bun publish – Package manager

Use bun publish to publish a package to the npm registry.

bun publish will automatically pack your package into a tarball, strip workspace protocols from the package.json (resolving versions if necessary), and publish to the registry specified in your configuration files. Both bunfig.toml and .npmrc files are supported.

## Publishing the package from the current working directory
bun publish

## Output
bun publish v1.2.6 (ca7428e9)

packed 203B package.json
packed 224B README.md
packed 30B index.ts
packed 0.64KB tsconfig.json

Total files: 4
Shasum: 79e2b4377b63f4de38dc7ea6e5e9dbee08311a69
Integrity: sha512-6QSNlDdSwyG/+[...]X6wXHriDWr6fA==
Unpacked size: 1.1KB
Packed size: 0.76KB
Tag: latest
Access: default
Registry: http://localhost:4873/

 + publish-1@1.0.0

Alternatively, you can pack and publish your package separately by using bun pm pack followed by bun publish with the path to the output tarball.

bun pm pack
...
bun publish ./package.tgz

Note - bun publish will not run lifecycle scripts (prepublishOnly/prepack/prepare/postpack/publish/postpublish) if a tarball path is provided. Scripts will only be run if the package is packed by bun publish.

`--access`

The --access flag can be used to set the access level of the package being published. The access level can be one of public or restricted. Unscoped packages are always public, and attempting to publish an unscoped package with --access restricted will result in an error.

bun publish --access public

--access can also be set in the publishConfig field of your package.json.

{
  "publishConfig": {
    "access": "restricted"
  }
}

`--tag`

Set the tag of the package version being published. By default, the tag is latest. The initial version of a package is always given the latest tag in addition to the specified tag.

bun publish --tag alpha

--tag can also be set in the publishConfig field of your package.json.

{
  "publishConfig": {
    "tag": "next"
  }
}

`--dry-run`

The --dry-run flag can be used to simulate the publish process without actually publishing the package. This is useful for verifying the contents of the published package without actually publishing the package.

bun publish --dry-run

`--gzip-level`

Specify the level of gzip compression to use when packing the package. Only applies to bun publish without a tarball path argument. Values range from 0 to 9 (default is 9).

CLI Usage

$bun publish dist

Flags

Configuration

-c,--config=<val>

Specify path to config file (bunfig.toml)

Dependency Management

-y,--yarn

Write a yarn.lock file (yarn v1)

-p,--production

Don't install devDependencies

--omit=<val>

Exclude 'dev', 'optional', or 'peer' dependencies from install

Lockfile Management

--no-save

Don't update package.json or save a lockfile

--save

Save to package.json (true by default)

--frozen-lockfile

Disallow changes to lockfile

--save-text-lockfile

Save a text-based lockfile

--lockfile-only

Generate a lockfile without installing dependencies

Security

--ca=<val>

Provide a Certificate Authority signing certificate

--cafile=<val>

The same as `--ca`, but is a file path to the certificate

Installation Behavior

--dry-run

Don't install anything

-f,--force

Always request the latest versions from the registry & reinstall all dependencies

--ignore-scripts

Skip lifecycle scripts in the project's package.json (dependency scripts are never run)

--trust

Add to trustedDependencies in the project's package.json and install the package(s)

-g,--global

Install globally

--cwd=<val>

Set a specific cwd

--backend=<val>

Platform-specific optimizations for installing dependencies. Possible values: "clonefile" (default), "hardlink", "symlink", "copyfile"

Caching

--cache-dir=<val>

Store & load cached data from a specific directory path

--no-cache

Ignore manifest cache entirely

Logging and Output

--silent

Don't log anything

--verbose

Excessively verbose logging

--no-progress

Disable the progress bar

--no-summary

Don't print a summary

--no-verify

Skip verifying integrity of newly downloaded packages

Registry

--registry=<val>

Use a specific registry by default, overriding .npmrc, bunfig.toml and environment variables

Performance

--concurrent-scripts=<val>

Maximum number of concurrent jobs for lifecycle scripts (default 5)

--network-concurrency=<val>

Maximum number of concurrent network requests (default 48)

Help and Usage

-h,--help

Print this help menu

Publishing

--access=<val>

Set access level for scoped packages

--tag=<val>

Tag the release. Default is "latest"

--otp=<val>

Provide a one-time password for authentication

--auth-type=<val>

Specify the type of one-time password authentication (default is 'web')

--gzip-level=<val>

Specify a custom compression level for gzip. Default is 9.

Examples

Display files that would be published, without publishing to the registry.

bun publish --dry-run

Publish the current package with public access.

bun publish --access public

Publish a pre-existing package tarball with tag 'next'.

bun publish --tag next ./path/to/tarball.tgz

`--auth-type`

If you have 2FA enabled for your npm account, bun publish will prompt you for a one-time password. This can be done through a browser or the CLI. The --auth-type flag can be used to tell the npm registry which method you prefer. The possible values are web and legacy, with web being the default.

bun publish --auth-type legacy
...
This operation requires a one-time password.
Enter OTP: 123456
...

`--otp`

Provide a one-time password directly to the CLI. If the password is valid, this will skip the extra prompt for a one-time password before publishing. Example usage:

bun publish --otp 123456

Note - bun publish respects the NPM_CONFIG_TOKEN environment variable which can be used when publishing in github actions or automated workflows.