bun-audit
Scan dependencies for known security vulnerabilities
TLDR
SYNOPSIS
bun audit [options]
DESCRIPTION
bun audit sends the list of installed packages and versions (resolved from bun.lock) to the npm registry and prints a report of any vulnerabilities returned. The registry cross-references the GitHub Advisory Database, so coverage matches what npm audit would report. The command categorizes findings by severity (low, moderate, high, critical) and covers direct dependencies, devDependencies, bundledDependencies, and optionalDependencies.
PARAMETERS
--audit-level=level
Only report vulnerabilities of this severity or higher. Values: low, moderate, high, critical.
--prod
Audit only production dependencies, ignoring devDependencies.
--ignore CVE
Ignore a specific CVE. Can be repeated to ignore multiple advisories.
--json
Print the raw JSON response from the npm registry instead of the formatted report.
EXIT STATUS
0
No vulnerabilities were found.
1
One or more vulnerabilities were reported.
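The --audit-level, --ignore and exit status rules above, re-applied in a small post-processing script for a --json report. This is an added example, not Bun's own code; it assumes the report is an object keyed by package name whose values are arrays of advisories with id, title, severity, vulnerable_versions and cve fields (modelled on the npm bulk advisory response), and every package name, id and CVE in it is a constructed placeholder.

```javascript
// Added example (not Bun's own code): re-applies the --audit-level / --ignore
// semantics and exit status described above to a report shaped like the output
// of `bun audit --json`. ASSUMPTION: the report is an object keyed by package
// name whose values are arrays of {id, title, severity, vulnerable_versions, cve},
// modelled on the npm bulk advisory response; all names, ids and CVEs are placeholders.
const SEVERITY_RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

const SAMPLE_REPORT = {
  "example-pkg-a": [
    { id: 900001, title: "placeholder advisory A", severity: "high",
      vulnerable_versions: "<1.3.1", cve: ["CVE-0000-00001"] },
  ],
  "example-pkg-b": [
    { id: 900002, title: "placeholder advisory B", severity: "low",
      vulnerable_versions: "<2.0.0", cve: [] },
    { id: 900003, title: "placeholder advisory C", severity: "critical",
      vulnerable_versions: ">=3.0.0 <3.2.4", cve: ["CVE-0000-00003"] },
  ],
};

// Returns { findings, counts, exitCode }: exitCode is 0 when nothing at or above
// auditLevel survives the ignore list, 1 otherwise (the EXIT STATUS rule above).
function evaluateReport(report, { auditLevel = "low", ignore = [] } = {}) {
  if (!(auditLevel in SEVERITY_RANK)) throw new Error(`bad --audit-level: ${auditLevel}`);
  const threshold = SEVERITY_RANK[auditLevel];
  const ignored = new Set(ignore);
  const counts = { low: 0, moderate: 0, high: 0, critical: 0, unknown: 0 };
  const findings = [];
  for (const [pkg, advisories] of Object.entries(report)) {
    for (const adv of advisories) {
      // --ignore CVE: drop an advisory only when one of its CVE ids was listed.
      if ((adv.cve ?? []).some((c) => ignored.has(c))) continue;
      const rank = SEVERITY_RANK[adv.severity];
      const severity = rank === undefined ? "unknown" : adv.severity;
      counts[severity] += 1;
      // An unrecognised severity is never filtered out: fail closed instead of
      // silently dropping an advisory whose rating cannot be interpreted.
      if (rank === undefined || rank >= threshold) {
        findings.push({ package: pkg, id: adv.id, severity, title: adv.title });
      }
    }
  }
  return { findings, counts, exitCode: findings.length > 0 ? 1 : 0 };
}

// Stand-alone run: a CI wrapper would exit with result.exitCode.
const result = evaluateReport(SAMPLE_REPORT, { auditLevel: "high", ignore: ["CVE-0000-00001"] });
for (const f of result.findings) console.log(`${f.severity.padEnd(8)} ${f.package} #${f.id} ${f.title}`);
console.log(`exit status: ${result.exitCode}`);
```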
CAVEATS
bun audit only reports known, published advisories. It does not detect zero-day exploits, malware, misconfigurations, or supply-chain attacks that have not yet been reported, so a clean audit does not guarantee security. It requires bun.lock to be present, so run bun install first. Unlike npm audit fix, bun audit currently has no automatic fix mode; you must bump versions manually.
HISTORY
bun audit was introduced in Bun v1.2.15 (mid 2025), providing npm audit-compatible security scanning for projects using the Bun package manager.
SEE ALSO
bun(1), bun-install(1), npm-audit(1), snyk(1)
