Sign in Subscribe
By Buka Corner in Bun

PowerShell One-Liners for Installation: What Does irm bun.sh/install.ps1 | iex Really Do?

PowerShell One-Liners for Installation: What Does irm bun.sh/install.ps1 | iex Really Do?
Photo by Aaron Burden / Unsplash

If you’re familiar with command-line installation shortcuts, you might have come across commands like this one:

powershell -c "irm bun.sh/install.ps1 | iex"

At first glance, it’s a slick, efficient way to install software—but what’s really happening under the hood? This guide will break down this PowerShell one-liner, highlight some important security considerations, and explore a few additional points you may not have thought about. Let’s dive in!

Understanding the Command in Pieces

To get a full picture, let’s break down the command piece by piece.

  1. powershell -c
    This tells your system to run PowerShell in command mode (-c stands for "command"). PowerShell will then interpret whatever command follows the -c flag as if it were typed directly into a PowerShell terminal.
  2. irm (Short for Invoke-RestMethod)
    Invoke-RestMethod, or irm, is a PowerShell command used to make HTTP and HTTPS requests. When we write irm bun.sh/install.ps1, it’s essentially downloading a script file from https://bun.sh/install.ps1. Think of it like using curl or wget in Linux: irm fetches the file from the URL, which is then available to PowerShell as raw text.
  3. | iex (Short for Invoke-Expression)
    The pipe symbol (|) passes the output of one command as input to another. In this case, the output of irm bun.sh/install.ps1 is piped to iex, which stands for Invoke-Expression. Invoke-Expression runs any code it receives, meaning it will interpret the downloaded script as executable PowerShell code. So whatever is in install.ps1 will be executed immediately after it’s downloaded.

Why Use This Command?

The main appeal of using a command like this is simplicity. Instead of manually downloading and executing a script, a single line does it all—ideal for quick setups and installations. Developers often use this method to make installations frictionless, especially for open-source tools and smaller utilities.

Key Considerations: The Security Implications

While this one-liner is convenient, it’s also a security risk. By downloading and immediately executing a script from a remote URL, you’re essentially giving full control to whatever code is hosted at that URL. Here are a few points to keep in mind:

  • Trustworthiness of the Source
    Always verify that the source is reputable. For example, if the URL is from the official website or GitHub repository of a well-known tool, it’s generally safer than an obscure source. In this case, make sure bun.sh is a trusted domain before executing anything from it.
  • Review the Script Content
    Ideally, you should download and inspect scripts before running them. This extra step can help prevent malicious code from running on your system. Here’s how you could manually review the script:
irm https://bun.sh/install.ps1 -OutFile install.ps1
notepad install.ps1

After inspecting the script, you can run it using iex or directly in PowerShell.

  • Avoid Running as Admin Unless Necessary
    For most installations, you don’t need administrator privileges, so avoid running PowerShell as Administrator unless explicitly required by the installation instructions. Running as Admin opens the door for greater system access, which can be dangerous if the script has malicious intent.

Other Important Points to Consider

There are some other best practices and tips to keep in mind:

  • Network Security Tools and Restrictions
    Some organizations and networks restrict or monitor scripts executed over the internet. If you’re using this in a professional setting, be aware that this command might be flagged or blocked by security software, as it downloads and runs remote scripts.
  • PowerShell Execution Policies
    Windows has built-in execution policies that govern the types of scripts that can be run. For example, the Restricted policy prevents any script from running, while RemoteSigned allows only signed scripts to be executed. Running iex may sometimes bypass these policies, which can be both a benefit and a risk.You can check your current execution policy by running:
Get-ExecutionPolicy

And if necessary, you can adjust it temporarily with:

Set-ExecutionPolicy Bypass -Scope Process
  • PowerShell Version Compatibility
    Make sure you’re using a compatible version of PowerShell. Some commands, including Invoke-RestMethod, may not be available on older PowerShell versions (pre-PowerShell 3.0), so check your version if you encounter issues. You can check your PowerShell version with:
$PSVersionTable.PSVersion

Alternatives to iex Piping

If you want a bit more control, consider downloading the script and running it separately:

  1. Download the Script First
irm https://bun.sh/install.ps1 -OutFile install.ps1
  1. Review the Script
    Open install.ps1 in any text editor to inspect it.
  2. Run the Script
    Once you’ve confirmed it’s safe, execute it manually:
.\install.ps1

This approach is slightly longer but offers an extra layer of security by separating download and execution.

Finally: Balancing Convenience and Security

The one-liner powershell -c "irm bun.sh/install.ps1 | iex" provides a fast and efficient installation method for PowerShell users, especially when you’re installing trusted software. However, the convenience of downloading and executing a script directly comes with risks. Make sure you trust the source, inspect scripts when possible, and avoid running commands like this with elevated privileges unless absolutely necessary.

Support Us

Subscribe to Buka Corner

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]
Subscribe