docs: recommend bun for global installs #681
0xRaduan wants to merge 1 commit into Fission-AI:main from 0xRaduan:docs/recommend-bun-for-security
🧩 Analysis chain

🌐 Web query: Bun postinstall scripts default behavior security bun pm trust

💡 Result:

- Bun runs the project's own `{pre|post}install` and `{pre|post}prepare` scripts, but does not run lifecycle scripts (e.g., `postinstall`) from installed dependencies by default, because they can execute arbitrary shell commands (security risk). [1][2]
- To allow them, list the packages in `trustedDependencies` in your app's `package.json`; Bun will then run lifecycle scripts only for those explicitly trusted packages. [1][2]
- `bun pm trust`: `bun pm trust <pkg>` is the convenience command that adds `<pkg>` to `trustedDependencies` for you. [3]
- Packages from `file:`, `link:`, `git:`, or `github:` sources must be explicitly trusted (to prevent spoofing). [1][3]
- To skip all lifecycle scripts, use `bun install --ignore-scripts`. [1]

Sources:
[1] Bun docs – Lifecycle scripts: https://bun.com/docs/pm/lifecycle
[2] Bun docs – bun install: https://bun.com/docs/pm/cli/install
[3] Bun guide – Add a trusted dependency (bun pm trust): https://bun.com/guides/install/trusted

Clarify the default behavior for popular packages: Bun includes an allowlist.

The security claims are accurate, but the documentation may mislead readers about how strict the defaults actually are. Bun blocks lifecycle scripts from dependencies by default, but it ships with a default allowlist of approximately 500 popular npm packages, whose scripts will run unless explicitly distrusted. The `bun pm trust <pkg>` command is verified to work as described, allowing users to add new packages to `trustedDependencies`.

For completeness, consider clarifying that:

- `git:`, `file:`, or `link:` sources must be explicitly trusted
- `bun install --ignore-scripts` skips all lifecycle scripts
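As an added illustration of the policy the review comment describes (not code from this PR or from Bun), the script below audits a set of installed dependency manifests against the root `package.json`'s `trustedDependencies` and reports which lifecycle hooks Bun would run or block. All package names and manifests are constructed samples, and Bun's built-in allowlist of popular packages is deliberately not modelled (an assumption stated in the code).

```python
import json

# Lifecycle hook names Bun treats as install-time scripts (per the Bun docs
# cited in the review comment above).
LIFECYCLE = ("preinstall", "install", "postinstall", "preprepare", "prepare", "postprepare")

def lifecycle_scripts(manifest):
    """Return the lifecycle hooks a dependency's package.json declares, in hook order."""
    scripts = manifest.get("scripts", {})
    return [name for name in LIFECYCLE if name in scripts]

def audit(root_manifest, installed, ignore_scripts=False):
    """Per dependency with hooks: which hooks it declares and whether policy would run them.

    Policy modelled: hooks run only for names listed in the root package.json's
    trustedDependencies; with `bun install --ignore-scripts` nothing runs.
    Assumption: Bun's default allowlist of popular packages is NOT modelled, so
    every unlisted package is treated as untrusted (the conservative audit view).
    """
    trusted = set(root_manifest.get("trustedDependencies", []))
    report = {}
    for name, manifest in installed.items():
        hooks = lifecycle_scripts(manifest)
        if not hooks:
            continue  # nothing to run, nothing to review
        report[name] = {"hooks": hooks, "would_run": name in trusted and not ignore_scripts}
    return report

def flagged(root_manifest, installed):
    """Dependencies whose hooks are blocked: the ones to inspect before trusting them."""
    return sorted(n for n, r in audit(root_manifest, installed).items() if not r["would_run"])

# Constructed sample data; these are not real packages.
ROOT = json.loads('{"name": "demo-app", "trustedDependencies": ["native-addon-example"]}')
INSTALLED = {
    "native-addon-example": {"scripts": {"install": "node-gyp rebuild"}},
    "untrusted-helper-example": {"scripts": {"postinstall": "node ./setup.js", "test": "jest"}},
    "pure-js-example": {"scripts": {"build": "tsc"}},
}

if __name__ == "__main__":
    for name, r in audit(ROOT, INSTALLED).items():
        state = "RUNS (trusted)" if r["would_run"] else "BLOCKED (not in trustedDependencies)"
        print(f"{name}: {', '.join(r['hooks'])} -> {state}")
```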