Bun supports npm's "overrides" and Yarn's "resolutions" fields in package.json. Both let you force a version range on metadependencies, that is, the dependencies of your dependencies.
package.json
{
  "name": "my-app",
  "dependencies": {
    "foo": "^2.0.0"
  },
  "overrides": { 
    "bar": "~4.4.0"
  } 
}
By default, Bun installs the newest version of every dependency and metadependency that satisfies the range declared in the depending package's package.json. Say your project has one dependency, foo, which in turn depends on bar. That makes bar a metadependency of your project.
package.json
{
  "name": "my-app",
  "dependencies": {
    "foo": "^2.0.0"
  }
}
When you run bun install, Bun installs the newest version of each package that its declared range allows: here foo@2.1.0 (the newest release matching ^2.0.0), which in turn pulls in bar@4.5.6.
tree layout of node_modules
node_modules
├── foo@2.1.0
└── bar@4.5.6
If a security vulnerability is found in bar@4.5.6, you may want to pin bar to a version that doesn't have it, whether an older release or a newer patched one, without waiting for foo to update its own range. That's what "overrides" and "resolutions" are for. Keep in mind that the pin replaces the range foo declared for bar, so choose a version foo still works with, and run bun install afterwards so node_modules and the lockfile reflect the pin.

"overrides"

Add bar to the "overrides" field in package.json. Bun defers to the specified version range when determining which version of bar to install, whether it's a direct dependency or a metadependency.
Bun only supports top-level "overrides", not nested overrides. An override is keyed by package name and applies to every occurrence of that package in the tree; npm's nested form, which scopes an override to a single dependent (for example "foo": { "bar": "~4.4.0" }), is not supported.
package.json
{
  "name": "my-app",
  "dependencies": {
    "foo": "^2.0.0"
  },
  "overrides": { 
    "bar": "~4.4.0"
  } 
}

"resolutions"

"resolutions" is Yarn's alternative to "overrides", with similar syntax. Bun supports it to make migration from Yarn easier. As with "overrides", nested resolutions are not supported: Yarn's path-style keys that scope a resolution to one dependent (for example "foo/bar") are not recognized, only plain package names.
package.json
{
  "name": "my-app",
  "dependencies": {
    "foo": "^2.0.0"
  },
  "resolutions": { 
    "bar": "~4.4.0"
  } 
}
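Whichever field you use, two things are worth verifying after bun install: that the pinned package really landed at a version inside the pinned range (a stale node_modules will not), and that the pin still satisfies the range each dependent declared, since the override replaces that range rather than intersecting with it. The script below is an added example, not code from the Bun docs or the Bun project. It checks both "overrides" and "resolutions" against constructed stand-ins for the package.json files Bun would write under node_modules; the tree data is made up for the example, and the satisfies() helper deliberately handles only a small subset of semver ranges (*, exact, ^, ~, >=) rather than the full grammar.

```javascript
// Added example (not from the Bun docs): sanity-check "overrides"/"resolutions"
// against what is installed and against the ranges dependents declare.
// satisfies() covers a deliberately small subset of semver: "*", exact, "^", "~", ">=".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Pad "4.4" to "4.4.0" and "2" to "2.0.0" so short ranges parse like full triples.
function padVersion(s) {
  const parts = s.split(".");
  while (parts.length < 3) parts.push("0");
  return parts.join(".");
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === "*" || r === "") return true;
  const m = /^(\^|~|>=|)(\d+(?:\.\d+){0,2})$/.exec(r);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1];
  const base = parseVersion(padVersion(m[2]));
  if (cmp(v, base) < 0) return false; // every supported operator is a lower bound
  if (op === ">=") return true;
  if (op === "~") return v[0] === base[0] && v[1] === base[1]; // same major.minor
  if (op === "^") {
    if (base[0] > 0) return v[0] === base[0]; // same major
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1]; // ^0.x pins the minor
    return cmp(v, base) === 0; // ^0.0.x pins the patch
  }
  return cmp(v, base) === 0; // exact
}

// rootPkg: the project's package.json. installed: package name -> the package.json
// found at node_modules/<name> (here constructed inline instead of read from disk).
function checkOverrides(rootPkg, installed) {
  const pins = { ...(rootPkg.resolutions || {}), ...(rootPkg.overrides || {}) };
  const dependents = { [rootPkg.name]: rootPkg, ...installed };
  const findings = [];
  for (const [name, range] of Object.entries(pins)) {
    const pkg = installed[name];
    if (!pkg) {
      findings.push({ name, level: "warn", msg: `${name} is pinned but not installed` });
      continue;
    }
    // 1. Did the pin take effect? A stale node_modules still holds the old version.
    if (!satisfies(pkg.version, range)) {
      findings.push({ name, level: "error", msg: `${name}@${pkg.version} does not satisfy pin ${range}` });
    }
    // 2. Does the pinned version still fit what every dependent declared?
    for (const [depName, depPkg] of Object.entries(dependents)) {
      const declared = (depPkg.dependencies || {})[name];
      if (declared && !satisfies(pkg.version, declared)) {
        findings.push({
          name,
          level: "warn",
          msg: `${depName}@${depPkg.version} declares ${name}@${declared}, but the pin installed ${pkg.version}`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample data: the page's my-app with bar pinned to ~4.4.0.
const rootPkg = { name: "my-app", version: "1.0.0", dependencies: { foo: "^2.0.0" }, overrides: { bar: "~4.4.0" } };
// Healthy tree: foo accepts any 4.x, so 4.4.2 is fine.
const installedOk = {
  foo: { name: "foo", version: "2.1.0", dependencies: { bar: "^4.0.0" } },
  bar: { name: "bar", version: "4.4.2" },
};
// foo actually needs bar >= 4.5: the pin now violates foo's declared range.
const installedConflict = {
  foo: { name: "foo", version: "2.1.0", dependencies: { bar: "^4.5.0" } },
  bar: { name: "bar", version: "4.4.2" },
};
// bun install was never re-run: node_modules still holds the vulnerable 4.5.6.
const installedStale = {
  foo: { name: "foo", version: "2.1.0", dependencies: { bar: "^4.0.0" } },
  bar: { name: "bar", version: "4.5.6" },
};

console.log(checkOverrides(rootPkg, installedOk));
console.log(checkOverrides(rootPkg, installedConflict));
console.log(checkOverrides(rootPkg, installedStale));
```

To run this against a real project, replace the constructed objects with JSON.parse of ./package.json and of each node_modules/<name>/package.json; an "error" finding means the pin did not take effect, a "warn" finding means a dependent may break at runtime under the pinned version and the pin range should be revisited.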