bun audit checks your installed packages against the npm security advisory database and reports any known vulnerabilities. Run it in a project that has a bun.lock file:
bun audit
Bun sends the list of installed packages and their versions to the npm registry and prints a formatted report. Packages installed from registries other than the default npm registry are skipped, so the report does not cover them.

Reading the output

If no vulnerabilities are found:
No vulnerabilities found
When vulnerabilities are detected, each affected package is listed with its severity, a description, and a link to the advisory:
lodash  4.17.20
  moderate  Prototype Pollution in lodash
  https://github.com/advisories/GHSA-jf85-cpcp-j695

3 vulnerabilities (1 high, 2 moderate)

To update all dependencies to the latest compatible versions:
  bun update
To update all dependencies to the latest versions (including breaking changes):
  bun update --latest

Exit code

bun audit exits with code 0 when no vulnerabilities are found, and 1 when any vulnerabilities are reported. This applies even when --json is used, making it easy to use in CI scripts.

Filtering by severity

Use --audit-level to only show vulnerabilities at or above a given severity:
bun audit --audit-level=low
bun audit --audit-level=moderate
bun audit --audit-level=high
bun audit --audit-level=critical
Severity levels from lowest to highest: low, moderate, high, critical.

Production-only audit

Use --prod to audit only production dependencies, excluding devDependencies:
bun audit --prod

Ignoring specific CVEs

Use --ignore to suppress specific CVEs. The flag can be repeated:
bun audit --ignore CVE-2022-25883 --ignore CVE-2023-26136

JSON output

Use --json to receive the raw JSON response from the registry instead of the formatted report:
bun audit --json
This is useful for piping output into other tools or writing custom audit scripts.
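A custom audit script of that kind, as an added example (not code from the Bun documentation): it blocks on findings at or above a chosen severity and honors waivers that expire on a set date. It assumes the report has the shape of npm's bulk advisory response (package name mapped to an array of advisories with severity, title and url), so check that against real bun audit --json output first. The gate function, the waiver table and the example-http entries are hypothetical.

```javascript
// Added example: policy gate over a parsed `bun audit --json` report.
// ASSUMPTION: the report maps package name -> array of advisories, each with
// `severity`, `title` and `url` (the shape of npm's bulk advisory response).
const LEVELS = ["low", "moderate", "high", "critical"]; // order given on this page

// `gate` and the waiver table format are hypothetical, not part of Bun.
function gate(report, { minSeverity = "high", waivers = {}, today = new Date() } = {}) {
  const threshold = LEVELS.indexOf(minSeverity);
  if (threshold < 0) throw new Error(`unknown severity level: ${minSeverity}`);
  const blocking = [], waived = [], belowThreshold = [];
  for (const [pkg, advisories] of Object.entries(report)) {
    if (!Array.isArray(advisories)) throw new Error(`unexpected report shape for ${pkg}`);
    for (const adv of advisories) {
      const id = String(adv.url || "").split("/").pop(); // e.g. GHSA-jf85-cpcp-j695
      const finding = { pkg, id, severity: adv.severity, title: adv.title };
      const rank = LEVELS.indexOf(adv.severity); // -1 for an unrecognised severity
      const waiver = waivers[id];
      if (rank >= 0 && rank < threshold) {
        belowThreshold.push(finding);
      } else if (waiver && new Date(waiver.expires) >= today) {
        waived.push({ ...finding, reason: waiver.reason });
      } else {
        blocking.push(finding); // includes unknown severities and expired waivers
      }
    }
  }
  return { blocking, waived, belowThreshold, exitCode: blocking.length > 0 ? 1 : 0 };
}

// Constructed sample report: the lodash entry mirrors the output shown above,
// the `example-http` package and its advisory ids are placeholders.
const sample = {
  lodash: [{ severity: "moderate", title: "Prototype Pollution in lodash",
             url: "https://github.com/advisories/GHSA-jf85-cpcp-j695" }],
  "example-http": [
    { severity: "high", title: "constructed finding A",
      url: "https://example.invalid/advisories/GHSA-0000-0000-0001" },
    { severity: "critical", title: "constructed finding B",
      url: "https://example.invalid/advisories/GHSA-0000-0000-0002" },
  ],
};
const waivers = {
  "GHSA-0000-0000-0001": { reason: "not reachable; fix scheduled", expires: "2030-01-01" },
};

const result = gate(sample, { minSeverity: "high", waivers, today: new Date("2025-06-01") });
for (const f of result.blocking) console.log(`BLOCK ${f.severity} ${f.pkg} ${f.id}`);
console.log(`exit code would be ${result.exitCode}`);
```

Because bun audit itself exits with 1 whenever it reports anything, a CI step that feeds its JSON to a script like this has to tolerate that status and take the pass/fail decision from the script's own exit code.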