npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@nikpivkin/bun-trivy-scanner

v0.0.6

Published

Trivy-based security scanner plugin for Bun

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

nikpivkinnikpivkin

Keywords

bunsecurityprovidertrivyvulnerability

Readme

bun-trivy-scanner

This package implements the Security Scanner API for Bun.

The scanner integrates with Bun's package manager security workflow and uses Trivy for vulnerability detection. It runs automatically during dependency installation, addition, or when executing bun pm scan.

Features

  • Native integration with Bun
  • Small codebase with minimal external dependencies — easier to audit and maintain
  • Thin wrapper around Trivy
  • Supports the full Trivy feature set

Installation

bun add --dev @nikpivkin/bun-trivy-scanner

Configuration

Bun configuration

[install.security]
scanner = "@nikpivkin/bun-trivy-scanner"

Scanner behavior

You can control which vulnerability severity aborts installation by setting an environment variable:

export BUN_TRIVY_SCANNER_FATAL_SEVERITY=CRITICAL

Valid values are: LOW, MEDIUM, HIGH, CRITICAL.

If a vulnerability with this severity or higher is detected, the installation will fail. Otherwise, advisories are reported as warnings and the user can choose whether to continue.

Additionally, you can specify a custom path to save the Trivy JSON report for manual inspection:

export BUN_TRIVY_SCANNER_REPORT_PATH=/path/to/report.json

If this variable is not set, the scanner will store the report in a temporary directory (default behavior).

Trivy configuration (optional)

You can configure Trivy by creating a trivy.yaml file in the project root directory (the directory where Bun is executed).

Example configuration:

# yaml-language-server: $schema=https://github.com/aquasecurity/trivy/raw/refs/tags/v0.69.3/schema/trivy-config.json

server:
  addr: http://0.0.0.0:10000

severity:
  - MEDIUM
  - HIGH
  - CRITICAL

If the configuration file exists in the project root, it will be automatically loaded during scanning.

Alternatively, Trivy can be configured using environment variables supported by Trivy (for example TRIVY_SEVERITY or TRIVY_SERVER_ADDR).

See the Trivy documentation for more details:

  • Config file: https://trivy.dev/docs/latest/guide/references/configuration/config-file/
  • Environment variables: https://trivy.dev/docs/latest/guide/configuration/#environment-variables

Usage

The scanner will automatically run during dependency installation and addition.

You can also run it manually:

bun pm scan

Scanner in action

❯ bun add [email protected]
bun add v1.3.10 (30e609e0)
2026-03-07T16:53:48+06:00       INFO    Loaded  file_path="trivy.yaml"
2026-03-07T16:53:48+06:00       INFO    [vuln] Vulnerability scanning is enabled
2026-03-07T16:53:48+06:00       INFO    Detected SBOM format    format="cyclonedx-json"
2026-03-07T16:53:48+06:00       WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2026-03-07T16:53:48+06:00       WARN    Recommend using Trivy to generate SBOMs
2026-03-07T16:53:48+06:00       INFO    Number of language-specific files       num=1
2026-03-07T16:53:48+06:00       INFO    [node-pkg] Detecting vulnerabilities...

  WARNING: lodash
    via  › lodash
    nodejs-lodash: command injection via template
    https://avd.aquasec.com/nvd/cve-2021-23337

  WARNING: lodash
    via  › lodash
    nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
    https://avd.aquasec.com/nvd/cve-2020-28500

  WARNING: lodash
    via  › lodash
    lodash: prototype pollution in _.unset and _.omit functions
    https://avd.aquasec.com/nvd/cve-2025-13465

3 advisories (3 warnings)

Security warnings found. Continue anyway? [y/N]