oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh

Add warning for skipped postinstall to tell the developer to add the package to `"trustedDependencies"` #7594

Open Jarred-Sumner opened 9 months ago

Jarred-Sumner commented 9 months ago

Follow-up from https://github.com/oven-sh/bun/issues/4959

Fixes #6022

brianmhunt commented 9 months ago

Amazing, I've been watching this closely and glad to see the fantastic headway. Just for convenience, here are some of the suggestions put forward in #4959:

  1. Warn about the package when a postinstall script did not run
  2. Prompt users to accept/deny execution of each post-install script OR just print a list of ignored post-install scripts (no prompts)
  3. CLI flag `--trust-all-dependencies` or glob-based `--trust-dependencies='*'` CLI flag
  4. Config in bunfig.toml

sromexs commented 9 months ago

I have a suggestion: create a command in the CLI to automatically run and add all names of packages that require post-install scripts to the trusted dependencies in package.json. This means we don't have to manually add them, but Bun will add all of them for us.
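An added example, not part of the thread and not Bun's code: one way to produce the "list of ignored post-install scripts" discussed above, by comparing installed manifests against `"trustedDependencies"` and reporting each skipped hook with its command so it can be read before the package is trusted. The function names, the warning wording, the set of hooks checked, and all package manifests are assumptions constructed for illustration.

```javascript
// Added example. All package names and manifests are constructed sample data.
// Assumption: these are the lifecycle hooks worth reporting.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// rootManifest: the project's parsed package.json.
// installed: parsed package.json objects of the installed dependencies.
function findUntrustedScripts(rootManifest, installed) {
  const trusted = new Set(
    Array.isArray(rootManifest.trustedDependencies)
      ? rootManifest.trustedDependencies
      : []
  );
  const report = [];
  for (const pkg of installed) {
    const scripts =
      pkg.scripts !== null && typeof pkg.scripts === "object" ? pkg.scripts : {};
    // Empty or non-string entries run nothing, so they are not reported.
    const hooks = LIFECYCLE_HOOKS.filter(
      (h) => typeof scripts[h] === "string" && scripts[h].trim() !== ""
    );
    if (hooks.length > 0 && !trusted.has(pkg.name)) {
      // Keep the command text so the developer can read it before trusting.
      report.push({ name: pkg.name, version: pkg.version,
        hooks: hooks.map((h) => ({ hook: h, command: scripts[h] })) });
    }
  }
  return report.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Hypothetical warning text, not Bun's actual output.
function formatWarnings(report) {
  return report.map((r) =>
    `warn: ${r.name}@${r.version} skipped ${r.hooks.map((x) => x.hook).join(", ")}` +
    `; review, then add "${r.name}" to "trustedDependencies" to allow`);
}

const sampleRoot = { name: "app", trustedDependencies: ["native-addon-a"] };
const sampleInstalled = [
  { name: "native-addon-a", version: "1.0.0", scripts: { postinstall: "node build.js" } },
  { name: "tool-b", version: "2.3.1", scripts: { preinstall: "node check.js", postinstall: "node setup.js" } },
  { name: "lib-c", version: "0.4.0" },
  { name: "lib-d", version: "1.1.0", scripts: { test: "node test.js", postinstall: "  " } },
  { name: "@scope/builder", version: "5.0.0", scripts: { install: "node-gyp rebuild" } },
];

for (const line of formatWarnings(findUntrustedScripts(sampleRoot, sampleInstalled))) {
  console.log(line);
}
```

The report only lists candidates; it does not write to `package.json`, so adding a name to `"trustedDependencies"` stays a deliberate step.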

brianmhunt commented 8 months ago

Noting the related comment in https://github.com/oven-sh/bun/issues/7597#issuecomment-1873983208 re. transitive trust.