid

Description

@Electroid
Electroid
opened on Feb 15, 2023 · edited by Electroid
Contributor

There are npm packages, like esbuild, that need postinstall support to install binaries or run other scripts. While we could allow any package to run scripts, that wouldn't be the safest thing to do. We also can't not support it at all, because these packages would simply not work.

We're thinking of adding a new trustedDependencies property to the package.json, which would require developers to explicitly define an allowlist of packages that are allowed to run scripts.

{
  "private": true,
  "dependencies": {
    "esbuild": "^0.17.8"
  },
  "trustedDependencies": [
    "esbuild"
  ]
}

This would not extend to child dependencies, so if package foo depends on bar, and foo is on the allowlist, bar is not on the allowlist, unless it is explicitly added.

Activity

Electroid
added
enhancementNew feature or request
bun installSomething that relates to the npm-compatible client
on Feb 15, 2023
Electroid
mentioned this on Mar 22, 2023
Jarred-Sumner
mentioned this on Apr 6, 2023
Jarred-Sumner
mentioned this in 3 issues on Jun 5, 2023
alexlamsl
added a commit that references this issue on Jun 13, 2023

[install] support privilegedDependencies

be652d7
alexlamsl
mentioned this on Jun 13, 2023
alexlamsl
added 2 commits that reference this issue on Jun 13, 2023

[install] support trustedDependencies

4bc0c24

[install] support trustedDependencies

3cbe186
Electroid
changed the title [-]Support `privilegedDependencies` in `package.json`[/-] [+]Support `trustedDependencies` in `package.json`[/+] on Jun 13, 2023
alexlamsl
added 6 commits that reference this issue on Jun 14, 2023

[install] support trustedDependencies

4706f2a

[install] support trustedDependencies

66444b4

[install] support trustedDependencies

3732dcc

[install] support trustedDependencies

2fc4bc0

[install] support trustedDependencies

d07e822

[install] support trustedDependencies

2ab60d8
Jarred-Sumner
closed this as completedin #3288on Jun 27, 2023
Jarred-Sumner
added a commit that references this issue on Jun 27, 2023

[install] support trustedDependencies (#3288)

318879d
sanman1k98
added a commit that references this issue on Sep 10, 2023

build(astro): upgrade to astro 3.0.12

96e9edd
Bessonov

Bessonov commented on Sep 24, 2023

@Bessonov
Bessonov
on Sep 24, 2023

@Electroid I'm not sure if I'm missing something. From a security point of view, what's the difference between using the postinstall lifecycle hook and executing/spawning inside the dependency?

Bessonov
mentioned this on Oct 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    bun installSomething that relates to the npm-compatible clientenhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @Bessonov@Electroid

      Issue actions