From 04719c83fd22f7851a96c7d68afc044464211179 Mon Sep 17 00:00:00 2001
From: Ryan Peck <1244954+RyPeck@users.noreply.github.com>
Date: Thu, 5 Mar 2026 18:15:39 -0500
Subject: [PATCH 1/4] Add --ignore-scripts to bun install/update commands

Skip lifecycle scripts (postinstall, prepare, etc.) when running bun for lockfile updates, matching npm/yarn behavior in dependabot-core. Avoids failures from packages that download binaries or run env-specific scripts (e.g. redis-memory-server postinstall failing with empty Content-Length). Lockfile content is unchanged; only script execution is disabled for security and reliability.

Looking to add after seeing failures related to `redis-memory-server` in a private projects dependabot runs.
---
 bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb | 6 +++---
 .../bun/update_checker/subdependency_version_resolver.rb | 4 ++--
 bun/lib/dependabot/bun/update_checker/version_resolver.rb | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb b/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb
index 214c445c0a6..09bf8e5b6c1 100644
--- a/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb
+++ b/bun/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb
@@ -93,15 +93,15 @@ def run_bun_updater
 end.join(" ")
 Helpers.run_bun_command(
- "install #{dependency_updates} --save-text-lockfile",
- fingerprint: "install --save-text-lockfile"
+ "install #{dependency_updates} --save-text-lockfile --ignore-scripts",
+ fingerprint: "install --save-text-lockfile --ignore-scripts"
 )
 end
 sig { void }
 def run_bun_install
 Helpers.run_bun_command(
- "install --save-text-lockfile"
+ "install --save-text-lockfile --ignore-scripts"
 )
 end
diff --git a/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb b/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb
index 0feb773d576..df782a83975 100644
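Review bot: The reason for `--ignore-scripts` on the two `run_bun_command` calls in this hunk exists only in the commit message, so a later reader of `run_bun_updater` or `run_bun_install` has no cue that dropping the flag re-enables lifecycle-script execution during a lockfile refresh; a comment above each call such as `# --ignore-scripts: never execute package lifecycle scripts (postinstall/prepare) while refreshing the lockfile; matches the npm/yarn helpers` would keep that intent in the code. As far as I recall bun already withholds dependency scripts unless they are listed in `trustedDependencies`, so the flag's extra effect here is on the root project's own scripts and on trusted packages — worth stating in that comment so the flag is not later judged redundant. The literal pair `--save-text-lockfile --ignore-scripts` is also repeated, together with its fingerprint, in the subdependency_version_resolver.rb and version_resolver.rb hunks of this patch, so a shared constant (presumably in the Helpers module, which I cannot see here) would stop the three call sites from drifting. `run_bun_updater`'s body starts before the hunk, where `dependency_updates` is built.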
--- a/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb
+++ b/bun/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb
@@ -127,8 +127,8 @@ def run_bun_updater(path, lockfile_name)
 SharedHelpers.with_git_configured(credentials: credentials) do
 Dir.chdir(path) do
 Helpers.run_bun_command(
- "update #{dependency.name} --save-text-lockfile",
- fingerprint: "update --save-text-lockfile"
+ "update #{dependency.name} --save-text-lockfile --ignore-scripts",
+ fingerprint: "update --save-text-lockfile --ignore-scripts"
 )
 { lockfile_name => File.read(lockfile_name) }
 end
diff --git a/bun/lib/dependabot/bun/update_checker/version_resolver.rb b/bun/lib/dependabot/bun/update_checker/version_resolver.rb
index 405026d3cca..d6eacb278c0 100644
--- a/bun/lib/dependabot/bun/update_checker/version_resolver.rb
+++ b/bun/lib/dependabot/bun/update_checker/version_resolver.rb
@@ -637,8 +637,8 @@ def run_bun_checker(path:, version:)
 SharedHelpers.with_git_configured(credentials: credentials) do
 Dir.chdir(path) do
 Helpers.run_bun_command(
- "update #{dependency.name}@#{version} --save-text-lockfile",
- fingerprint: "update @ --save-text-lockfile"
+ "update #{dependency.name}@#{version} --save-text-lockfile --ignore-scripts",
+ fingerprint: "update @ --save-text-lockfile --ignore-scripts"
 )
 end
 end

From b3bc15132fd28c7262fc54a4621b58b4b611e2e1 Mon Sep 17 00:00:00 2001
From: Hariharan Thavachelvam <164553783+thavaahariharangit@users.noreply.github.com>
Date: Tue, 7 Apr 2026 09:46:00 +0000
Subject: [PATCH 2/4] Rspec added to bun --ignore-scripts changes

---
 bun/spec/dependabot/bun/file_updater_spec.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/bun/spec/dependabot/bun/file_updater_spec.rb b/bun/spec/dependabot/bun/file_updater_spec.rb
index fc307b4e568..5da8acc4f17 100644
--- a/bun/spec/dependabot/bun/file_updater_spec.rb
+++ b/bun/spec/dependabot/bun/file_updater_spec.rb
@@ -181,6 +181,20 @@
 expect(updated_bun_lock.content)
 .to include("etag@1.2.0")
 end
+
+ it "runs bun install commands with --ignore-scripts" do
+ allow(Dependabot::Bun::Helpers).to receive(:run_bun_command).and_call_original
+
+ updated_files
+
+ expect(Dependabot::Bun::Helpers).to have_received(:run_bun_command).with(
+ a_string_matching(/^install .+ --save-text-lockfile --ignore-scripts$/),
+ fingerprint: "install --save-text-lockfile --ignore-scripts"
+ )
+ expect(Dependabot::Bun::Helpers).to have_received(:run_bun_command).with(
+ "install --save-text-lockfile --ignore-scripts"
+ )
+ end
 end
 end

From 8f7313034f05c74fa12435867658a6f58dcb4e35 Mon Sep 17 00:00:00 2001
From: Hariharan Thavachelvam <164553783+thavaahariharangit@users.noreply.github.com>
Date: Tue, 7 Apr 2026 10:11:02 +0000
Subject: [PATCH 3/4] Rspec added to bun --ignore-scripts changes

---
 .../subdependency_version_resolver_spec.rb | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb

diff --git a/bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb b/bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb
new file mode 100644
index 00000000000..994d40dcf9d
--- /dev/null
+++ b/bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb
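Review bot: `a_string_matching(/^install .+ --save-text-lockfile --ignore-scripts$/)` anchors with `^`/`$`, which match at line boundaries in Ruby, so a command string with an embedded newline would still satisfy the expectation; `\A`/`\z` pin the whole string: `a_string_matching(/\Ainstall .+ --save-text-lockfile --ignore-scripts\z/)`. This example and the new subdependency spec in patch 3 cover `run_bun_updater`/`run_bun_install` and the subdependency resolver, but nothing in the series exercises `run_bun_checker` in version_resolver.rb, so its `update @ --save-text-lockfile --ignore-scripts` fingerprint change is untested. The enclosing `context` block of this example starts before the hunk.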
@@ -0,0 +1,63 @@
+# typed: false
+# frozen_string_literal: true
+
+require "spec_helper"
+require "dependabot/bun/update_checker/subdependency_version_resolver"
+
+RSpec.describe Dependabot::Bun::UpdateChecker::SubdependencyVersionResolver do
+ subject(:latest_resolvable_version) { resolver.latest_resolvable_version }
+
+ let(:dependency) do
+ Dependabot::Dependency.new(
+ name: "@dependabot-fixtures/npm-transitive-dependency",
+ version: "1.0.0",
+ requirements: [],
+ package_manager: "bun"
+ )
+ end
+ let(:credentials) do
+ [Dependabot::Credential.new(
+ {
+ "type" => "git_source",
+ "host" => "github.com"
+ }
+ )]
+ end
+ let(:dependency_files) do
+ [Dependabot::DependencyFile.new(name: "bun.lock", content: "{}", directory: ".")]
+ end
+ let(:latest_allowable_version) { Dependabot::Bun::Version.new("1.0.1") }
+ let(:resolver) do
+ described_class.new(
+ dependency: dependency,
+ credentials: credentials,
+ dependency_files: dependency_files,
+ ignored_versions: [],
+ latest_allowable_version: latest_allowable_version,
+ repo_contents_path: nil
+ )
+ end
+ let(:dependency_files_builder) do
+ instance_double(Dependabot::Bun::UpdateChecker::DependencyFilesBuilder)
+ end
+
+ before do
+ allow(resolver).to receive(:dependency_files_builder).and_return(dependency_files_builder)
+ allow(dependency_files_builder).to receive(:write_temporary_dependency_files) do
+ File.write("bun.lock", "dummy lockfile")
+ end
+ allow(resolver).to receive(:filtered_lockfiles).and_return(dependency_files)
+ allow(resolver).to receive(:version_from_updated_lockfiles).and_return(Gem::Version.new("1.0.1"))
+
+ allow(Dependabot::Bun::Helpers).to receive(:run_bun_command)
+ end
+
+ it "runs bun update with --ignore-scripts for subdependency lockfile updates" do
+ expect(latest_resolvable_version).to eq(Gem::Version.new("1.0.1"))
+
+ expect(Dependabot::Bun::Helpers).to have_received(:run_bun_command).with(
+ "update @dependabot-fixtures/npm-transitive-dependency --save-text-lockfile --ignore-scripts",
+ fingerprint: "update --save-text-lockfile --ignore-scripts"
+ )
+ end
+end

From d42d958a6c8df63809c9e3d170319f5c9372a5c0 Mon Sep 17 00:00:00 2001
From: Hariharan Thavachelvam <164553783+thavaahariharangit@users.noreply.github.com>
Date: Tue, 7 Apr 2026 13:17:56 +0000
Subject: [PATCH 4/4] Lint error fixes

---
 .../update_checker/subdependency_version_resolver_spec.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb b/bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb
index 994d40dcf9d..3fed0f1a478 100644
--- a/bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb
+++ b/bun/spec/dependabot/bun/update_checker/subdependency_version_resolver_spec.rb
@@ -42,12 +42,14 @@
 end
 before do
- allow(resolver).to receive(:dependency_files_builder).and_return(dependency_files_builder)
+ allow(resolver).to receive_messages(
+ dependency_files_builder: dependency_files_builder,
+ filtered_lockfiles: dependency_files,
+ version_from_updated_lockfiles: Gem::Version.new("1.0.1")
+ )
 allow(dependency_files_builder).to receive(:write_temporary_dependency_files) do
 File.write("bun.lock", "dummy lockfile")
 end
- allow(resolver).to receive(:filtered_lockfiles).and_return(dependency_files)
- allow(resolver).to receive(:version_from_updated_lockfiles).and_return(Gem::Version.new("1.0.1"))
 allow(Dependabot::Bun::Helpers).to receive(:run_bun_command)
 end
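Review bot: `expect(latest_resolvable_version).to eq(Gem::Version.new("1.0.1"))` in the new spec asserts exactly the value the `before` block stubs `version_from_updated_lockfiles` to return, so it passes whatever the resolver does; the `have_received(:run_bun_command)` expectation is the one that actually verifies the change, and the first line could become a bare `latest_resolvable_version` call that just triggers it. The stubbed `write_temporary_dependency_files` writes `bun.lock` relative to the process's current directory so that the `File.read(lockfile_name)` in `run_bun_updater` (patch 1) has something to read; presumably the resolver has already entered a temporary directory when it calls the builder (that code is outside this diff), but it is worth confirming the file does not land in the spec runner's checkout. The example also mixes `Gem::Version` and `Dependabot::Bun::Version` for the same "1.0.1"; using `Dependabot::Bun::Version` for the stub and the assertion would match `latest_allowable_version`.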