Skip to main content
Run the command in a project with a bun.lock file:
terminal
Bun sends the list of installed packages and versions to npm, and prints a report of any vulnerabilities found. Packages installed from registries other than the default registry are skipped. If no vulnerabilities are found, the command prints:
When vulnerabilities are detected, Bun lists each affected package with the severity, a short description, and a link to the advisory. At the end of the report it prints a summary and hints for updating:

Filtering options

--audit-level=<low|moderate|high|critical> - Only show vulnerabilities at this severity level or higher:
terminal
--prod - Audit only production dependencies (excludes devDependencies):
terminal
--ignore <CVE> - Ignore specific CVEs (repeat the flag to ignore several):
terminal

--json

Use the --json flag to print the raw JSON response from the registry instead of the formatted report:
terminal

Exit code

bun audit exits with code 0 if no vulnerabilities are found and 1 if the report lists any, including when --json is passed.