Socket Integrates With Bun 1.3’s Security Scanner API

Socket now integrates with Bun 1.3’s Security Scanner API to block risky packages at install time and enforce your organization’s policies in local dev and CI.

Ahmad Nassri

Bradley Meck Farias

October 10, 2025

Socket’s Bun Security Scanner launches today as an official integration for Bun 1.3. It plugs directly into Bun’s package installation process, protecting projects from malicious packages, typosquatting, and other supply chain attacks. With this release, developers can enable real-time security checks during bun add or bun install and optionally connect their organization’s Socket account for policy enforcement across local dev and CI.

Native Supply Chain Protection in Bun 1.3

Dependency installs are one of the most common entry points for supply chain attacks. Bun 1.3’s new Security Scanner API lets the package manager call out to trusted security providers before dependencies are installed. Socket’s integration brings its threat intelligence and policy engine directly into Bun, helping developers catch risks early and giving security teams consistent enforcement across environments.

"Safe package management needs to be a first-class feature of the package manager itself," the Bun team said. "With the Bun Security Scanner API, developers get built-in checks during install. We’re excited to be working with industry leaders like Socket to launch this new API."

How the Bun Security Scanner API Works

When a security provider is configured, Bun:

  • Scans dependencies before installation
  • Surfaces advisory results inline
  • Stops the install on fatal issues
  • Prompts or fails on warn depending on whether the environment is interactive (local dev) or non-interactive (CI)

This standard behavior ensures predictable results for all scanners and consistent outcomes between local installs and automated pipelines.

Socket as a Bun Security Provider

The @socketsecurity/bun-security-scanner package uses Socket’s real-time threat analysis to detect malware, typosquatting, and other suspicious behavior before dependencies are written to disk.

Key features include:

  • Real-time scanning: Every dependency install is analyzed instantly.
  • Optimized batching: Parallel scanning for speed.
  • Flexible modes: Use Socket without authentication for public scanning, or connect your Socket account to apply organization policies automatically.
  • Deterministic outcomes: Non-interactive environments fail on warn and fatal advisories to prevent risky dependencies in CI.

This gives developers instant visibility into supply chain threats and helps prevent unsafe packages from ever entering their projects.
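To make the advisory flow concrete, here is an added example of a minimal scanner written in the module shape that Bun 1.3’s Security Scanner API expects as described in Bun’s documentation: an object with version "1" and an async scan({ packages }) method that returns advisories, each carrying a level of fatal or warn. This is illustrative code, not Socket’s scanner and not Bun’s own code; the exact field names are taken from Bun’s docs as an assumption, and the blocklist, the list of popular package names and the sample packages are all constructed. The installOutcome function encodes the behavior listed above: a fatal advisory always stops the install, a warn advisory prompts in an interactive shell and fails in a non-interactive (CI) run.

```typescript
// Added example: a minimal Bun-style security scanner plus the install
// outcome rule. Not Socket's scanner; API shape assumed from Bun's docs.

interface PackageToScan {
  name: string;
  version: string;
  requestedRange: string;
  tarball: string;
}

interface Advisory {
  level: "fatal" | "warn";
  package: string;
  url: string | null;
  description: string | null;
}

// Constructed stand-ins for a threat feed and a list of popular names that a
// typosquat would imitate. A real provider queries its own intelligence.
const KNOWN_MALICIOUS = new Set(["evil-example-pkg@1.0.0"]);
const POPULAR = ["lodash", "express", "react", "axios"];

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a: string, b: string): number {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// A name exactly one edit away from a popular package (but not equal to it)
// is treated as a possible typosquat; returns the imitated name or null.
function typosquatTarget(name: string): string | null {
  for (const popular of POPULAR) {
    if (name !== popular && editDistance(name, popular) === 1) return popular;
  }
  return null;
}

// Synchronous core so the logic can be exercised without awaiting.
function scanPackages(packages: PackageToScan[]): Advisory[] {
  const advisories: Advisory[] = [];
  for (const pkg of packages) {
    if (KNOWN_MALICIOUS.has(`${pkg.name}@${pkg.version}`)) {
      advisories.push({ level: "fatal", package: pkg.name, url: null,
        description: `known malicious release ${pkg.version}` });
      continue;
    }
    const target = typosquatTarget(pkg.name);
    if (target !== null) {
      advisories.push({ level: "warn", package: pkg.name, url: null,
        description: `name is one edit away from "${target}"; possible typosquat` });
    }
  }
  return advisories;
}

// The object a scanner module would export for Bun to call (shape assumed).
const scanner = {
  version: "1",
  async scan({ packages }: { packages: PackageToScan[] }): Promise<Advisory[]> {
    return scanPackages(packages);
  },
};

// Outcome rule from the post: fatal stops the install; warn prompts when the
// session is interactive and fails when it is not (CI).
type Outcome = "proceed" | "prompt" | "fail";
function installOutcome(advisories: Advisory[], interactive: boolean): Outcome {
  if (advisories.some((a) => a.level === "fatal")) return "fail";
  if (advisories.some((a) => a.level === "warn")) return interactive ? "prompt" : "fail";
  return "proceed";
}
```

The scanner only sees package names, versions and tarball URLs, so anything it decides has to come from intelligence it already holds or fetches; the typosquat heuristic above is deliberately simple and would need a far larger name list and real telemetry to be useful in practice.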

Getting Started

1. Install the Socket scanner

bun add -d @socketsecurity/bun-security-scanner

2. Configure Bun to use Socket in bunfig.toml

[install.security]
scanner = "@socketsecurity/bun-security-scanner"

3. (Optional) Use your organization settings

Export your Socket API key so the scanner can inherit your organization’s policies:

export SOCKET_API_KEY="your-api-key"
bun install

The scanner will automatically read your key from either the SOCKET_API_KEY environment variable or your Socket CLI settings file, if available. Without a key, it runs in free mode using Socket’s public API.

Benefits for Teams

For developers

  • Simple one-line configuration in bunfig.toml
  • Fast, inline feedback during dependency installs
  • Contextual advisories that explain what’s risky and why

For security teams

  • Consistent organization policy in local dev and CI
  • Ability to block known threats at install time
  • Reduced drift between developer and CI environments

With this integration, Socket brings its supply chain protection directly into Bun’s workflow. Whether you’re adding new dependencies locally or running builds in CI, you can now stop risky packages before they ever reach your codebase. The scanner is open source on GitHub at SocketDev/bun-security-scanner.

Bun 1.3 Adds New Minimum Release Age Setting

Bun 1.3 is a massive release packed with improvements across the runtime, package manager, and tooling. One new feature developers focused on supply chain security will appreciate is the minimumReleaseAge setting, which lets you block freshly published packages until they’ve been public for a set period of time, reducing exposure to malicious uploads. This is similar to the feature pnpm recently added for delayed dependency updates.

To enable it, add the following to your bunfig.toml:

[install]
minimumReleaseAge = 604800 # 7 days in seconds

This tells Bun to only install packages that have been published for at least 7 days. (Right now the value is in seconds, but the Bun team noted future support for time units like 2d.)
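As an added illustration of what the setting does during version resolution (not Bun’s implementation), the snippet below picks the newest version of a package whose publish time is at least minimumReleaseAge seconds in the past. The registry timestamps, the package versions and the clock value are constructed; the function takes the current time as a parameter so the rule can be checked without depending on the real clock.

```typescript
// Added example of the minimum-release-age rule. Illustrative only; the
// registry data is constructed and the version comparison handles plain
// major.minor.patch strings, not pre-release tags.

const SEVEN_DAYS = 604800; // seconds, the value used in bunfig.toml above

// Constructed stand-in for a registry's version -> publish time map.
const PUBLISH_TIMES: Record<string, string> = {
  "1.2.0": "2025-09-20T00:00:00Z",
  "1.2.1": "2025-10-01T00:00:00Z",
  "1.3.0": "2025-10-09T12:00:00Z", // published half a day before the sample "now"
};

function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function ageInSeconds(publishedIso: string, now: Date): number {
  return (now.getTime() - Date.parse(publishedIso)) / 1000;
}

// Newest version that has been public for at least minimumReleaseAge seconds,
// or null when every version is too fresh (the install would then fail to
// resolve rather than silently fall back to a newer release).
function selectVersion(
  times: Record<string, string>,
  minimumReleaseAge: number,
  now: Date,
): string | null {
  const eligible = Object.keys(times).filter(
    (v) => ageInSeconds(times[v], now) >= minimumReleaseAge,
  );
  if (eligible.length === 0) return null;
  eligible.sort(compareVersions);
  return eligible[eligible.length - 1];
}
```

With the sample data and a clock of 2025-10-10, the seven-day policy resolves to 1.2.1 even though 1.3.0 is newer, which is exactly the window that gives the ecosystem time to notice and pull a compromised release.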

Check out the full Bun 1.3 release announcement for all the details on new features, including the built-in frontend dev server with hot reloading, integrated MySQL and Redis clients, isolated installs for workspaces, and major Node.js compatibility improvements.
