Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

secondsky/bun-package-manager

Name: bun-package-manager
Author: secondsky

plugins/bun/skills/bun-package-manager/SKILL.md

npx skillsauth add secondsky/claude-skills bun-package-manager

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Bun Package Manager

Bun's package manager is a dramatically faster replacement for npm, yarn, and pnpm. Up to 25x faster than npm install.

Quick Start

# Install all dependencies
bun install

# Add packages
bun add react react-dom
bun add -D typescript @types/react

# Remove packages
bun remove lodash

# Update packages
bun update

# Run package binaries
bunx create-next-app

Core Commands

| Command | Description | |---------|-------------| | bun install | Install all dependencies | | bun add <pkg> | Add dependency | | bun add -D <pkg> | Add dev dependency | | bun add -O <pkg> | Add optional dependency | | bun add --peer <pkg> | Add peer dependency | | bun remove <pkg> | Remove dependency | | bun update [pkg] | Update dependencies | | bunx <pkg> | Run package binary | | bun pm cache rm | Clear cache |

Installation Flags

# Production mode (no devDependencies)
bun install --production

# Frozen lockfile (CI/CD)
bun install --frozen-lockfile
bun ci  # shorthand

# Dry run
bun install --dry-run

# Verbose/Silent
bun install --verbose
bun install --silent

# Force reinstall
bun install --force

# Global packages
bun install -g cowsay

Lockfile

Bun uses bun.lock (text-based since v1.2):

# Generate text lockfile
bun install --save-text-lockfile

# Upgrade from binary bun.lockb
bun install --save-text-lockfile --frozen-lockfile --lockfile-only
rm bun.lockb

Workspaces (Monorepos)

{
  "name": "my-monorepo",
  "workspaces": ["packages/*", "apps/*"]
}

Run commands across workspaces:

# Run in matching packages
bun run --filter 'pkg-*' build

# Run in all workspaces
bun run --filter '*' test

# Install for specific packages
bun install --filter 'pkg-a'

Lifecycle Scripts

Bun does not run lifecycle scripts from dependencies by default (security). Whitelist trusted packages:

{
  "trustedDependencies": ["my-trusted-package"]
}

# Skip all lifecycle scripts
bun install --ignore-scripts

# Concurrent scripts
bun install --concurrent-scripts 5

Overrides & Resolutions

Force specific versions for nested dependencies:

{
  "overrides": {
    "lodash": "4.17.21"
  }
}

Yarn-style resolutions also supported:

{
  "resolutions": {
    "lodash": "4.17.21"
  }
}

Non-npm Dependencies

{
  "dependencies": {
    "dayjs": "git+https://github.com/iamkun/dayjs.git",
    "lodash": "git+ssh://github.com/lodash/lodash.git#4.17.21",
    "zod": "github:colinhacks/zod",
    "react": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
    "bun-types": "npm:@types/bun"
  }
}

Installation Strategies

Hoisted (default for single packages)

Traditional flat node_modules:

bun install --linker hoisted

Isolated (default for workspaces)

pnpm-like strict isolation:

bun install --linker isolated

Isolated prevents "phantom dependencies" - packages can only access declared dependencies.

CI/CD

# GitHub Actions
- uses: oven-sh/setup-bun@v2
- run: bun ci  # frozen lockfile

Platform-Specific

# Install for different platform
bun install --cpu=x64 --os=linux

Secure Installation

When installing packages, follow supply chain security best practices:

Block post-install scripts — Bun disables them by default; allow specific packages via trustedDependencies in package.json
Cooldown period — Configure minimumReleaseAge in bunfig.toml to wait 7 days for new versions
Audit before installing — Run socket package score npm <pkg> or use socket npm install <pkg> to check packages before they reach your project

Load the dependency-upgrade skill for full security configuration including Socket CLI integration, cooldown setup, lockfile validation, and CI enforcement.

Common Errors

| Error | Cause | Fix | |-------|-------|-----| | Cannot find module | Missing dependency | Run bun install | | Lockfile mismatch | package.json changed | Run bun install | | Peer dependency | Missing peer | bun add the peer | | Lifecycle script failed | Untrusted package | Add to trustedDependencies |

Migration from Other Package Managers

From pnpm

Bun automatically migrates pnpm-lock.yaml:

bun install  # Auto-converts to bun.lock

Workspace config moves to package.json:

{
  "workspaces": {
    "packages": ["apps/*", "packages/*"],
    "catalog": {
      "react": "^18.0.0"
    }
  }
}

From npm/Yarn

Simply run bun install - Bun reads package-lock.json and yarn.lock.

When to Load References

Load references/cli-commands.md when:

Need complete CLI flag reference
Working with advanced options

Load references/workspaces.md when:

Setting up monorepos
Configuring workspace filters

Load references/migration.md when:

Migrating from npm/yarn/pnpm
Converting lockfiles

secondsky/bun-package-manager

plugins/bun/skills/bun-package-manager/SKILL.md

Bun package manager commands (install, add, remove, update), workspaces, lockfiles, npm/yarn/pnpm migration. Use for dependency management with Bun.

144 stars

databases

Updated May 15, 2026

$ install --global

skillsauth

npx skillsauth add secondsky/claude-skills bun-package-manager

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 15, 2026, 4:26 AM11.4s2 files scanned

SKILL.md

name:: bun-package-manager
description:: Bun package manager commands (install, add, remove, update), workspaces, lockfiles, npm/yarn/pnpm migration. Use for dependency management with Bun.
license:: MIT

Bun Package Manager

Bun's package manager is a dramatically faster replacement for npm, yarn, and pnpm. Up to 25x faster than npm install.

Quick Start

# Install all dependencies
bun install

# Add packages
bun add react react-dom
bun add -D typescript @types/react

# Remove packages
bun remove lodash

# Update packages
bun update

# Run package binaries
bunx create-next-app

Core Commands

Installation Flags

# Production mode (no devDependencies)
bun install --production

# Frozen lockfile (CI/CD)
bun install --frozen-lockfile
bun ci  # shorthand

# Dry run
bun install --dry-run

# Verbose/Silent
bun install --verbose
bun install --silent

# Force reinstall
bun install --force

# Global packages
bun install -g cowsay

Lockfile

Bun uses bun.lock (text-based since v1.2):

# Generate text lockfile
bun install --save-text-lockfile

# Upgrade from binary bun.lockb
bun install --save-text-lockfile --frozen-lockfile --lockfile-only
rm bun.lockb

Workspaces (Monorepos)

{
  "name": "my-monorepo",
  "workspaces": ["packages/*", "apps/*"]
}

Run commands across workspaces:

# Run in matching packages
bun run --filter 'pkg-*' build

# Run in all workspaces
bun run --filter '*' test

# Install for specific packages
bun install --filter 'pkg-a'

Lifecycle Scripts

Bun does not run lifecycle scripts from dependencies by default (security). Whitelist trusted packages:

{
  "trustedDependencies": ["my-trusted-package"]
}

# Skip all lifecycle scripts
bun install --ignore-scripts

# Concurrent scripts
bun install --concurrent-scripts 5

Overrides & Resolutions

Force specific versions for nested dependencies:

{
  "overrides": {
    "lodash": "4.17.21"
  }
}

Yarn-style resolutions also supported:

{
  "resolutions": {
    "lodash": "4.17.21"
  }
}

Non-npm Dependencies

{
  "dependencies": {
    "dayjs": "git+https://github.com/iamkun/dayjs.git",
    "lodash": "git+ssh://github.com/lodash/lodash.git#4.17.21",
    "zod": "github:colinhacks/zod",
    "react": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
    "bun-types": "npm:@types/bun"
  }
}

Installation Strategies

Hoisted (default for single packages)

Traditional flat node_modules:

bun install --linker hoisted

Isolated (default for workspaces)

pnpm-like strict isolation:

bun install --linker isolated

Isolated prevents "phantom dependencies" - packages can only access declared dependencies.

CI/CD

# GitHub Actions
- uses: oven-sh/setup-bun@v2
- run: bun ci  # frozen lockfile

Platform-Specific

# Install for different platform
bun install --cpu=x64 --os=linux

Secure Installation

When installing packages, follow supply chain security best practices:

Block post-install scripts — Bun disables them by default; allow specific packages via trustedDependencies in package.json
Cooldown period — Configure minimumReleaseAge in bunfig.toml to wait 7 days for new versions
Audit before installing — Run socket package score npm <pkg> or use socket npm install <pkg> to check packages before they reach your project

Load the dependency-upgrade skill for full security configuration including Socket CLI integration, cooldown setup, lockfile validation, and CI enforcement.

Common Errors

Migration from Other Package Managers

From pnpm

Bun automatically migrates pnpm-lock.yaml:

bun install  # Auto-converts to bun.lock

Workspace config moves to package.json:

{
  "workspaces": {
    "packages": ["apps/*", "packages/*"],
    "catalog": {
      "react": "^18.0.0"
    }
  }
}

From npm/Yarn

Simply run bun install - Bun reads package-lock.json and yarn.lock.

When to Load References

Load references/cli-commands.md when:

Need complete CLI flag reference
Working with advanced options

Load references/workspaces.md when:

Setting up monorepos
Configuring workspace filters

Load references/migration.md when:

Migrating from npm/yarn/pnpm
Converting lockfiles

Related Skills

secondsky/bun-runtime

tools

VerifiedTrustedCommunity

Use for Bun runtime, bunfig.toml, watch/hot modes, env vars, CLI flags, and module resolution.

144SKILL.mdUpdated May 15, 2026

secondsky/bun-runtime

secondsky/bun-redis

data-ai

VerifiedTrustedCommunity

Use when working with Redis in Bun (ioredis, Upstash), caching, pub/sub, session storage, or key-value operations.

144SKILL.mdUpdated May 15, 2026

secondsky/bun-react-ssr

development

VerifiedTrustedCommunity

Use when building server-rendered React with Bun, including streaming SSR, hydration, renderToString, or custom SSR without a framework.

144SKILL.mdUpdated May 15, 2026

secondsky/bun-react-ssr

secondsky/bun-nuxt

development

VerifiedTrustedCommunity

Use when running Nuxt 3 with Bun runtime, building Vue/Nuxt apps with Bun, or configuring Nuxt projects to use Bun for development and production.

144SKILL.mdUpdated May 15, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/secondsky/claude-skills.git

# Copy into Claude Code skills folder (global)
cp -r claude-skills/plugins/bun/skills/bun-package-manager ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

secondsky/claude-skills

144 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT