birkskyum
commented
1 year ago Closed gtrabanco closed 11 months ago
birkskyum
commented
1 year ago 
gtrabanco
commented
1 year ago Sorry, yes... Adding to trustedDependencies in package.json resolve also this issue with bun install.
Should I close this issue? I am not sure.
Electroid
commented
1 year ago Sorry, yes... Adding to
trustedDependenciesin package.json resolve also this issue with bun install.Should I close this issue? I am not sure.
For now, if you are running into this issue you can add the following to your package.json.
{
"trustedDependencies": [
"sharp"
]
}For sharp specifically, this won't be an issue once we merge #4263
birkskyum
commented
1 year ago 0.8.2+4b63ced72dc1b304e737d9ea055c8b6e75f46119 , Darwin 22.6.0 arm64 arm
I find that adding sharp to "trustedDependencies" doesn't do anything. The only way I can run this is if i cd into ./node_modules/sharp and run bun install. @gtrabanco , does trustedDependencies work for you?
gtrabanco
commented
1 year ago Yes it worked after delete node_modules folder and run bun install.
I will post the repo with the code.
birkskyum
commented
1 year ago Great to hear! It didn't do the trick for me unfortunately, but looking forward to try your project for see if that can narrow it down somehow.
gtrabanco
commented
1 year ago Here you have it.
https://github.com/gtrabanco/compose-images
Here you can see after delete node_modules and bun.lockb that all is installed well.
gtrabanco
commented
1 year ago 0.8.2+4b63ced72dc1b304e737d9ea055c8b6e75f46119 , Darwin 22.6.0 arm64 arm
I find that adding sharp to "trustedDependencies" doesn't do anything. The only way I can run this is if i
cdinto ./node_modules/sharp and runbun install. @gtrabanco , does trustedDependencies work for you?
I just show you are on arm and I am at intel... Maybe any issue with arch?
gtrabanco
commented
1 year ago Sorry I closed the issue, was an accident π«£
birkskyum
commented
1 year ago I just show you are on arm and I am at intel... Maybe any issue with arch?
@gtrabanco Oh, that is an interesting observation - your repo also breaks for me.
It would be interesting to hear from someone else running a macos arm64 if this example works.
vfritzon
commented
1 year ago On macos/arm I need to both have sharp listed in trustedDependencies and remove the lockfile to have it install properly.
birkskyum
commented
1 year ago @vfritzon Interesting, removing the bun.lockb and node_modules before running bun i works for me too
gtrabanco
commented
1 year ago From the absolute ignorance about Bun internals... Strange issue π
I mean, would be nice know whats happening.
andresribeiro
commented
1 year ago @vfritzon Interesting, removing the bun.lockb and node_modules before running
bun iworks for me too
For me too, with bun.lockb the trustedDependencies doesn't have any effect
birkskyum
commented
1 year ago @alexlamsl , can you tell why trustedDependencies (introduced here https://github.com/oven-sh/bun/pull/3288) are ignored if bun.lockd or node_modules already exists?
lukasver
commented
1 year ago Same issue here, the trustedDependencies workarround worked after:
rm -rf bun.lockb node_modules
bun i
kuzzmi
commented
1 year ago In monorepo (ex-yarn workspaces), the trustedDependencies worked in the package.json that mentioned sharp. After that arm + workaround worked.
UPD: It actually does a weird thing. When bun is used in combo with --hot, reloading the app fails on requiring sharp.
kanashimia
commented
1 year ago trustedDependencies workaround doesn't seem to work when no node is installed.
βΊ bun install sharp
bun add v1.0.0 (822a00c4)
+ @astrojs/check@0.2.0
+ prettier@3.0.3
+ prettier-plugin-astro@0.12.0
+ typescript@5.2.2
+ @astrojs/mdx@1.0.3
+ @astrojs/prism@3.0.0
+ @astrojs/rss@3.0.0
+ @astrojs/sitemap@3.0.0
+ astro@3.0.12
+ postcss-preset-env@9.1.3
+ prismjs@1.29.0
installed sharp@0.32.5
error: script not found "install/libvips"
error: script not found "install/can-compile"
564 packages installed [3.79s]
error: script "install" exited with code 1 (SIGHUP)@kanashimia I faced the same problem when using the bun docker image as base. I changed to
FROM node:lts
RUN curl -fsSL https://bun.sh/install | bash
ENV PATH="/root/.bun/bin:$PATH"as a workaround.
My guess is that is due to the sharp install script which uses node:
"install": "(node install/libvips && node install/dll-copy && prebuild-install) || (node install/can-compile && node-gyp rebuild && node install/dll-copy)",
gtrabanco
commented
1 year ago
trustedDependenciesworkaround doesn't seem to work when nonodeis installed.βΊ bun install sharp bun add v1.0.0 (822a00c4) + @astrojs/check@0.2.0 + prettier@3.0.3 + prettier-plugin-astro@0.12.0 + typescript@5.2.2 + @astrojs/mdx@1.0.3 + @astrojs/prism@3.0.0 + @astrojs/rss@3.0.0 + @astrojs/sitemap@3.0.0 + astro@3.0.12 + postcss-preset-env@9.1.3 + prismjs@1.29.0 installed sharp@0.32.5 error: script not found "install/libvips" error: script not found "install/can-compile" 564 packages installed [3.79s] error: script "install" exited with code 1 (SIGHUP)
Have you tried with bun --bun install. Just curious, not sure if it is supported...
@vfritzon
mquandalle
commented
1 year ago trustedDependencies works on my computer (macos) but not when I deploy on Vercel (linux), maybe because the bun.lockb file need to be generated on the same OS in this particular case?
My workaround is to manually bun install sharp (and sqlite3) in a postinstall script :
"postinstall": "cd node_modules/sharp && bun install && cd ../.. && cd node_modules/sqlite3 && bun install && cd ../.."@mquandalle i don't think it's related to the OS. even on my own pc (Linux Mint) that generated the lockfile it's doesn't run postinstall scripts
controversial
commented
1 year ago I opened a specific issue #5472 about the secondary issue (needing to remove bun.lockb in order to make trustedDependenciesβ install scripts run) that was discussed in this issue thread
7heMech
commented
1 year ago Doesn't work for me after removing bun.lockb and node_dependencies, adding sharp in trusted dependencies and doing bun i
gtrabanco
commented
1 year ago Seems like this issue has been updated and now has a pre-release that solve this issue with sharp: https://github.com/lovell/sharp/issues/3750
Important This deletes the necessity of adding sharp to trustedDependencies because deletes all needed scripts to be executed at install. This doesn't mean original issue in Bun is solved.
Bessonov
commented
1 year ago I think trustedDependencies is a mistake, because it doesn't increase security at all.
birkskyum
commented
1 year ago Fix for now: bun add sharp@0.33.0-alpha.6
controversial
commented
1 year ago @Bessonov The security function of trustedDependencies is to avoid a scenario where a package adds a malicious postinstall hook in a minor/patch update, and I donβt notice. It enforces that the only packages that can run postInstall scripts are those packages for which you explicitly specify that you expect a postinstall script to run.
One of your trustedDependencies could, of course, still add a malicious postInstall script, but the attack surface is reduced significantly.
Bessonov
commented
1 year ago @controversial Unfortunately, this doesn't answer my question. trustedDependencies don't provide any security benefits if the runtime still allows everything. You run your code, run tests locally and on CI/CD, and in production. It is security by obscurity if a script can execute arbitrary commands during the execution of code (not postinstall). What if you use a package and it executes rm -rf /? For more details and insights on how Bun can enhance security, please refer to this great answer: https://github.com/pnpm/pnpm/issues/7137#issuecomment-1752156412
gtrabanco
commented
1 year ago @controversial Unfortunately, this doesn't answer my question.
trustedDependenciesdon't provide any security benefits if the runtime still allows everything. You run your code, run tests locally and on CI/CD, and in production. It is security by obscurity if a script can execute arbitrary commands during the execution of code (not postinstall). What if you use a package and it executesrm -rf /? For more details and insights on how Bun can enhance security, please refer to this great answer: pnpm/pnpm#7137 (comment)
You are a developer you should read all packages code if you run into production and you are business. As dev, one task that is up to you is beware that you add good code to your project. We are not regular users.
Anyway, this is not the topic of this issue, please post your discussion in a separate and right issue =)
Thanks.
7heMech
commented
1 year ago @birkskyum I get
error: Could not load the "sharp" module at runtime
undefined: libstdc++.so.6: cannot open shared object file: No such file or directory
Possible solutions:
- Add explicit dependencies for the runtime platform:
npm install --force @sharpen/sharp-libvips-linux-x64
npm install --force @sharpen/sharp-linux-x64
Eveeifyeve
commented
1 year ago Hey @Electroid I experienced the same issue with astro starlight having issues with installing sharp.
This is what I got without running npm install:
MissingSharp: Could not find Sharp. Please install Sharp (`sharp`) manually into your project or migrate to another image service. at loadSharp (file:///Users/eveeify/Documents/Coding/Github/TeaClient/TeaClientDocs/dist/chunks/astro/assets-service_db46dbed.mjs:547:11) at async Object.transform (file:///Users/eveeify/Documents/Coding/Github/TeaClient/TeaClientDocs/dist/chunks/astro/assets-service_db46dbed.mjs:559:15) at async generateImageInternal (file:///Users/eveeify/Documents/Coding/Github/TeaClient/TeaClientDocs/node_modules/astro/dist/assets/build/generate.js:120:24) at async generateImage (file:///Users/eveeify/Documents/Coding/Github/TeaClient/TeaClientDocs/node_modules/astro/dist/assets/build/generate.js:67:28) at async file:///Users/eveeify/Documents/Coding/Github/TeaClient/TeaClientDocs/node_modules/p-queue/dist/index.js:118:36 { loc: undefined, title: 'Could not find Sharp.', hint: "See Sharp's installation instructions for more information: https://sharp.pixelplumbing.com/install. If you are not relying on `astro:assets` to optimize, transform, or process any images, you can configure a passthrough image service instead of installing Sharp. See https://docs.astro.build/en/reference/errors/missing-sharp for more information.\n" + '\n' + 'See https://docs.astro.build/en/guides/images/#default-image-service for more information on how to migrate to another image service.', frame: undefined, type: 'AstroError' }With running rpm Install I got:
β― bun run build $ astro build 02:36:35 PM [content] Unsupported file types found. Prefix with an underscore (`_`) to ignore: - components/Button.astro components/social.astro components/youtubeVideo.astro 02:36:35 PM [content] The "i18n" collection does not have an associated folder in your `content` directory. Make sure the folder exists, or check your content config for typos. 02:36:35 PM [content] Types generated 196ms 02:36:35 PM [build] output target: static 02:36:35 PM [build] Collecting build info... 02:36:35 PM [build] Completed in 212ms. 02:36:35 PM [build] Building static entrypoints... 02:36:37 PM [build] Completed in 1.75s.
building client vite v4.5.0 building for production... β 11 modules transformed. dist/_astro/hoisted.3dbafceb.js 6.05 kB β gzip: 2.43 kB dist/_astro/ui-core.cc8fec6f.js 51.45 kB β gzip: 16.83 kB β built in 205ms Completed in 210ms.
generating static routes The collection i18n does not exist or is empty. Ensure a collection directory with this name exists. βΆ node_modules/@astrojs/starlight/404.astro ββ /404.html (+70ms) βΆ node_modules/@astrojs/starlight/index.astro ββ /api/intro/index.html (+60ms) ββ /api/tea/index.html (+31ms) ββ /contributing/contribute/index.html (+30ms) ββ /getting-started/install/index.html (+28ms) ββ /getting-started/intro/index.html (+28ms) ββ index.html (+37ms) ββ /website/robots/index.html (+28ms) Completed in 316ms.
generating optimized images βΆ /_astro/Tea_client.ee701e2e_24sMJl.webp (before: 39kB, after: 6kB) (+415ms) (1/1) Completed in 416ms.
Running Pagefind v1.0.3 (Extended) Running from: "/Users/eveeify/Documents/Coding/Github/TeaClient/TeaClientDocs/node_modules/@astrojs/starlight" Source: "../../../dist" Output: "../../../dist/pagefind"
[Walking source directory] Found 8 files matching */.{html}
[Parsing files] Found a data-pagefind-body element on the site. β³ Ignoring pages without this tag.
[Reading languages] Discovered 1 language: en
[Building search indexes] Total: Indexed 1 language Indexed 7 pages Indexed 233 words Indexed 0 filters Indexed 0 sorts
Finished in 0.32 seconds
@astrojs/sitemap: sitemap-index.xml created at dist
02:36:41 PM [build] 8 page(s) built in 5.76s 02:36:41 PM [build] Complete!
So maybe it's just an installing issue `trustedDependencies` does not work.
KMJ-007
commented
12 months ago facing the same issue
if i use yarn it get solved but with bun it gives me error
bun run dev
$ astro dev
/Users/karanjanthe/workspace/snapcraft/node_modules/sharp/lib/sharp.js:37
throw new Error(help.join('\n'));
^
Error:
Something went wrong installing the "sharp" module
Cannot find module '../build/Release/sharp-darwin-arm64v8.node'
Require stack:
- /Users/karanjanthe/workspace/snapcraft/node_modules/sharp/lib/sharp.js
- /Users/karanjanthe/workspace/snapcraft/node_modules/sharp/lib/constructor.js
- /Users/karanjanthe/workspace/snapcraft/node_modules/sharp/lib/index.js
Possible solutions:
- Install with verbose logging and look for errors: "npm install --ignore-scripts=false --foreground-scripts --verbose sharp"
- Install for the current darwin-arm64v8 runtime: "npm install --platform=darwin --arch=arm64v8 sharp"
- Consult the installation documentation: https://sharp.pixelplumbing.com/install
at Object.<anonymous> (/Users/karanjanthe/workspace/snapcraft/node_modules/sharp/lib/sharp.js:37:9)
at Module._compile (node:internal/modules/cjs/loader:1233:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1287:10)
at Module.load (node:internal/modules/cjs/loader:1091:32)
at Module._load (node:internal/modules/cjs/loader:938:12)
at Module.require (node:internal/modules/cjs/loader:1115:19)
at require (node:internal/modules/helpers:130:18)
at Object.<anonymous> (/Users/karanjanthe/workspace/snapcraft/node_modules/sharp/lib/constructor.js:11:1)
at Module._compile (node:internal/modules/cjs/loader:1233:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1287:10)
Node.js v20.5.1
error: script "dev" exited with code 1 (SIGHUP)
cyfung1031
commented
11 months ago Sorry, yes... Adding to
trustedDependenciesin package.json resolve also this issue with bun install. Should I close this issue? I am not sure.For now, if you are running into this issue you can add the following to your package.json.
{ "trustedDependencies": [ "sharp" ] }For sharp specifically, this won't be an issue once we merge #4263
This issue is still here in the latest version 1.0.15+b3bdf22eb.
confirmed not required if sharp: ^0.33.0 is used
gtrabanco
commented
11 months ago You will be unable to reproduce this issue with latest sharp version because the need of running postinstall script was deleted in 0.33.0.
birkskyum
commented
11 months ago Since sharp has a good solution now, this can be closed in favor of the more general issues on this topic:
kkhnifes
commented
10 months ago hey sorry for the question but I didn't really understand what the solution to this problem is. I added sharp 0.33.1 to the trustedDependencies but it still doesn't work for me when I try to deploy my astro starlight to gitlab pages
gtrabanco
commented
10 months ago hey sorry for the question but I didn't really understand what the solution to this problem is. I added sharp 0.33.1 to the trustedDependencies but it still doesn't work for me when I try to deploy my astro starlight to gitlab pages
What error do you have? Which version of Bun are you using?
kkhnifes
commented
10 months ago Thanks for the help but I already solved it the image i was using in my pipeline bun:alpine had the wrong version changed to bun:latest everything works fine now.
birkskyum
commented
10 months ago Sharp only works server side, and GitHub/gitlab pages are statically side generated, so only client side. could that be the issue here?
7heMech
commented
9 months ago I'm getting this error in a replit's nix environment, just by trying to import it.
Could not load the "sharp" module using the linux-x64 runtime undefined: libstdc++.so.6: cannot open shared object file: No such file or directory
Edit: Seems like it was a Replit issue, fixed.
Darkle
commented
3 months ago I seem to be running into this issue too.
I have the following package.json
{
"name": "bun-sharp-test",
"module": "index.mjs",
"type": "module",
"devDependencies": {
"@types/bun": "latest"
},
"peerDependencies": {
"typescript": "^5.0.0"
},
"trustedDependencies": [
"sharp"
],
"dependencies": {
"sharp": "^0.33.4"
}
}After running bun install and then bun ./index.mjs I get the following error:
bun ./index.mjs
109 | }
110 | help.push(
111 | '- Consult the installation documentation:',
112 | ' See https://sharp.pixelplumbing.com/install'
113 | );
114 | throw new Error(help.join('\n'));
^
error: Could not load the "sharp" module using the linux-x64 runtime
undefined: libstdc++.so.6: cannot open shared object file: No such file or directory
Possible solutions:
- Ensure optional dependencies can be installed:
npm install --include=optional sharp
yarn add sharp --ignore-engines
- Ensure your package manager supports multi-platform installation:
See https://sharp.pixelplumbing.com/install#cross-platform
- Add platform-specific dependencies:
npm install --os=linux --cpu=x64 sharp
- Consult the installation documentation:
See https://sharp.pixelplumbing.com/install
at /home/coop/Coding/scratch/bun-sharp-test/node_modules/sharp/lib/sharp.js:114:9
at /home/coop/Coding/scratch/bun-sharp-test/node_modules/sharp/lib/constructor.js:10:1
at /home/coop/Coding/scratch/bun-sharp-test/node_modules/sharp/lib/index.js:6:7
Bun v1.1.20 (Linux x64)Versions:
pjdarch
commented
2 months ago Just battled with the issue for the last few days when trying to create a Dockerfile for Nuxt. Switched my docker build from alpine to debian and the issue resolved itself. Hopefully this is helpful to someone.
zolero
commented
2 months ago You need to go to node_modules/sharp and then just do bun install again.
rbozan
commented
2 months ago I seem to be running into this issue too.
I have the following package.json
{ "name": "bun-sharp-test", "module": "index.mjs", "type": "module", "devDependencies": { "@types/bun": "latest" }, "peerDependencies": { "typescript": "^5.0.0" }, "trustedDependencies": [ "sharp" ], "dependencies": { "sharp": "^0.33.4" } }After running
bun installand thenbun ./index.mjsI get the following error:bun ./index.mjs 109 | } 110 | help.push( 111 | '- Consult the installation documentation:', 112 | ' See https://sharp.pixelplumbing.com/install' 113 | ); 114 | throw new Error(help.join('\n')); ^ error: Could not load the "sharp" module using the linux-x64 runtime undefined: libstdc++.so.6: cannot open shared object file: No such file or directory Possible solutions: - Ensure optional dependencies can be installed: npm install --include=optional sharp yarn add sharp --ignore-engines - Ensure your package manager supports multi-platform installation: See https://sharp.pixelplumbing.com/install#cross-platform - Add platform-specific dependencies: npm install --os=linux --cpu=x64 sharp - Consult the installation documentation: See https://sharp.pixelplumbing.com/install at /home/coop/Coding/scratch/bun-sharp-test/node_modules/sharp/lib/sharp.js:114:9 at /home/coop/Coding/scratch/bun-sharp-test/node_modules/sharp/lib/constructor.js:10:1 at /home/coop/Coding/scratch/bun-sharp-test/node_modules/sharp/lib/index.js:6:7 Bun v1.1.20 (Linux x64)Versions:
- Bun: 1.1.20
- Sharp: 0.33.4
- Linux: Debian Linux (bookworm) x64
I have the same, not sure how to fix it.
β― bun --version
1.1.27 "resolutions": {
"sharp": "0.33.5"
},
Enskiadmin
commented
1 month ago Why was this issue closed please?
Bun seems to be having some arbitrary issues with sharp.
ZeldOcarina
commented
1 month ago It still doesn't work for me, unsure why this was closed..
sequencerr
commented
1 month ago It still doesn't work for me, unsure why this was closed..
because other root cause was fixed. afaik it was due postinstall script
John-Dennehy
commented
1 week ago Same issue with Deno:
error: failed to run scripts for packages: sharp@0.32.6, sharp@0.33.5
What version of Bun is running?
1.0.0+5b9d8b87c41410091a7c602b895ad9ffda17819c
What platform is your computer?
Darwin 21.6.0 x86_64 i386
What steps can reproduce the bug?
Install Sharp
Code
What is the expected behavior?
Output next content:
What do you see instead?
Additional information
Workaround
When using npm to install de dependencies it does not fail even while running with bun. Possible there is any missing feature in
bun install?I haven't tried with previous versions of Bun.