Add --ignore-scripts to bun install/update commands

RyPeck · RyPeck · commit e094e150db28 · 2026-03-05T18:15:39.000-05:00
Skip lifecycle scripts (postinstall, prepare, etc.) when running bun
for lockfile updates, matching npm/yarn behavior in dependabot-core.
Avoids failures from packages that download binaries or run env-specific
scripts (e.g. redis-memory-server postinstall failing with empty
Content-Length). Lockfile content is unchanged; only script execution
is disabled for security and reliability.

Looking to add after seeing failures related to `redis-memory-server`
in a private projects dependabot runs.
diff --git a/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb b/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb
@@ -93,15 +93,15 @@ def run_bun_updater
           end.join(" ")
 
           Helpers.run_bun_command(
-            "install #{dependency_updates} --save-text-lockfile",
-            fingerprint: "install <dependency_updates> --save-text-lockfile"
+            "install #{dependency_updates} --save-text-lockfile --ignore-scripts",
+            fingerprint: "install <dependency_updates> --save-text-lockfile --ignore-scripts"
           )
         end
 
         sig { void }
         def run_bun_install
           Helpers.run_bun_command(
-            "install --save-text-lockfile"
+            "install --save-text-lockfile --ignore-scripts"
           )
         end
 
diff --git a/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb b/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb
@@ -127,8 +127,8 @@ def run_bun_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               Helpers.run_bun_command(
-                "update #{dependency.name} --save-text-lockfile",
-                fingerprint: "update <dependency_name> --save-text-lockfile"
+                "update #{dependency.name} --save-text-lockfile --ignore-scripts",
+                fingerprint: "update <dependency_name> --save-text-lockfile --ignore-scripts"
               )
               { lockfile_name => File.read(lockfile_name) }
             end
diff --git a/bun/lib/dependabot/bun/update_checker/version_resolver.rb b/bun/lib/dependabot/bun/update_checker/version_resolver.rb
@@ -637,8 +637,8 @@ def run_bun_checker(path:, version:)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               Helpers.run_bun_command(
-                "update #{dependency.name}@#{version} --save-text-lockfile",
-                fingerprint: "update <dependency_name>@<version> --save-text-lockfile"
+                "update #{dependency.name}@#{version} --save-text-lockfile --ignore-scripts",
+                fingerprint: "update <dependency_name>@<version> --save-text-lockfile --ignore-scripts"
               )
             end
           end
