jarle/Bun Overrides and resolutions
skills/bun-pm-overrides/SKILL.md
Control metadependency versions with npm overrides and Yarn resolutions
$ install --global
skillsauthnpx skillsauth add jarle/bun-skills Bun Overrides and resolutionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 2:53 AM22.1s1 file scanned
SKILL.md
- name:
- Bun Overrides and resolutions
- description:
- Control metadependency versions with npm overrides and Yarn resolutions
Overrides and resolutions
Control metadependency versions with npm overrides and Yarn resolutions
Bun supports npm's "overrides" and Yarn's "resolutions" in package.json. These are mechanisms for specifying a version range for metadependencies—the dependencies of your dependencies.
{
"name": "my-app",
"dependencies": {
"foo": "^2.0.0"
},
"overrides": { // [!code ++]
"bar": "~4.4.0" // [!code ++]
} // [!code ++]
}
By default, Bun will install the latest version of all dependencies and metadependencies, according to the ranges specified in each package's package.json. Let's say you have a project with one dependency, foo, which in turn has a dependency on bar. This means bar is a metadependency of our project.
{
"name": "my-app",
"dependencies": {
"foo": "^2.0.0"
}
}
When you run bun install, Bun will install the latest versions of each package.
node_modules
├── [email protected]
└── [email protected]
But what if a security vulnerability was introduced in [email protected]? We may want a way to pin bar to an older version that doesn't have the vulnerability. This is where "overrides"/"resolutions" come in.
"overrides"
Add bar to the "overrides" field in package.json. Bun will defer to the specified version range when determining which version of bar to install, whether it's a dependency or a metadependency.
{
"name": "my-app",
"dependencies": {
"foo": "^2.0.0"
},
"overrides": { // [!code ++]
"bar": "~4.4.0" // [!code ++]
} // [!code ++]
}
"resolutions"
The syntax is similar for "resolutions", which is Yarn's alternative to "overrides". Bun supports this feature to make migration from Yarn easier.
As with "overrides", nested resolutions are not currently supported.
{
"name": "my-app",
"dependencies": {
"foo": "^2.0.0"
},
"resolutions": { // [!code ++]
"bar": "~4.4.0" // [!code ++]
} // [!code ++]
}
Related Skills
jarle/Bun TypeScript
development
VerifiedTrustedCommunity
Using TypeScript with Bun, including type definitions and compiler options
1SKILL.mdUpdated Apr 6, 2026
jarle/Bun Writing tests
development
VerifiedTrustedCommunity
Learn how to write tests using Bun's Jest-compatible API with support for async tests, timeouts, and various test modifiers
1SKILL.mdUpdated Apr 6, 2026
jarle/Bun Snapshots
testing
VerifiedTrustedCommunity
Learn how to use snapshot testing in Bun to save and compare output between test runs
1SKILL.mdUpdated Apr 6, 2026
jarle/Bun Runtime behavior
testing
VerifiedTrustedCommunity
Learn about Bun test's runtime integration, environment variables, timeouts, and error handling
1SKILL.mdUpdated Apr 6, 2026