oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh

Support dependenciesMeta for declaring packages allowed to run postinstall scripts #3756

Open intrnl opened 1 year ago

intrnl commented 1 year ago

What is the problem this feature would solve?

Removes the need for users to maintain a trustedDependencies field that no other package manager supports

What is the feature you are proposing to solve the problem?

Support dependenciesMeta.*.built, a pattern that Yarn currently supports

What alternatives have you considered?

No response

intrnl commented 1 year ago

Additionally, this would also mean that Bun can show warnings for packages that have a postinstall script but were not run because of the status being uncertain, as in, not declared on dependenciesMeta whether it should be allowed to run, or forbidden to run.


dependenciesMeta.*.built values:

Jarred-Sumner commented 1 year ago

This is partially implemented but doesn't work the way people expect it to and will be fixed soon. The current implementation uses a new "trustedDependencies" field in package.json #3288
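The allowed / forbidden / undeclared split discussed in the comments above, as an added example that is not part of the thread and is not Bun's or Yarn's code. It assumes `built` is a boolean keyed by package name under `dependenciesMeta` and treats any other value as undeclared; `classify` and `plan` are hypothetical helpers and the package names and scripts are constructed.

```javascript
// Lifecycle hooks that execute code at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Decide what to do with one installed dependency.
// rootManifest: the project's parsed package.json
// dep: the dependency's parsed package.json
function classify(rootManifest, dep) {
  const hooks = INSTALL_HOOKS.filter(
    (h) => typeof dep.scripts?.[h] === "string" && dep.scripts[h].trim() !== ""
  );
  if (hooks.length === 0) return { action: "none", hooks };

  const meta = rootManifest.dependenciesMeta ?? {};
  // Own-property lookup only, so inherited keys on Object.prototype are never read.
  const entry = Object.prototype.hasOwnProperty.call(meta, dep.name)
    ? meta[dep.name]
    : undefined;
  const built = entry && typeof entry === "object" ? entry.built : undefined;

  if (built === true) return { action: "run", hooks };   // explicitly allowed
  if (built === false) return { action: "skip", hooks }; // explicitly forbidden
  // Undeclared or malformed (e.g. the string "true"): fail closed and warn.
  return { action: "warn", hooks };
}

// Group every dependency that has install-time hooks by the action taken.
function plan(rootManifest, installed) {
  const out = { run: [], skip: [], warn: [] };
  for (const dep of installed) {
    const r = classify(rootManifest, dep);
    if (r.action !== "none") out[r.action].push(`${dep.name} (${r.hooks.join(", ")})`);
  }
  return out;
}

// Constructed sample input (assumed shapes, not taken from a real project).
const root = { dependenciesMeta: {
  "pkg-native": { built: true },
  "pkg-banner": { built: false },
  "pkg-typo": { built: "true" }, // wrong type, so treated as undeclared
} };
const installed = [
  { name: "pkg-native", scripts: { postinstall: "node build.js" } },
  { name: "pkg-banner", scripts: { postinstall: "node banner.js" } },
  { name: "pkg-typo", scripts: { install: "node check.js" } },
  { name: "pkg-pure", scripts: { test: "node test.js" } },
  { name: "constructor", scripts: { preinstall: "node x.js" } },
];
console.log(plan(root, installed));
```

Only packages in the `warn` list need a decision from the maintainer; nothing in `skip` or `warn` has its scripts executed.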