jarle/Bun bun publish
skills/bun-pm-cli-publish/SKILL.md
Use `bun publish` to publish a package to the npm registry
$ install --global
skillsauthnpx skillsauth add jarle/bun-skills Bun bun publishInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 2:52 AM13.6s1 file scanned
SKILL.md
- name:
- Bun bun publish
- description:
- Use `bun publish` to publish a package to the npm registry
bun publish
Use
bun publishto publish a package to the npm registry
bun publish will automatically pack your package into a tarball, strip catalog and workspace protocols from the package.json (resolving versions if necessary), and publish to the registry specified in your configuration files. Both bunfig.toml and .npmrc files are supported.
## Publishing the package from the current working directory
bun publish
bun publish v1.3.3 (ca7428e9)
packed 203B package.json
packed 224B README.md
packed 30B index.ts
packed 0.64KB tsconfig.json
Total files: 4
Shasum: 79e2b4377b63f4de38dc7ea6e5e9dbee08311a69
Integrity: sha512-6QSNlDdSwyG/+[...]X6wXHriDWr6fA==
Unpacked size: 1.1KB
Packed size: 0.76KB
Tag: latest
Access: default
Registry: http://localhost:4873/
+ [email protected]
Alternatively, you can pack and publish your package separately by using bun pm pack followed by bun publish with the path to the output tarball.
bun pm pack
...
bun publish ./package.tgz
--access
The --access flag can be used to set the access level of the package being published. The access level can be one of public or restricted. Unscoped packages are always public, and attempting to publish an unscoped package with --access restricted will result in an error.
bun publish --access public
--access can also be set in the publishConfig field of your package.json.
{
"publishConfig": {
"access": "restricted"
}
}
--tag
Set the tag of the package version being published. By default, the tag is latest. The initial version of a package is always given the latest tag in addition to the specified tag.
bun publish --tag alpha
--tag can also be set in the publishConfig field of your package.json.
{
"publishConfig": {
"tag": "next"
}
}
--dry-run
The --dry-run flag can be used to simulate the publish process without actually publishing the package. This is useful for verifying the contents of the published package without actually publishing the package.
bun publish --dry-run
--tolerate-republish
Exit with code 0 instead of 1 if the package version already exists. Useful in CI/CD where jobs may be re-run.
bun publish --tolerate-republish
--gzip-level
Specify the level of gzip compression to use when packing the package. Only applies to bun publish without a tarball path argument. Values range from 0 to 9 (default is 9).
--auth-type
If you have 2FA enabled for your npm account, bun publish will prompt you for a one-time password. This can be done through a browser or the CLI. The --auth-type flag can be used to tell the npm registry which method you prefer. The possible values are web and legacy, with web being the default.
bun publish --auth-type legacy
...
This operation requires a one-time password.
Enter OTP: 123456
...
--otp
Provide a one-time password directly to the CLI. If the password is valid, this will skip the extra prompt for a one-time password before publishing. Example usage:
bun publish --otp 123456
CLI Usage
bun publish dist
Publishing Options
<ParamField path="--access" type="string"> The `--access` flag can be used to set the access level of the package being published. The access level can be one of `public` or `restricted`. Unscoped packages are always public, and attempting to publish an unscoped package with `--access restricted` will result in an error.bun publish --access public
--access can also be set in the publishConfig field of your package.json.
{
"publishConfig": {
"access": "restricted" // [!code ++]
}
}
bun publish --tag alpha
--tag can also be set in the publishConfig field of your package.json.
{
"publishConfig": {
"tag": "next" // [!code ++]
}
}
bun publish --dry-run
bun publish --auth-type legacy
...
This operation requires a one-time password.
Enter OTP: 123456
...
bun publish --otp 123456
Registry Configuration
Custom Registry
<ParamField path="--registry" type="string"> Specify registry URL, overriding .npmrc and bunfig.toml </ParamField>bun publish --registry https://my-private-registry.com
SSL Certificates
<ParamField path="--ca" type="string"> Provide Certificate Authority signing certificate </ParamField> <ParamField path="--cafile" type="string"> Path to Certificate Authority certificate file </ParamField> <CodeGroup> ```bash Inline Certificate theme={"theme":{"light":"github-light","dark":"dracula"}} bun publish --ca "-----BEGIN CERTIFICATE-----..." ```bun publish --cafile ./ca-cert.pem
Publishing Options
Dependency Management
<ParamField path="-p, --production" type="boolean"> Don't install devDependencies </ParamField> <ParamField path="--omit" type="string"> Exclude dependency types: `dev`, `optional`, or `peer` </ParamField> <ParamField path="-f, --force" type="boolean"> Always request the latest versions from the registry & reinstall all dependencies </ParamField>Script Control
<ParamField path="--ignore-scripts" type="boolean"> Skip lifecycle scripts during packing and publishing </ParamField> <ParamField path="--trust" type="boolean"> Add packages to trustedDependencies and run their scripts </ParamField> <Note> **Lifecycle Scripts** — When providing a pre-built tarball, lifecycle scripts (prepublishOnly, prepack, etc.) are not executed. Scripts only run when Bun packs the package itself. </Note>File Management
<ParamField path="--no-save" type="boolean"> Don't update package.json or lockfile </ParamField> <ParamField path="--frozen-lockfile" type="boolean"> Disallow changes to lockfile </ParamField> <ParamField path="--yarn" type="boolean"> Generate yarn.lock file (yarn v1 compatible) </ParamField>Performance
<ParamField path="--backend" type="string"> Platform optimizations: `clonefile` (default), `hardlink`, `symlink`, or `copyfile` </ParamField> <ParamField path="--network-concurrency" type="number" default="48"> Maximum concurrent network requests </ParamField> <ParamField path="--concurrent-scripts" type="number" default="5"> Maximum concurrent lifecycle scripts </ParamField>Output Control
<ParamField path="--silent" type="boolean"> Suppress all output </ParamField> <ParamField path="--verbose" type="boolean"> Show detailed logging </ParamField> <ParamField path="--no-progress" type="boolean"> Hide progress bar </ParamField> <ParamField path="--no-summary" type="boolean"> Don't print publish summary </ParamField>Related Skills
jarle/Bun TypeScript
development
VerifiedTrustedCommunity
Using TypeScript with Bun, including type definitions and compiler options
1SKILL.mdUpdated Apr 6, 2026
jarle/Bun Writing tests
development
VerifiedTrustedCommunity
Learn how to write tests using Bun's Jest-compatible API with support for async tests, timeouts, and various test modifiers
1SKILL.mdUpdated Apr 6, 2026
jarle/Bun Snapshots
testing
VerifiedTrustedCommunity
Learn how to use snapshot testing in Bun to save and compare output between test runs
1SKILL.mdUpdated Apr 6, 2026
jarle/Bun Runtime behavior
testing
VerifiedTrustedCommunity
Learn about Bun test's runtime integration, environment variables, timeouts, and error handling
1SKILL.mdUpdated Apr 6, 2026