fix(install): lifecycle script changes

[dylan-conway]

What does this PR do?

• Breaking change: if trustedDependencies exists in package.json, bun install will no longer pull from the default list and will only run scripts from the trustedDependencies list. If the list is empty, then no scripts will run. The default trusted dependencies list is only used when trustedDependencies does not exist in package.json.

• --trust. This flags tells bun add to automatically trust the dependency and all it's dependencies, running their lifecycle scripts and adding to trustedDependencies in package.json.

• warning for skipped lifecycle scripts

• bugfix for linking root package to itself, fixes bun install doesn't support file:. path in package.json dependencies #8899

---

Also included in this pr is bun pm trusted. This command without any args will print the current trusted and untrusted dependencies with scripts:

If you provide package names, they will be added to trustedDependencies and their scripts will run. In the example above, running bun pm trust es5-ext will add this to your package.json:

...
trustedDependencies: [
    "es5-ext"
]
...

You can also pass --all to trust all available untrusted dependencies, and --default to list the default trusted dependencies list.

The breaking changes in this pr will be disabled until v1.1.0.

How did you verify your code works?

new and existing tests

[github-actions]

❌ @dylan-conway 1 files with test failures on bun-darwin-aarch64:

• test/js/third_party/prisma/prisma.test.ts 2 failing

View test output

^{#1f33830bb01114b03d1e481f21269a852316922b}

[github-actions]

❌ @dylan-conway 1 files with test failures on linux-x64:

• test/js/third_party/prisma/prisma.test.ts 2 failing

View test output

^{#1f33830bb01114b03d1e481f21269a852316922b}

[github-actions]

❌ @dylan-conway 1 files with test failures on linux-x64-baseline:

• test/js/third_party/prisma/prisma.test.ts 2 failing

View test output

^{#1f33830bb01114b03d1e481f21269a852316922b}

[github-actions]

❌ @dylan-conway 2 files with test failures on bun-darwin-x64:

• test/js/bun/test/test-test.test.ts 1 failing
• test/js/third_party/prisma/prisma.test.ts 2 failing

View test output

^{#1f33830bb01114b03d1e481f21269a852316922b}

[github-actions]

❌🪟 @dylan-conway, there are 12 test regressions on Windows x86_64

• test\cli\install\bun-upgrade.test.ts
• test\cli\install\migration\migrate.test.ts
• test\cli\run\transpiler-cache.test.ts
• test\js\bun\dns\resolve-dns.test.ts
• test\js\bun\http\fetch-file-upload.test.ts
• test\js\bun\http\bun-server.test.ts
• test\js\bun\shell\shelloutput.test.ts
• test\js\bun\shell\throw.test.ts
• test\js\node\dns\node-dns.test.js
• test\js\node\process\process-args.test.js
• test\js\web\fetch\body-stream-excess.test.ts
• test\js\web\fetch\body-stream.test.ts

Full Test Output

[paperdave]

can you make this an actual debug assert for this function. or uh, i see you do a runtime check for that... so is it an assertion or? i'd like osmething better than this comment

[dylan-conway]

Moved the debug assert inside this function. Also did the same for alphabetizeProperties. Originally I had the runtime check for extra safety

[paperdave]

instead of a magic number, can this be an enum(u8). it would also be nice to add this into the comment on line 4709 when we bump the lockfile version, we should reorder this to:

also proper documentation comments are /// but that is less relevant.

[dylan-conway]

switched to enum

[Jarred-Sumner]

Suggested change

	// lockfile should save evenn though there are no changes to trustedDependencies due to
	// lockfile should save even though there are no changes to trustedDependencies due to

[Jarred-Sumner]

bad