bun-audit
Audit Bun dependencies for vulnerabilities
TLDR
Audit all dependencies in a project with a bun.lock file
Show only vulnerabilities at or above a specific severity level
Audit only production dependencies
Ignore a specific CVE ID
Output the raw JSON report
SYNOPSIS
bun audit [options]
PARAMETERS
--fix
Attempts to automatically resolve detected vulnerabilities by upgrading dependencies to non-vulnerable versions.
--production
Audits only production dependencies, ignoring development dependencies.
--development
Audits only development dependencies, ignoring production dependencies.
--json
Outputs the audit report in machine-readable JSON format.
--severity <level>
Filters the audit report to show vulnerabilities at or above the specified severity level (e.g., info, low, moderate, high, critical).
--dry-run
Shows what changes --fix would make without actually modifying bun.lockb or package.json.
--verbose
Provides more detailed output during the audit process.
--groups <group1>,<group2>
Audits only dependencies belonging to the specified groups.
--offline
Performs the audit without making network requests, relying on cached information.
--frozen
Prevents any modifications to the bun.lockb file during the audit or fix process.
DESCRIPTION
The bun audit command is an essential tool within the Bun JavaScript runtime ecosystem, designed to help developers identify and address security vulnerabilities in their project's dependencies.
When executed in a Bun project directory, it checks the installed packages listed in package.json and bun.lockb against known vulnerability databases. The command produces a report that details each detected issue and its severity, and usually suggests remedial actions such as upgrading the affected package to a patched version. Running it routinely is a cheap way to surface known flaws in third-party libraries before they reach production.
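A CI severity gate over the raw `bun audit --json` report, added here as an example and not part of Bun or of this page: it keeps only findings at or above a chosen level (the levels listed under --severity) and drops advisories tied to an ignored CVE ID, as in the TLDR item above. The report shape and field names (an object keyed by package name, with `id`, `title`, `severity` and `cves` per advisory) are assumptions modelled on the npm registry advisory format, and the sample report is constructed.

```javascript
// Added example, not Bun's own code. ASSUMED report shape: { "<pkg>": [advisory, ...] }
// with advisory fields id, title, severity, vulnerable_versions, cves. Adjust the
// accessors in gateReport() if your `bun audit --json` output differs.
const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Map a severity label to its position in the ordering; unknown labels are an error
// rather than silently passing the gate.
function severityRank(level) {
  const i = SEVERITY_ORDER.indexOf(String(level).toLowerCase());
  if (i < 0) throw new Error(`unknown severity level: ${level}`);
  return i;
}

// Constructed sample report (package names, ids and CVE numbers are placeholders).
const SAMPLE_REPORT = {
  "left-pad-ish": [
    { id: 1001, title: "ReDoS in pad()", severity: "moderate",
      vulnerable_versions: "<1.3.0", cves: ["CVE-0000-00001"] },
  ],
  "fake-yaml": [
    { id: 1002, title: "Prototype pollution", severity: "high",
      vulnerable_versions: "<4.1.0", cves: ["CVE-0000-00002"] },
    { id: 1003, title: "Verbose error message", severity: "low",
      vulnerable_versions: "<4.0.2", cves: [] },
  ],
};

// Return the findings at or above `minSeverity`, skipping advisories whose CVE list
// intersects `ignoredCves`. Highest severity is sorted first.
function gateReport(report, minSeverity, ignoredCves = []) {
  const threshold = severityRank(minSeverity);
  const ignored = new Set(ignoredCves);
  const findings = [];
  for (const [pkg, advisories] of Object.entries(report)) {
    for (const adv of advisories) {
      if ((adv.cves ?? []).some((c) => ignored.has(c))) continue;
      if (severityRank(adv.severity) < threshold) continue;
      findings.push({ pkg, id: adv.id, severity: adv.severity, title: adv.title });
    }
  }
  findings.sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
  return findings;
}

// Exit status a CI step would use: 0 when nothing crosses the threshold, 1 otherwise.
function exitCodeFor(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Demonstration on the constructed report: gate at "moderate", ignoring one CVE.
const hits = gateReport(SAMPLE_REPORT, "moderate", ["CVE-0000-00001"]);
for (const h of hits) console.log(`${h.severity.padEnd(8)} ${h.pkg} #${h.id}: ${h.title}`);
console.log(`exit code: ${exitCodeFor(hits)}`);
```

To use it on a real project, replace SAMPLE_REPORT with the parsed output of `bun audit --json` and call process.exit with the returned code from your pipeline script.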
CAVEATS
The bun audit command requires the Bun runtime to be installed and must be run within a directory containing a Bun project (indicated by package.json and bun.lockb). Its effectiveness depends on the coverage and freshness of the vulnerability databases it consults.
While --fix attempts to resolve issues automatically, it might upgrade packages to major versions, potentially introducing breaking changes that require manual review and testing.
HISTORY
As a relatively new but rapidly evolving JavaScript runtime, Bun, created by Jarred Sumner, aims to be an all-in-one toolkit for JavaScript and TypeScript development. The bun audit command was introduced as an integral part of Bun's feature set, mirroring the essential security auditing capabilities found in established package managers like npm and Yarn.
Its development reflects Bun's commitment to providing a complete and secure development experience from the outset, enabling developers to easily incorporate security best practices into their workflow with the same performance-oriented design characteristic of the broader Bun ecosystem.
SEE ALSO
npm-audit(1), yarn-audit(1), bun-install(1), bun-add(1)