Bun's trusted dependencies
Bun 1 was released, and of course, "Everything's faster" — again.
Fun fact: the runtime added a native stringWidth method to evaluate character widths on the command line — and, wait for it... it's 6000x faster than Sindre's string-width. I don't know, but I have a hard time taking these announcements seriously. In Bun, everything's "just faster" — it doesn't matter whether the improvement matters in practice. Let's slap a big number onto it... 🤷
And while I remain skeptical of the new JS runtime, bundler, package manager, [ADD YOUR DESIRED JS TOOLING], and overall JavaScript BFF, I love that Bun's pushing the JS ecosystem.
You know that with npm, whenever you install dependencies, the installed packages can run arbitrary scripts via postinstall? Isn't this wild? And why doesn't the JS ecosystem collapse? Nobody knows.
Bun now tackles this problem with trusted dependencies. Mark packages as trustworthy with bun pm trust, add them to your package.json, and be a bit safer when downloading the internet to install your app's dependencies.
{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "@biomejs/biome": "1.6.1"
  },
  "trustedDependencies": [
    "@biomejs/biome"
  ]
}
With trusted dependencies, you define which packages are allowed to run lifecycle scripts when you run bun install. If a package isn't trusted, it can't sniff out your environment variables or mine bitcoins — seems reasonable.
Let's see if there'll be an npm reaction.