Add a trusted dependency
Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as postinstall and node-gyp builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
If you are seeing one of the following errors, you are probably trying to use a package that uses postinstall to work properly:
- error: could not determine executable to run for package
- InvalidExe
To allow Bun to execute lifecycle scripts for a specific package, add the package to trustedDependencies in your package.json file. You can do this automatically by running the command bun pm trust <pkg>.
{
  "name": "my-app",
  "version": "1.0.0",
  "trustedDependencies": ["my-trusted-package"]
}
Once this is added, run a fresh install. Bun will re-install your dependencies and properly install
rm -rf node_modules
rm bun.lock
bun install
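Before trusting a package, it helps to see which installed packages actually declare install-time scripts and which of them are already listed in trustedDependencies. The script below is an added example, not part of Bun or its documentation; the function names are hypothetical, and every sample package other than my-trusted-package is constructed.

```javascript
// Added example (not Bun's own code): list installed packages that declare
// install-time lifecycle scripts and whether package.json already trusts them.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Yield each package directory directly under node_modules, including
// @scope/name. Assumption: nested node_modules folders are not walked.
function* packageDirs(nodeModules) {
  if (!fs.existsSync(nodeModules)) return;
  for (const entry of fs.readdirSync(nodeModules)) {
    if (entry.startsWith(".")) continue; // skips .bin and similar
    const full = path.join(nodeModules, entry);
    if (entry.startsWith("@")) for (const sub of fs.readdirSync(full)) yield path.join(full, sub);
    else yield full;
  }
}

function auditLifecycleScripts(projectDir) {
  const root = JSON.parse(fs.readFileSync(path.join(projectDir, "package.json"), "utf8"));
  const trusted = new Set(root.trustedDependencies ?? []);
  const findings = [];
  for (const dir of packageDirs(path.join(projectDir, "node_modules"))) {
    const manifest = path.join(dir, "package.json");
    if (!fs.existsSync(manifest)) continue;
    const pkg = JSON.parse(fs.readFileSync(manifest, "utf8"));
    const hooks = INSTALL_HOOKS.filter((h) => pkg.scripts?.[h]);
    if (hooks.length) findings.push({ name: pkg.name, hooks, trusted: trusted.has(pkg.name) });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample project in a temp directory so the audit runs offline.
function buildSampleProject() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "trust-audit-"));
  const write = (rel, obj) => {
    const file = path.join(dir, rel, "package.json");
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, JSON.stringify(obj));
  };
  write(".", { name: "my-app", version: "1.0.0", trustedDependencies: ["my-trusted-package"] });
  write("node_modules/my-trusted-package", { name: "my-trusted-package", scripts: { postinstall: "node build.js" } });
  write("node_modules/@example/native", { name: "@example/native", scripts: { install: "node-gyp rebuild" } });
  write("node_modules/plain-lib", { name: "plain-lib", scripts: { test: "echo ok" } });
  return dir;
}

console.table(auditLifecycleScripts(buildSampleProject()));
```

To audit a real project, call auditLifecycleScripts with the project directory and read the hook commands of each untrusted entry before adding it to trustedDependencies.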
See Docs > Package manager > Trusted dependencies for complete documentation of trusted dependencies.