Complete Bun.js ecosystem guidance for runtime APIs, file I/O, package management, testing, SQLite, and security; use proactively when setting up Bun projects, replacing Node.js APIs with Bun-native APIs, writing bun test suites, implementing Bun.serve services, using bun:sqlite with prepared statements, configuring workspaces and lockfiles, hardening shell and SQL boundaries, or optimizing Bun performance and migration workflows.
71
89%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Navigation hub for Bun guidance focused on production-safe implementation.
Use this skill when:
Bun.file, Bun.write, Bun.serve)bun testbun:sqlite usage with transactions or prepared statementsbun install fails: check bun.lock/bun.lockb for merge conflicts, resolve them, and re-run bun install.bun test to isolate regressions before proceeding.rg finds non-prepared statements in existing code): refactor each flagged call to use db.prepare(...) with bound parameters before merging; do not leave raw interpolations in place.bun --versionExpected: a Bun version is printed.
bun installExpected: lockfile is updated consistently (bun.lock/bun.lockb per project setup).
bun run src/index.tsExpected: script executes without Node.js runtime shims.
bun testExpected: failing assertions clearly identify behavior regressions.
bun run server.tsExpected: service binds configured port and handles requests via Bun.serve.
rg -n "query\\(|prepare\\(" srcExpected: queries in new code paths use prepared statements where input is user-controlled. If raw query( calls with interpolated values are found in existing code, refactor them to db.prepare(...) with bound parameters before proceeding.
| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Runtime & Core APIs | CRITICAL | runtime- |
| 2 | File I/O Operations | CRITICAL | file- |
| 3 | Testing Framework | HIGH | testing- |
| 4 | SQLite Integration | HIGH | sqlite- |
| 5 | Package Management | MEDIUM | package- |
| 6 | Security Practices | MEDIUM | security- |
WHY: mixed APIs create inconsistent behavior and miss Bun performance advantages.
BAD: readFileSync("./config.json") for Bun-managed file reads. GOOD: await Bun.file("./config.json").text().
BAD:
import { readFileSync } from "node:fs";
const config = readFileSync("./config.json", "utf8");GOOD:
const config = await Bun.file("./config.json").text();npm install in Bun-managed repositoriesWHY: mixed package managers cause lockfile drift and nondeterministic installs.
BAD: npm install
GOOD: bun install
WHY: direct interpolation can introduce SQL injection vulnerabilities. BAD: interpolate untrusted values into query strings. GOOD: bind values with prepared statements.
BAD:
db.query(`SELECT * FROM users WHERE email = '${email}'`).all();GOOD:
db.prepare("SELECT * FROM users WHERE email = ?").all(email);WHY: shell interpolation enables command injection.
BAD: await Bun.spawn(["sh", "-c", userInput]).exited. GOOD: use direct API calls or fixed command arguments.
BAD:
await Bun.spawn(["sh", "-c", userInput]).exited;GOOD:
const safePath = Bun.file(userProvidedPath);
await safePath.text();references/runtime-globals.md, references/runtime-http-server.mdreferences/file-io-patterns.md, references/file-vs-node.md, references/file-glob.mdreferences/testing-bun-test.md, references/testing-matchers.md, references/testing-mocking.md, references/testing-snapshots.mdreferences/sqlite-basics.mdreferences/pm-workspaces-agent-instructions.mdreferences/runtime-shell.md, references/runtime-password.md