bun-audit

bun audit [options]

bun audit scans your project's dependencies defined in bun.lock for known security vulnerabilities. It queries the same vulnerability database used by npm audit (GitHub Advisory Database).
The command reports vulnerabilities categorized by severity: low, moderate, high, or critical. It checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies.

--json

Output results in JSON format

Minimum severity to report: low, moderate, high, or critical

Only audit production dependencies, ignoring devDependencies

Ignore a specific vulnerability by CVE ID (can be specified multiple times)

Only catches known, documented vulnerabilities. Does not detect zero-day exploits, malware, misconfigurations, or issues in deeply nested transitive dependencies. A clean audit report does not guarantee complete security. Requires a bun.lock file to be present.

bun audit was introduced in Bun v1.2.15, providing npm audit-compatible security scanning for Bun projects.

bun(1), bun-install(1), npm-audit(1)