diff options
| author |  Dylan Conway <dylan.conway567@gmail.com>
| 2023-10-14 12:58:30 -0700 |
|---|---|---|
| committer | Dylan Conway <dylan.conway567@gmail.com>
| 2023-10-14 12:58:30 -0700 |
| commit | f9add8b6bea4df3cdbd56a21f17e4cab1a854e4e (patch) | |
| tree | 8e5306104d81c67b771181337bba02cd9ec39453 /docs/install/lifecycle.md | |
| parent | 81a1a58d66c598ea35c42453d0ba4c6341a940fc (diff) | |
| parent | 9b5e66453b0879ed77b71dcdbe50e4efa184261e (diff) | |
| download | bun-sdl.tar.gz bun-sdl.tar.zst bun-sdl.zip | |
Merge branch 'main' into sdlsdl
Diffstat (limited to '')
| -rw-r--r-- | docs/install/lifecycle.md | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/docs/install/lifecycle.md b/docs/install/lifecycle.md new file mode 100644 index 000000000..035ead24d --- /dev/null +++ b/docs/install/lifecycle.md @@ -0,0 +1,44 @@ +Packages on `npm` can define _lifecycle scripts_ in their `package.json`. Some of the most common are below, but there are [many others](https://docs.npmjs.com/cli/v10/using-npm/scripts). + +- `preinstall`: Runs before the package is installed +- `postinstall`: Runs after the package is installed +- `preuninstall`: Runs before the package is uninstalled +- `prepublishOnly`: Runs before the package is published + +These scripts are arbitrary shell commands that the package manager is expected to read and execute at the appropriate time. But executing arbitrary scripts represents a potential security risk, so—unlike other `npm` clients—Bun does not execute arbitrary lifecycle scripts by default. + +## `postinstall` + +The `postinstall` script is particularly important. It's widely used to build or install platform-specific binaries for packages that are implemented as [native Node.js add-ons](https://nodejs.org/api/addons.html). For example, `node-sass` is a popular package that uses `postinstall` to build a native binary for Sass. + +```json +{ + "name": "my-app", + "version": "1.0.0", + "dependencies": { + "node-sass": "^6.0.1" + } +} +``` + +## `trustedDependencies` + +Instead of executing arbitrary scripts, Bun uses a "default-secure" approach. You can add certain packages to an allow list, and Bun will execute lifecycle scripts for those packages. To tell Bun to allow lifecycle scripts for a particular package, add the package name to `trustedDependencies` array in your `package.json`. + +```json-diff + { + "name": "my-app", + "version": "1.0.0", ++ "trustedDependencies": ["node-sass"] + } +``` + +Once added to `trustedDependencies`, install/re-install the package. Bun will read this field and run lifecycle scripts for `my-trusted-package`. + +## `--ignore-scripts` + +To disable lifecycle scripts for all packages, use the `--no-scripts` flag. + +```bash +$ bun install --no-scripts +``` |