bun-audit
Audit Bun dependencies for vulnerabilities
TLDR
    Audit all dependencies in a project with a bun.lock file:
        bun audit
    Show only vulnerabilities at or above a specific severity level
    Audit only production dependencies
    Ignore a specific CVE ID
    Output the raw JSON report:
        bun audit --json
SYNOPSIS
bun audit [--json] [--ignore <range>...] [--fix]
PARAMETERS
--json
    Output results in JSON format for scripting and CI integration.
--ignore <range>
    Ignore vulnerabilities matching the specified semver range (repeatable).
--fix
    Automatically apply fixes by updating vulnerable dependencies and the lockfile.
DESCRIPTION
bun audit scans your Bun project's dependencies for known security vulnerabilities.
It analyzes the bun.lockb lockfile and package.json to identify outdated or vulnerable packages using a comprehensive database of Common Vulnerabilities and Exposures (CVEs).
Similar to npm audit or yarn audit, it reports high, medium, and low severity issues with details like affected paths, severity, and suggested fixes.
The command is exceptionally fast due to Bun's optimized JavaScript runtime and bundling capabilities, often completing in milliseconds for large projects.
With --fix, it automatically updates vulnerable dependencies to patched versions, modifying package.json and regenerating the lockfile.
Output includes vulnerability summaries, and --json enables machine-readable JSON format for CI/CD integration.
Ideal for securing JavaScript/TypeScript projects managed by Bun, ensuring safe dependency usage in production environments.
CAVEATS
Requires Bun installation and a bun.lockb file; fixes may introduce breaking changes; uses npm-compatible vulnerability database which may lag on new advisories.
EXIT CODES
0: No vulnerabilities.
1: Vulnerabilities found.
EXAMPLES
    bun audit          # Basic scan
    bun audit --json   # JSON output
    bun audit --fix    # Auto-fix
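The DESCRIPTION and EXIT CODES sections above describe --json as the hook for CI/CD integration and a non-zero exit code as the signal that vulnerabilities were found. The script below, added here as an illustration and not part of the bun tool or its documentation, shows how a CI job can consume a saved `bun audit --json` report and fail only on findings at or above a chosen severity, while suppressing individually accepted CVE IDs. It assumes (this is not stated on this page) that the report is an object keyed by package name whose values are arrays of advisories carrying `severity`, `vulnerable_versions`, `title` and `cves` fields, in the style of the npm registry's bulk advisory response; the sample report embedded in the script is constructed so that it runs offline. Adjust the field names if the real report differs.

```javascript
// Added example (not bun's own code): gate a CI job on a saved
// `bun audit --json` report, e.g. `bun audit --json > audit.json`.
//
// ASSUMED report shape (not documented on this page): an object keyed by
// package name; each value is an array of advisories with `severity`,
// `vulnerable_versions`, `title` and `cves` (array of CVE IDs).

// Severity ordering used for the threshold comparison.
const SEVERITY_RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

// Constructed sample report so the script can run without a project.
// CVE IDs here are placeholders, not real advisories.
const SAMPLE_REPORT = JSON.stringify({
  "left-pad": [
    { title: "Sample low finding", severity: "low",
      vulnerable_versions: "<1.3.0", cves: [] },
  ],
  "example-lib": [
    { title: "Sample high finding", severity: "high",
      vulnerable_versions: "<2.0.1", cves: ["CVE-0000-00001"] },
    { title: "Sample critical finding", severity: "critical",
      vulnerable_versions: ">=3.0.0 <3.2.2", cves: ["CVE-0000-00002"] },
  ],
});

// Parse a raw JSON report and decide whether the build should fail.
//   minSeverity: lowest severity that blocks the build (low|moderate|high|critical)
//   ignoreCves:  CVE IDs that have been explicitly accepted
// Returns counts per severity (after ignores), the full finding list,
// the blocking subset, and the exit code a wrapper script should use
// (0 = nothing blocking, 1 = blocking vulnerabilities found).
function summarizeAudit(rawJson, { minSeverity = "low", ignoreCves = [] } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) {
    throw new Error(`unknown severity level: ${minSeverity}`);
  }
  const report = JSON.parse(rawJson);
  const ignored = new Set(ignoreCves);
  const counts = { low: 0, moderate: 0, high: 0, critical: 0 };
  const findings = [];

  for (const [pkg, advisories] of Object.entries(report)) {
    for (const adv of advisories) {
      const cves = Array.isArray(adv.cves) ? adv.cves : [];
      // Skip advisories whose CVE has been explicitly accepted.
      if (cves.some((id) => ignored.has(id))) continue;
      // Unknown severity strings are treated as critical: a report field
      // the script does not understand must not silently pass the gate.
      const severity = adv.severity in SEVERITY_RANK ? adv.severity : "critical";
      counts[severity] += 1;
      findings.push({
        pkg,
        severity,
        title: adv.title,
        vulnerableVersions: adv.vulnerable_versions,
        cves,
      });
    }
  }

  const blocking = findings.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return { counts, findings, blocking, exitCode: blocking.length > 0 ? 1 : 0 };
}

// Human-readable one-line-per-finding rendering for the CI log.
function formatBlocking(result) {
  return result.blocking
    .map((f) => `${f.severity.toUpperCase()} ${f.pkg} (${f.vulnerableVersions}): ${f.title}`)
    .join("\n");
}

// Demonstration on the constructed sample: fail on high or above, with
// one CVE accepted. A real wrapper would read the report from a file
// and call process.exit(result.exitCode).
const demo = summarizeAudit(SAMPLE_REPORT, {
  minSeverity: "high",
  ignoreCves: ["CVE-0000-00001"],
});
console.log(formatBlocking(demo));
console.log(`exit code: ${demo.exitCode}`);
```

Because ignored CVEs are removed before counting, the per-severity totals reflect only the findings the team still has to act on; the threshold is applied afterwards, so lowering it never hides a finding from the counts, only from the blocking set.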
HISTORY
Introduced in Bun v0.5.0 (September 2022) as part of Bun's all-in-one toolkit by Jarred Sumner. Evolved with Bun's rapid releases, adding --fix in v1.0+ for automated remediation, aligning with modern package manager standards.