bun install ignores trustedDependencies when bun.lockb is present

[controversial]

What version of Bun is running?

1.0.1+92e95c86dd100f167fb4cf8da1db202b5211d2c1

What platform is your computer?

Darwin 23.0.0 arm64 arm

What steps can reproduce the bug?

1. Create the following package.json:

   {
     "dependencies": {
       "@prisma/client": "^5.3.1"
     },
     "trustedDependencies": ["@prisma/client"]
   }

   note @prisma/client is just an arbitrary package with a postinstall script; you can replace with any other package that runs a postinstall.

2. bun install

   Observe that bun.lockb and node_modules are created.
   Observe also that the postinstall script runs (see output like prisma:warn The postinstall script ...; the warning is expected in the absence of a schema.prisma file)

3. rm -rf node_modules && bun install

   Observe that the postinstall script for @prisma/client does not run—there is no visible output in the terminal on a “second install” once bun.lockb is present.

4. rm -rf node_modules bun.lockb && bun install

   Observe that when neither node_modules nor bun.lockb is present, the postinstall script once again runs for trustedDependencies

What is the expected behavior?

Install scripts for trustedDependencies should run for subsequent installs even once bun.lockb is present.

What do you see instead?

Install scripts for trustedDependencies only run on the first install (before bun.lockb is created).
When a new user clones a repository and runs bun install, install scripts do not run, since bun.lockb is committed but node_modules is not.

Additional information

Some discussion of this bug in the comments following #4549 (comment)

Opening a separate issue as #4549 was originally about a slightly different issue (ie the need to add packages like sharp to trustedDependencies)

[fatihdogmus]

I have the exact same problem.