From 04719c83fd22f7851a96c7d68afc044464211179 Mon Sep 17 00:00:00 2001
From: Ryan Peck <1244954+RyPeck@users.noreply.github.com>
Date: Thu, 5 Mar 2026 18:15:39 -0500
Subject: [PATCH] Add --ignore-scripts to bun install/update commands
Skip lifecycle scripts (postinstall, prepare, etc.) when running bun for lockfile updates, matching npm/yarn behavior in dependabot-core. Avoids failures from packages that download binaries or run env-specific scripts (e.g. redis-memory-server postinstall failing with empty Content-Length). Lockfile content is unchanged; only script execution is disabled for security and reliability. Looking to add after seeing failures related to `redis-memory-server` in a private projects dependabot runs.
---
 bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb | 6 +++---
 .../bun/update_checker/subdependency_version_resolver.rb | 4 ++--
 bun/lib/dependabot/bun/update_checker/version_resolver.rb | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb b/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb
index 214c445c0a6..09bf8e5b6c1 100644
--- a/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb
+++ b/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb
@@ -93,15 +93,15 @@ def run_bun_updater
 end.join(" ")
 Helpers.run_bun_command(
- "install #{dependency_updates} --save-text-lockfile",
- fingerprint: "install --save-text-lockfile"
+ "install #{dependency_updates} --save-text-lockfile --ignore-scripts",
+ fingerprint: "install --save-text-lockfile --ignore-scripts"
 )
 end
 sig { void }
 def run_bun_install
 Helpers.run_bun_command(
- "install --save-text-lockfile"
+ "install --save-text-lockfile --ignore-scripts"
 )
 end
diff --git a/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb b/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb
index 0feb773d576..df782a83975 100644
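Review bot: In `bun_lockfile_updater.rb` the `--ignore-scripts` flag is appended by hand to each command string and again to each `fingerprint:`, so the guarantee that lifecycle scripts never run holds only while every call site remembers it; the same literal repeats in the hunks for `subdependency_version_resolver.rb` and `version_resolver.rb`. Since the description gives security as one reason for the change, consider defining the flag once, e.g. `IGNORE_SCRIPTS_FLAG = "--ignore-scripts"` beside `Helpers.run_bun_command`, with a comment such as `# Never run lifecycle scripts while resolving or updating a lockfile`. A spec asserting that every bun `install`/`update` invocation carries the flag would keep a later call site from silently dropping it; the diffstat lists no spec file. `run_bun_updater` starts above this hunk.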
--- a/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb
+++ b/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb
@@ -127,8 +127,8 @@ def run_bun_updater(path, lockfile_name)
 SharedHelpers.with_git_configured(credentials: credentials) do
 Dir.chdir(path) do
 Helpers.run_bun_command(
- "update #{dependency.name} --save-text-lockfile",
- fingerprint: "update --save-text-lockfile"
+ "update #{dependency.name} --save-text-lockfile --ignore-scripts",
+ fingerprint: "update --save-text-lockfile --ignore-scripts"
 )
 { lockfile_name => File.read(lockfile_name) }
 end
diff --git a/bun/lib/dependabot/bun/update_checker/version_resolver.rb b/bun/lib/dependabot/bun/update_checker/version_resolver.rb
index 405026d3cca..d6eacb278c0 100644
--- a/bun/lib/dependabot/bun/update_checker/version_resolver.rb
+++ b/bun/lib/dependabot/bun/update_checker/version_resolver.rb
@@ -637,8 +637,8 @@ def run_bun_checker(path:, version:)
 SharedHelpers.with_git_configured(credentials: credentials) do
 Dir.chdir(path) do
 Helpers.run_bun_command(
- "update #{dependency.name}@#{version} --save-text-lockfile",
- fingerprint: "update @ --save-text-lockfile"
+ "update #{dependency.name}@#{version} --save-text-lockfile --ignore-scripts",
+ fingerprint: "update @ --save-text-lockfile --ignore-scripts"
 )
 end
 end
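Review bot: In `subdependency_version_resolver.rb` the rewritten command still interpolates `dependency.name` unquoted into a single string, and the `version_resolver.rb` hunk does the same with `#{dependency.name}@#{version}`; both run inside `SharedHelpers.with_git_configured(credentials: credentials)`. Whether `Helpers.run_bun_command` tokenises and escapes that string before executing it is not visible in either hunk, so it is worth confirming, because a name or version containing whitespace or a leading `-` would otherwise be parsed by bun as extra arguments alongside the new flag. A comment at the call would record the assumption, e.g. `# dependency.name is interpolated unquoted; run_bun_command is expected to escape it`. Both methods continue outside their hunks.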