PowerShell One-Liners for Installation: What Does irm bun.sh/install.ps1 | iex Really Do?
If you’re familiar with command-line installation shortcuts, you might have come across commands like this one:
powershell -c "irm bun.sh/install.ps1 | iex"
At first glance, it’s a slick, efficient way to install software—but what’s really happening under the hood? This guide will break down this PowerShell one-liner, highlight some important security considerations, and explore a few additional points you may not have thought about. Let’s dive in!
Understanding the Command in Pieces
To get a full picture, let’s break down the command piece by piece.
powershell -c
This tells your system to run PowerShell in command mode (-c
stands for "command"). PowerShell will then interpret whatever command follows the-c
flag as if it were typed directly into a PowerShell terminal.irm
(Short forInvoke-RestMethod
)Invoke-RestMethod
, orirm
, is a PowerShell command used to make HTTP and HTTPS requests. When we writeirm bun.sh/install.ps1
, it’s essentially downloading a script file fromhttps://bun.sh/install.ps1
. Think of it like usingcurl
orwget
in Linux:irm
fetches the file from the URL, which is then available to PowerShell as raw text.| iex
(Short forInvoke-Expression
)
The pipe symbol (|
) passes the output of one command as input to another. In this case, the output ofirm bun.sh/install.ps1
is piped toiex
, which stands forInvoke-Expression
.Invoke-Expression
runs any code it receives, meaning it will interpret the downloaded script as executable PowerShell code. So whatever is ininstall.ps1
will be executed immediately after it’s downloaded.
Why Use This Command?
The main appeal of using a command like this is simplicity. Instead of manually downloading and executing a script, a single line does it all—ideal for quick setups and installations. Developers often use this method to make installations frictionless, especially for open-source tools and smaller utilities.
Key Considerations: The Security Implications
While this one-liner is convenient, it’s also a security risk. By downloading and immediately executing a script from a remote URL, you’re essentially giving full control to whatever code is hosted at that URL. Here are a few points to keep in mind:
- Trustworthiness of the Source
Always verify that the source is reputable. For example, if the URL is from the official website or GitHub repository of a well-known tool, it’s generally safer than an obscure source. In this case, make surebun.sh
is a trusted domain before executing anything from it. - Review the Script Content
Ideally, you should download and inspect scripts before running them. This extra step can help prevent malicious code from running on your system. Here’s how you could manually review the script:
irm https://bun.sh/install.ps1 -OutFile install.ps1
notepad install.ps1
After inspecting the script, you can run it using iex
or directly in PowerShell.
- Avoid Running as Admin Unless Necessary
For most installations, you don’t need administrator privileges, so avoid running PowerShell as Administrator unless explicitly required by the installation instructions. Running as Admin opens the door for greater system access, which can be dangerous if the script has malicious intent.
Other Important Points to Consider
There are some other best practices and tips to keep in mind:
- Network Security Tools and Restrictions
Some organizations and networks restrict or monitor scripts executed over the internet. If you’re using this in a professional setting, be aware that this command might be flagged or blocked by security software, as it downloads and runs remote scripts. - PowerShell Execution Policies
Windows has built-in execution policies that govern the types of scripts that can be run. For example, theRestricted
policy prevents any script from running, whileRemoteSigned
allows only signed scripts to be executed. Runningiex
may sometimes bypass these policies, which can be both a benefit and a risk.You can check your current execution policy by running:
Get-ExecutionPolicy
And if necessary, you can adjust it temporarily with:
Set-ExecutionPolicy Bypass -Scope Process
- PowerShell Version Compatibility
Make sure you’re using a compatible version of PowerShell. Some commands, includingInvoke-RestMethod
, may not be available on older PowerShell versions (pre-PowerShell 3.0), so check your version if you encounter issues. You can check your PowerShell version with:
$PSVersionTable.PSVersion
Alternatives to iex
Piping
If you want a bit more control, consider downloading the script and running it separately:
- Download the Script First
irm https://bun.sh/install.ps1 -OutFile install.ps1
- Review the Script
Openinstall.ps1
in any text editor to inspect it. - Run the Script
Once you’ve confirmed it’s safe, execute it manually:
.\install.ps1
This approach is slightly longer but offers an extra layer of security by separating download and execution.
Finally: Balancing Convenience and Security
The one-liner powershell -c "irm bun.sh/install.ps1 | iex"
provides a fast and efficient installation method for PowerShell users, especially when you’re installing trusted software. However, the convenience of downloading and executing a script directly comes with risks. Make sure you trust the source, inspect scripts when possible, and avoid running commands like this with elevated privileges unless absolutely necessary.