BuildDocsReferenceGuidesBlog
Discord logo
Discord
GitHub logo

Intro

What is Bun?

Installation

Quickstart

TypeScript

Templating

bun init

bun create

Runtime

bun run

File types

TypeScript

JSX

Environment variables

Bun APIs

Web APIs

Node.js compatibility

Single-file executable

Plugins

Watch mode

Module resolution

Auto-install

bunfig.toml

Debugger

Framework APISOON

Package manager

bun install

bun add

bun remove

bun update

bun publish

bun outdated

bun link

bun pm

bun why

Global cache

Isolated installs

Workspaces

Catalogs

Lifecycle scripts

Filter

Lockfile

Scopes and registries

Overrides and resolutions

Patch dependencies

Audit dependencies

.npmrc support

Security Scanner API

Bundler

Bun.build

HTML & static sites

CSS

Fullstack Dev Server

Hot reloading

Loaders

Plugins

Macros

vs esbuild

Test runner

bun test

Writing tests

Watch mode

Lifecycle hooks

Mocks

Snapshots

Dates and times

Code coverage

Test reporters

Test configuration

Runtime behavior

Finding tests

DOM testing

Package runner

bunx

API

HTTP server

HTTP client

WebSockets

Workers

Binary data

Streams

SQL

S3 Object Storage

File I/O

Redis Client

import.meta

SQLite

FileSystemRouter

TCP sockets

UDP sockets

Globals

$ Shell

Child processes

YAML

HTMLRewriter

Hashing

Console

Cookie

FFI

C Compiler

Secrets

Testing

Utils

Node-API

Glob

DNS

Semver

Color

Transpiler

Project

Roadmap

Benchmarking

Contributing

Building Windows

Bindgen

License

Bun

Audit dependencies

bun audit checks your installed packages for known security vulnerabilities.

Run the command in a project with a bun.lock file:

bun audit

Bun sends the list of installed packages and versions to NPM, and prints a report of any vulnerabilities that were found. Packages installed from registries other than the default registry are skipped.

If no vulnerabilities are found, the command prints:

No vulnerabilities found

When vulnerabilities are detected, each affected package is listed along with the severity, a short description and a link to the advisory. At the end of the report Bun prints a summary and hints for updating:

3 vulnerabilities (1 high, 2 moderate)
To update all dependencies to the latest compatible versions:
  bun update
To update all dependencies to the latest versions (including breaking changes):
  bun update --latest

Filtering options

--audit-level=<low|moderate|high|critical> - Only show vulnerabilities at this severity level or higher:

bun audit --audit-level=high

--prod - Audit only production dependencies (excludes devDependencies):

bun audit --prod

--ignore <CVE> - Ignore specific CVEs (can be used multiple times):

bun audit --ignore CVE-2022-25883 --ignore CVE-2023-26136

--json

Use the --json flag to print the raw JSON response from the registry instead of the formatted report:

bun audit --json

Exit code

bun audit will exit with code 0 if no vulnerabilities are found and 1 if the report lists any vulnerabilities. This will still happen even if --json is passed.

Previous

Patch dependencies

Next

.npmrc support

GitHub logo

Edit on GitHub