bun audit checks your installed packages against the npm security advisory database and reports any known vulnerabilities. Run it in a project that has a bun.lock file:
bun audit
Bun sends the list of installed packages and their versions to the npm registry and prints a formatted report. Packages installed from registries other than the default npm registry are skipped.

Reading the output

If no vulnerabilities are found:
No vulnerabilities found
When vulnerabilities are detected, each affected package is listed with its severity, a description, and a link to the advisory:
lodash  4.17.20
  moderate  Prototype Pollution in lodash
  https://github.com/advisories/GHSA-jf85-cpcp-j695

3 vulnerabilities (1 high, 2 moderate)

To update all dependencies to the latest compatible versions:
  bun update
To update all dependencies to the latest versions (including breaking changes):
  bun update --latest

Exit code

bun audit exits with code 0 when no vulnerabilities are found, and 1 when any vulnerabilities are reported. This applies even when --json is used, making it easy to use in CI scripts.

Filtering by severity

Use --audit-level to only show vulnerabilities at or above a given severity:
bun audit --audit-level=low
bun audit --audit-level=moderate
bun audit --audit-level=high
bun audit --audit-level=critical
Severity levels from lowest to highest: low, moderate, high, critical.

Production-only audit

Use --prod to audit only production dependencies, excluding devDependencies:
bun audit --prod

Ignoring specific CVEs

Use --ignore to suppress specific CVEs. The flag can be repeated:
bun audit --ignore CVE-2022-25883 --ignore CVE-2023-26136

JSON output

Use --json to receive the raw JSON response from the registry instead of the formatted report:
bun audit --json
This is useful for piping output into other tools or writing custom audit scripts.
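A custom audit script of the kind mentioned above, added here as an example (not Bun's own code): it runs `bun audit --json --prod`, applies a severity threshold and a CVE ignore list in-script (the same policy the `--audit-level` and `--ignore` flags apply), and derives a CI exit status following the exit-code convention described earlier. The advisory field names (`url`, `title`, `severity`, `cve`) are assumed from the npm registry's bulk-advisory format, and the sample response is constructed.

```typescript
import { spawnSync } from "node:child_process";
// Assumed shape of the registry's bulk-advisory JSON that `bun audit --json` passes through:
// package name -> list of advisories. The field names are an assumption, not from this page.
type Severity = "low" | "moderate" | "high" | "critical";
interface Advisory { url: string; title: string; severity: Severity; cve?: string[] }
type AuditReport = Record<string, Advisory[]>;
const LEVELS: Severity[] = ["low", "moderate", "high", "critical"];

// Keep advisories at or above minLevel and drop any carrying an ignored CVE
// (the same policy as --audit-level and --ignore, applied in-script instead).
function filterAdvisories(report: AuditReport, minLevel: Severity, ignoreCves: string[] = []): AuditReport {
  const threshold = LEVELS.indexOf(minLevel);
  const ignored = new Set(ignoreCves);
  const out: AuditReport = {};
  for (const [pkg, advisories] of Object.entries(report)) {
    const kept = advisories.filter(
      (a) => LEVELS.indexOf(a.severity) >= threshold && !(a.cve ?? []).some((c) => ignored.has(c)),
    );
    if (kept.length > 0) out[pkg] = kept;
  }
  return out;
}

// Count remaining findings per severity, like the "3 vulnerabilities (1 high, 2 moderate)" summary.
function countBySeverity(report: AuditReport): Record<Severity, number> {
  const counts: Record<Severity, number> = { low: 0, moderate: 0, high: 0, critical: 0 };
  for (const list of Object.values(report)) for (const a of list) counts[a.severity]++;
  return counts;
}
// CI gate status, mirroring bun audit's own convention: 0 when nothing remains, otherwise 1.
function exitCodeFor(report: AuditReport): number {
  return Object.keys(report).length === 0 ? 0 : 1;
}

// Run the real command in the current project (assumes bun is on PATH). spawnSync does not
// throw on exit code 1, which bun audit returns whenever it reports something.
function runBunAudit(prod = true): AuditReport {
  const res = spawnSync("bun", ["audit", "--json", ...(prod ? ["--prod"] : [])], { encoding: "utf8" });
  if (res.error) throw res.error;
  return JSON.parse(res.stdout) as AuditReport;
}
// Constructed sample response (not real registry data). The lodash entry reuses the advisory
// shown on this page; the second package and its CVE pairing are made up for the demo.
const SAMPLE: AuditReport = {
  lodash: [{ url: "https://github.com/advisories/GHSA-jf85-cpcp-j695",
    title: "Prototype Pollution in lodash", severity: "moderate" }],
  "constructed-pkg": [{ url: "https://example.invalid/advisory", title: "Constructed high finding",
    severity: "high", cve: ["CVE-2022-25883"] }],
};
```

In CI, replace `SAMPLE` with `runBunAudit()` and call `process.exit(exitCodeFor(filtered))` after filtering.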
