Package manager utilities and commands.
bun pm <command>

Commands

bun pm bin

Print the path to Bun’s bin directory.
$ bun pm bin
/home/user/.bun/install/global/bin
With -g flag, prints the global bin directory:
$ bun pm bin -g  
/home/user/.bun/install/global/bin

bun pm cache

Print the path to Bun’s cache directory.
$ bun pm cache
/home/user/.bun/install/cache
Delete the cache:
$ bun pm cache rm
Cleared 'bun install' cache
Cleared 12 cached 'bunx' packages

bun pm ls

List installed dependencies in a tree structure.
$ bun pm ls
/home/user/my-app node_modules (134)
├── [email protected]
├── [email protected]
└── [email protected]
Show all dependencies (including transitive):
$ bun pm ls --all
/home/user/my-app node_modules
├── [email protected]
   └── [email protected]
       └── [email protected]
├── [email protected]  
   ├── [email protected]
   └── [email protected]
└── [email protected]
Alias: bun list

bun pm hash

Generate and print the hash of the current lockfile.
$ bun pm hash
f3d8b2a1c4e5d6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1

bun pm hash-string

Print the string used to generate the lockfile hash.

bun pm hash-print

Print the hash stored in the current lockfile.
$ bun pm hash-print  
f3d8b2a1c4e5d6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1

bun pm migrate

Migrate from another package manager’s lockfile to bun.lockb.
$ bun pm migrate
Migrated from package-lock.json to bun.lockb
Supported lockfiles:
  • package-lock.json (npm)
  • yarn.lock (Yarn)
  • pnpm-lock.yaml (pnpm)
Force migration (overwrite existing bun.lockb):
bun pm migrate --force

bun pm pack

Create a tarball of the current workspace.
$ bun pm pack
packed 15 files (42.3 KB)
archive: my-package-1.0.0.tgz
See bun pack documentation for more details.

bun pm scan

Scan packages in the lockfile for security vulnerabilities.
$ bun pm scan
Scanning 134 packages for vulnerabilities...

Found 2 vulnerabilities:

┌─────────────────────────────────────────────────┐
 High Prototype Pollution
 Package lodash
 Patched >=4.17.21
└─────────────────────────────────────────────────┘

bun pm why

Show why a package is installed and what depends on it.
$ bun pm why lodash
[email protected]

Reasons for installation:
  my-app (package.json dependency)
    └─ [email protected]
       └─ [email protected]

bun pm whoami

Print the currently logged-in npm username.
$ bun pm whoami
my-npm-username
Alias: bun whoami

bun pm view

View package information from the registry.
$ bun pm view react
react@18.2.0 | MIT | deps: 1 | versions: 234
A JavaScript library for building user interfaces
https://reactjs.org/

keywords: react, framework, ui

dist
.tarball: https://registry.npmjs.org/react/-/react-18.2.0.tgz
.shasum: ...

dependencies:
loose-envify: ^1.1.0
View specific version:
bun pm view [email protected]
View specific field:
$ bun pm view react version
18.2.0

bun pm version

Bump the version in package.json and create a git tag.
$ bun pm version patch
v1.0.1
Increment types:
  • patch - 1.0.0 → 1.0.1
  • minor - 1.0.0 → 1.1.0
  • major - 1.0.0 → 2.0.0
  • prepatch - 1.0.0 → 1.0.1-0
  • preminor - 1.0.0 → 1.1.0-0
  • premajor - 1.0.0 → 2.0.0-0
  • prerelease - 1.0.0 → 1.0.1-0 or 1.0.1-0 → 1.0.1-1
Or specify exact version:
bun pm version 2.0.0

bun pm pkg

Manage fields in package.json.

Get field

$ bun pm pkg get name
my-package

$ bun pm pkg get name version
my-package 1.0.0

Set field

$ bun pm pkg set description="My awesome package"

$ bun pm pkg set scripts.build="bun build ./src/index.ts"

Delete field

$ bun pm pkg delete scripts.old-script

Fix common errors

$ bun pm pkg fix
Fixed 3 issues in package.json:
  - Sorted dependencies
  - Removed duplicate keywords  
  - Fixed invalid version format

bun pm untrusted

Print current untrusted dependencies with scripts.
$ bun pm untrusted
The following dependencies have install scripts but are not trusted:
  - [email protected]
  - [email protected]

To trust them, run:
  bun pm trust puppeteer electron

bun pm trust

Trust dependencies and allow their install scripts to run.
$ bun pm trust puppeteer esbuild
Trusted dependencies:
  - puppeteer
  - esbuild

Updated trustedDependencies in package.json
Trust all untrusted dependencies, allowing every currently blocked install script to run:
bun pm trust --all
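
A review check for the trustedDependencies field that bun pm trust updates, as an added example (not part of Bun or its documentation): it flags trusted names that are missing from a team allowlist or that package.json does not declare. The allowlist, the sample package.json and the function names are assumptions constructed for illustration.

```javascript
// Added example: review check for package.json "trustedDependencies".
// APPROVED, SAMPLE_PACKAGE_JSON and auditTrustedDependencies are
// hypothetical names constructed for illustration.

const APPROVED = new Set(["esbuild", "sharp"]); // assumed team allowlist

// Constructed sample input, not taken from a real project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "my-app",
  dependencies: { sharp: "^0.33.0", puppeteer: "^22.0.0" },
  devDependencies: { esbuild: "^0.21.0" },
  trustedDependencies: ["esbuild", "puppeteer", "left-over-pkg", "sharp"],
});

const DEP_FIELDS = [
  "dependencies", "devDependencies", "optionalDependencies", "peerDependencies",
];

// Returns one finding per problem: a trusted name that is not approved,
// or one that package.json does not declare (a transitive or stale entry
// worth checking with `bun pm why <name>`).
function auditTrustedDependencies(packageJsonText, approved) {
  const pkg = JSON.parse(packageJsonText);
  const trusted = pkg.trustedDependencies ?? [];
  if (!Array.isArray(trusted) || trusted.some((n) => typeof n !== "string")) {
    throw new TypeError("trustedDependencies must be an array of names");
  }
  const declared = new Set(
    DEP_FIELDS.flatMap((field) => Object.keys(pkg[field] ?? {}))
  );
  const findings = [];
  for (const name of new Set(trusted)) { // ignore duplicate entries
    if (!approved.has(name)) findings.push({ name, issue: "not-approved" });
    if (!declared.has(name)) findings.push({ name, issue: "not-declared" });
  }
  return findings;
}

// Report form a CI step could print; a non-empty result should fail review.
function formatFindings(findings) {
  return findings.map((f) => `${f.name}: ${f.issue}`).join("\n");
}
```

Running this on the package.json diff of a pull request shows which install scripts a change would newly allow, which matters most after bun pm trust --all.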

bun pm default-trusted

Print the default list of trusted dependencies.
$ bun pm default-trusted
Default trusted dependencies:
  @biomejs/biome
  esbuild
  msgpackr-extract
  puppeteer
  sharp
  [... more packages]

Global flags

These flags work with most bun pm commands:

--json

Output in JSON format (where applicable).
$ bun pm view react --json
{"name":"react","version":"18.2.0",...}

--verbose

Enable verbose logging.
bun pm migrate --verbose

--silent

Suppress output except errors.
bun pm cache rm --silent

Examples

Check package manager health

# Verify lockfile integrity
bun pm hash

# Check for security issues
bun pm scan

# List all dependencies
bun pm ls --all

Clean workspace

# Clear cache
bun pm cache rm

# Regenerate lockfile
rm bun.lockb
bun install

Inspect dependencies

# Why is this package installed?
bun pm why lodash

# View package details
bun pm view lodash

# List dependency tree
bun pm ls --all
