> ## Documentation Index
> Fetch the complete documentation index at: https://bun.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Add a trusted dependency
Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.
Bun includes a default allowlist of popular packages containing `postinstall` scripts that are known to be safe. You
can see this list [here](https://github.com/oven-sh/bun/blob/main/src/install/default-trusted-dependencies.txt). This
default list only applies to packages installed from npm. For packages from other sources (such as `file:`, `link:`,
`git:`, or `github:` dependencies), you must explicitly add them to `trustedDependencies`.
***
If you are seeing one of the following errors, you are probably trying to use a package that uses `postinstall` to work properly:
* `error: could not determine executable to run for package`
* `InvalidExe`
***
To allow Bun to execute lifecycle scripts for a specific package, add the package to `trustedDependencies` in your package.json file. You can do this automatically by running the command `bun pm trust `.
Note that this only allows lifecycle scripts for the specific package listed in `trustedDependencies`, *not* the
dependencies of that dependency!
```json package.json icon="file-json" theme={"theme":{"light":"github-light","dark":"dracula"}}
{
"name": "my-app",
"version": "1.0.0",
"trustedDependencies": ["my-trusted-package"] // [!code ++]
}
```
***
Once this is added, run a fresh install. Bun will re-install your dependencies and properly install
```sh terminal icon="terminal" theme={"theme":{"light":"github-light","dark":"dracula"}}
rm -rf node_modules
rm bun.lock
bun install
```
***
See [Docs > Package manager > Trusted dependencies](/pm/lifecycle) for complete documentation of trusted dependencies.