From 18b521d9b875f4514e413dbe9b614309fd1618aa Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Tue, 12 Sep 2023 21:51:49 -0700 Subject: Various docs (#5201) * Updates * Improve jest guide * Improve --- docs/guides/install/trusted.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 docs/guides/install/trusted.md (limited to 'docs/guides/install/trusted.md') diff --git a/docs/guides/install/trusted.md b/docs/guides/install/trusted.md new file mode 100644 index 000000000..3dc14aa94 --- /dev/null +++ b/docs/guides/install/trusted.md @@ -0,0 +1,29 @@ +--- +name: Add a trusted dependency +--- + +Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine. + +--- + +To tell Bun to allow lifecycle scripts for a particular package, add the package to `trustedDependencies` in your package.json. + +```json-diff + { + "name": "my-app", + "version": "1.0.0", ++ "trustedDependencies": ["my-trusted-package"] + } +``` + + + +--- + +Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the dependencies of that dependency! + +Soon, Bun will include a built-in allow-list that automatically allows lifecycle scripts to be run by popular packages that are known to be safe. This is still under development. + +--- + +See [Docs > Package manager > Trusted dependencies](/docs/cli/install#trusted-dependencies) for complete documentation of trusted dependencies. -- cgit v1.2.3 From 07b10bbc16ab16ba73f3990f3b888e98661aabea Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Thu, 14 Sep 2023 17:28:03 -0700 Subject: Clean up trustedDependencies guide --- docs/guides/install/trusted.md | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) (limited to 'docs/guides/install/trusted.md') 
diff --git a/docs/guides/install/trusted.md b/docs/guides/install/trusted.md index 3dc14aa94..d0d841eea 100644 --- a/docs/guides/install/trusted.md +++ b/docs/guides/install/trusted.md @@ -4,10 +4,25 @@ name: Add a trusted dependency Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine. +{% callout %} +Soon, Bun will include a built-in allow-list that automatically allows lifecycle scripts to be run by popular packages that are known to be safe. This is still under development. +{% /callout %} + +--- + +If you are seeing one of the following errors, you are probably trying to use a package that uses `postinstall` to work properly: + +- `error: could not determine executable to run for package` +- `InvalidExe` + --- To tell Bun to allow lifecycle scripts for a particular package, add the package to `trustedDependencies` in your package.json. +Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the dependencies of that dependency! + + + ```json-diff { "name": "my-app", 
@@ -16,14 +31,20 @@ To tell Bun to allow lifecycle scripts for a particular package, add the package } ``` - +--- + +Once this is added, run a fresh install. Bun will re-install your dependencies and properly install + +```sh +$ rm -rf node_modules +$ rm bun.lockb +$ bun install +``` --- Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the dependencies of that dependency! -Soon, Bun will include a built-in allow-list that automatically allows lifecycle scripts to be run by popular packages that are known to be safe. This is still under development. - --- See [Docs > Package manager > Trusted dependencies](/docs/cli/install#trusted-dependencies) for complete documentation of trusted dependencies. -- cgit v1.2.3 From 3f2df4526ed876869a14aaf9d373328fc4dce94e Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Thu, 12 Oct 2023 23:17:51 -0700 Subject: Fix links --- docs/guides/install/trusted.md | 2 +- docs/install/overrides.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/guides/install/trusted.md') diff --git a/docs/guides/install/trusted.md b/docs/guides/install/trusted.md index d0d841eea..0c1ac6362 100644 --- a/docs/guides/install/trusted.md +++ b/docs/guides/install/trusted.md @@ -47,4 +47,4 @@ Note that this only allows lifecycle scripts for the specific package listed in --- -See [Docs > Package manager > Trusted dependencies](/docs/cli/install#trusted-dependencies) for complete documentation of trusted dependencies. +See [Docs > Package manager > Trusted dependencies](/docs/install/lifecycle) for complete documentation of trusted dependencies. diff --git a/docs/install/overrides.md b/docs/install/overrides.md index 27f5a92b2..f226c35bd 100644 --- a/docs/install/overrides.md +++ b/docs/install/overrides.md 
@@ -1,4 +1,4 @@ -Bun supports npm's `"overrides"` and Yarn's `"resolutions"` in `package.json`. These are mechanisms for specifying a version range for _metadependencies_—the dependencies of your dependencies. Refer to [Package manager > Overrides and resolutions](/docs/install/overrides-and-resolutions) for complete documentation. +Bun supports npm's `"overrides"` and Yarn's `"resolutions"` in `package.json`. These are mechanisms for specifying a version range for _metadependencies_—the dependencies of your dependencies. Refer to [Package manager > Overrides and resolutions](/docs/install/overrides) for complete documentation. ```json-diff#package.json { -- cgit v1.2.3
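Review bot: the first commit's hunk (the new `docs/guides/install/trusted.md`) tells readers to add a package to `trustedDependencies` but gives no guidance on deciding whether it should be trusted, and the entry it shows is a bare name, `+ "trustedDependencies": ["my-trusted-package"]`, with no version, so the trust covers whatever version of that package is installed now and after any future update. Suggest one sentence before the json block advising readers to read the package's install scripts before listing it and to treat the entry as standing trust in that package name rather than a one-time approval. Minor style point in the same hunk: there are three empty `+` lines between the closing ``` and the next `---`; one blank line is enough.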
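Review bot: the second commit's first hunk (`@@ -4,10 +4,25 @@`) adds `+Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, _not_ the dependencies of that dependency!` above the json-diff block, but the original copy of that sentence below the install steps is kept as unchanged context in the following hunk (`@@ -16,14 +31,20 @@`), so the guide now states it twice. Keep one copy; the new position above the example is the more useful one, so remove the later copy in the same commit.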
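Review bot: the line `+Once this is added, run a fresh install. Bun will re-install your dependencies and properly install` in the second commit's second hunk (`@@ -16,14 +31,20 @@`) breaks off mid-sentence and needs finishing (for example, "... and run the lifecycle scripts of the packages you listed"). The steps that follow also run `$ rm bun.lockb`, which discards the previously pinned resolution, so the fresh install can resolve different versions than the project had before; either say that explicitly, or, if re-installing against the existing lockfile is enough to trigger the scripts, drop the `rm bun.lockb` step, since deleting the lockfile changes more than the trust setting.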
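Review bot: in the third commit's `trusted.md` hunk (`@@ -47,4 +47,4 @@`) the link target changes to `/docs/install/lifecycle`, but the link text still reads "Docs > Package manager > Trusted dependencies", and the old `#trusted-dependencies` fragment is dropped. If the destination page is titled after lifecycle scripts, update the text to match it, and if that page has a heading for trusted dependencies, link to that heading directly so readers land on the relevant section rather than the top of the page.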