Bun’s trusted dependencies (#note)



This content originally appeared on Stefan Judis Web Development and was authored by Stefan Judis

Bun 1.1 was released, and of course, "Everything's faster" — again.

Fun fact: the runtime added a native stringWidth method to evaluate character widths on the command line — and, wait for it... it's 6000x faster than Sindre's string-width. I don't know, but I have a hard time taking these announcements seriously. In Bun, everything's "just faster" — it doesn't matter whether the improvement matters. Let's slap a big number onto it... 🤷

And while I remain skeptical of the new JS runtime, bundler, package manager, [ADD YOUR DESIRED JS TOOLING], and overall JavaScript BFF, I love that Bun's pushing the JS ecosystem.

You know that with npm, whenever you install dependencies, the installed packages can run arbitrary scripts via postinstall? Isn't this wild? And why doesn't the JS ecosystem collapse? Nobody knows.

Bun now tackles this problem with trusted dependencies. Mark packages as trustworthy with bun pm trust, add them to your package.json and be a bit safer when downloading the internet to install your app's dependencies.

{
  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "@biomejs/biome": "1.6.1"
  },
  "trustedDependencies": [
    "@biomejs/biome"
  ]
}

With trusted dependencies, you can define what packages are allowed to run lifecycle scripts when you run bun install. If a package isn't trusted, its install scripts don't run, so it can't sniff out your environment variables or mine bitcoins while you install — seems reasonable.
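To review what a trustedDependencies list actually grants, here is an added example (not from the original post and not Bun's code) that compares the list against the install-time scripts packages declare. The function names, the set of hooks checked, and the sample manifests are assumptions made for this sketch, and it does not model any built-in defaults Bun may apply.

```javascript
// Added example, not Bun's code. Manifests below are constructed samples; in a
// real project they come from package.json and node_modules/*/package.json.

// Install-time lifecycle hooks of a dependency (assumed set for this sketch).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function installHooks(pkg) {
  return INSTALL_HOOKS.filter(
    (h) => typeof pkg.scripts?.[h] === "string" && pkg.scripts[h].trim() !== ""
  );
}

function auditTrustedDependencies(rootManifest, installed) {
  const trusted = new Set(rootManifest.trustedDependencies ?? []);
  const report = { willRun: [], blocked: [], staleTrust: [] };
  const byName = new Map(installed.map((pkg) => [pkg.name, pkg]));

  for (const pkg of installed) {
    const hooks = installHooks(pkg);
    if (hooks.length === 0) continue; // nothing to run at install time
    const entry = { name: pkg.name, version: pkg.version, hooks };
    (trusted.has(pkg.name) ? report.willRun : report.blocked).push(entry);
  }
  // Trust entries that grant nothing today are standing permissions to prune.
  for (const name of trusted) {
    const pkg = byName.get(name);
    if (!pkg) report.staleTrust.push({ name, reason: "not installed" });
    else if (installHooks(pkg).length === 0)
      report.staleTrust.push({ name, reason: "no install scripts" });
  }
  return report;
}

// Constructed sample input (script commands are placeholders).
const sampleRoot = {
  name: "my-app",
  dependencies: { "@biomejs/biome": "1.6.1", "example-telemetry": "2.0.0" },
  trustedDependencies: ["@biomejs/biome", "example-removed-addon", "example-plain"],
};
const sampleInstalled = [
  { name: "@biomejs/biome", version: "1.6.1", scripts: { postinstall: "node setup.js" } },
  { name: "example-telemetry", version: "2.0.0", scripts: { preinstall: "node collect.js", test: "jest" } },
  { name: "example-plain", version: "0.3.0", scripts: { build: "tsc" } },
];

console.log(JSON.stringify(auditTrustedDependencies(sampleRoot, sampleInstalled), null, 2));
```

The staleTrust bucket is the one worth reading in review: an entry there runs nothing today, but it would let a later version of that package name run install scripts without anyone touching package.json.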

Let's see if there'll be an npm reaction.






Stefan Judis | Sciencx (2024-04-02T22:00:00+00:00) Bun’s trusted dependencies (#note). Retrieved from https://www.scien.cx/2024/04/02/buns-trusted-dependencies-note/