bun (npm ecosystem)
Last updated July 17, 2026View source (v0.19.0)
Bomly uses this chain when it finds bun evidence.
| Property | Value |
|---|---|
| Package manager | bun |
| Ecosystem | npm |
| Detector chain | bun-detector, bun-native-detector, syft-detector |
| Evidence patterns | bun.lock, bun.lockb |
| Ignored directories | node_modules, dist |
| Ignored directory markers | - |
| Multi-module resolution | Yes |
| Install-first support | Yes |
| Native command hints | syft for bomly-lite |
How bun resolves
bun-detector parses committed text bun.lock files directly. Versions 0 and 1 are supported, including JSONC comments and trailing commas, workspaces, aliases, package tuple metadata, dependency groups, and duplicate package versions. No Bun installation or subprocess is required for this primary path.
| Detector | Position | Technique | Command |
|---|---|---|---|
bun-detector | Primary | Lockfile parser | None |
bun-native-detector | Fallback for installed or legacy projects | Build tool | bun pm ls --all |
syft-detector | Final fallback | Multiple | Embedded or external Syft |
Offline behavior
✅ Native bun.lock parsing is fully offline-safe. Download URLs in the lockfile are recorded as package provenance and are never fetched.
⚠️ When a text lockfile is unavailable, the Bun CLI fallback reads the installed package tree without fetching packages. It preserves nested edges, resolves workspace identities, and recovers unique direct dependencies from package.json; hoisted packages whose parent cannot be proven are retained with an unknown relationship. If Bun is unavailable or the project is not installed, the Syft fallback handles bun.lockb with reduced graph fidelity.
Requirements and migration
- Commit
bun.lockfor deterministic native scans. bun.lockbrepositories can migrate without installing dependencies:bun install --save-text-lockfile --frozen-lockfile --lockfile-only.- Install-first can run
bun installonly when explicitly requested; normal detection never installs dependencies.
Workspace behavior
Each entry in the lockfile's workspaces object becomes its own manifest-scoped graph. Workspace links point to application nodes and published packages remain distinct even when they share a display name with a workspace.
Limitations
- The unstable binary
bun.lockbformat is intentionally not decoded by core. bun pm ls --allexposes a hoisted installed tree. The CLI fallback preserves displayed child edges but does not invent parents for top-level transitives: unresolved parents remainunknownand still participate in matching, audit, policy, and output stages.- Registry metadata enrichment requires
--enrich; lockfile parsing itself performs no network calls.