> bun-package-manager
Bun package manager commands (install, add, remove, update), workspaces, lockfiles, npm/yarn/pnpm migration. Use for dependency management with Bun.
curl "https://skillshub.wtf/secondsky/claude-skills/bun-package-manager?format=md"Bun Package Manager
Bun's package manager is a dramatically faster replacement for npm, yarn, and pnpm. Up to 25x faster than npm install.
Quick Start
# Install all dependencies
bun install
# Add packages
bun add react react-dom
bun add -D typescript @types/react
# Remove packages
bun remove lodash
# Update packages
bun update
# Run package binaries
bunx create-next-app
Core Commands
| Command | Description |
|---|---|
bun install | Install all dependencies |
bun add <pkg> | Add dependency |
bun add -D <pkg> | Add dev dependency |
bun add -O <pkg> | Add optional dependency |
bun add --peer <pkg> | Add peer dependency |
bun remove <pkg> | Remove dependency |
bun update [pkg] | Update dependencies |
bunx <pkg> | Run package binary |
bun pm cache rm | Clear cache |
Installation Flags
# Production mode (no devDependencies)
bun install --production
# Frozen lockfile (CI/CD)
bun install --frozen-lockfile
bun ci # shorthand
# Dry run
bun install --dry-run
# Verbose/Silent
bun install --verbose
bun install --silent
# Force reinstall
bun install --force
# Global packages
bun install -g cowsay
Lockfile
Bun uses bun.lock (text-based since v1.2):
# Generate text lockfile
bun install --save-text-lockfile
# Upgrade from binary bun.lockb
bun install --save-text-lockfile --frozen-lockfile --lockfile-only
rm bun.lockb
Workspaces (Monorepos)
{
"name": "my-monorepo",
"workspaces": ["packages/*", "apps/*"]
}
Run commands across workspaces:
# Run in matching packages
bun run --filter 'pkg-*' build
# Run in all workspaces
bun run --filter '*' test
# Install for specific packages
bun install --filter 'pkg-a'
Lifecycle Scripts
Bun does not run lifecycle scripts from dependencies by default (security). Whitelist trusted packages:
{
"trustedDependencies": ["my-trusted-package"]
}
# Skip all lifecycle scripts
bun install --ignore-scripts
# Concurrent scripts
bun install --concurrent-scripts 5
Overrides & Resolutions
Force specific versions for nested dependencies:
{
"overrides": {
"lodash": "4.17.21"
}
}
Yarn-style resolutions also supported:
{
"resolutions": {
"lodash": "4.17.21"
}
}
Non-npm Dependencies
{
"dependencies": {
"dayjs": "git+https://github.com/iamkun/dayjs.git",
"lodash": "git+ssh://github.com/lodash/lodash.git#4.17.21",
"zod": "github:colinhacks/zod",
"react": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
"bun-types": "npm:@types/bun"
}
}
Installation Strategies
Hoisted (default for single packages)
Traditional flat node_modules:
bun install --linker hoisted
Isolated (default for workspaces)
pnpm-like strict isolation:
bun install --linker isolated
Isolated prevents "phantom dependencies" - packages can only access declared dependencies.
CI/CD
# GitHub Actions
- uses: oven-sh/setup-bun@v2
- run: bun ci # frozen lockfile
Platform-Specific
# Install for different platform
bun install --cpu=x64 --os=linux
Common Errors
| Error | Cause | Fix |
|---|---|---|
Cannot find module | Missing dependency | Run bun install |
Lockfile mismatch | package.json changed | Run bun install |
Peer dependency | Missing peer | bun add the peer |
Lifecycle script failed | Untrusted package | Add to trustedDependencies |
Migration from Other Package Managers
From pnpm
Bun automatically migrates pnpm-lock.yaml:
bun install # Auto-converts to bun.lock
Workspace config moves to package.json:
{
"workspaces": {
"packages": ["apps/*", "packages/*"],
"catalog": {
"react": "^18.0.0"
}
}
}
From npm/Yarn
Simply run bun install - Bun reads package-lock.json and yarn.lock.
When to Load References
Load references/cli-commands.md when:
- Need complete CLI flag reference
- Working with advanced options
Load references/workspaces.md when:
- Setting up monorepos
- Configuring workspace filters
Load references/migration.md when:
- Migrating from npm/yarn/pnpm
- Converting lockfiles
> related_skills --same-repo
> zustand-state-management
--- name: zustand-state-management description: Zustand state management for React with TypeScript. Use for global state, Redux/Context API migration, localStorage persistence, slices pattern, devtools, Next.js SSR, or encountering hydration errors, TypeScript inference issues, persist middleware problems, infinite render loops. Keywords: zustand, state management, React state, TypeScript state, persist middleware, devtools, slices pattern, global state, React hooks, create store, useBoundS
> zod
TypeScript-first schema validation and type inference. Use for validating API requests/responses, form data, env vars, configs, defining type-safe schemas with runtime validation, transforming data, generating JSON Schema for OpenAPI/AI, or encountering missing validation errors, type inference issues, validation error handling problems. Zero dependencies (2kb gzipped).
> xss-prevention
--- name: xss-prevention description: XSS attack prevention with input sanitization, output encoding, Content Security Policy. Use for user-generated content, rich text editors, web application security, or encountering stored XSS, reflected XSS, DOM manipulation, script injection errors. Keywords: sanitization, HTML-encoding, DOMPurify, CSP, Content-Security-Policy, rich-text-editor, user-input, escaping, innerHTML, DOM-manipulation, stored-XSS, reflected-XSS, input-validation, output-encodi
> wordpress-plugin-core
--- name: wordpress-plugin-core description: WordPress plugin development with hooks, security, REST API, custom post types. Use for plugin creation, $wpdb queries, Settings API, or encountering SQL injection, XSS, CSRF, nonce errors. Keywords: wordpress plugin development, wordpress security, wordpress hooks, wordpress filters, wordpress database, wpdb prepare, sanitize_text_field, esc_html, wp_nonce, custom post type, register_post_type, settings api, rest api, admin-ajax, wordpress sql inj