Description
Is your feature request related to a problem? Please describe.
Yes. Currently, when JavaScript codebases using bun for package management are scanned, they are detected as npm by Frogbot. This then appears to cause the Frogbot scans to fail when the package.json contains content which is not supported by npm.
E.g., given the following package.json:
{
  "name": "bun-sample",
  "module": "index.ts",
  "type": "module",
  "private": true,
  "devDependencies": {
    "@types/bun": "latest"
  },
  "peerDependencies": {
    "typescript": "^5"
  },
  "dependencies": {
    "@actions/core": "^1.11.1",
    "@actions-commons/gha": "workspace:*"
  }
}
The scan output indicates that frogbot is treating this dir as npm-based.
...
14:09:24 [Info] Performing scans on 8 targets:
[
  {
    "target": "/tmp/jfrog.cli.temp.-1757340555-3683775740/bun-sample",
    "technology": "npm"
  },
...
The following error is seen during the frogbot scan.
Error: 7 [Error] target '/tmp/jfrog.cli.temp.-1757340555-3683775740/bun-sample [npm]' errors:
failed to generate SBOM for /tmp/jfrog.cli.temp.-1757340555-3683775740/bun-sample: failed to build dependency tree: failed while building 'npm' dependency tree: error while running '/usr/bin/npm install --ignore-scripts --package-lock-only': exit status 1
npm warn config ignoring workspace config at /tmp/jfrog.cli.temp.-1757340555-3683775740/bun-sample/.npmrc
npm error code EUNSUPPORTEDPROTOCOL
npm error Unsupported URL Type "workspace:": workspace:*
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2025-09-08T14_09_16_516Z-debug-0.log
Describe the solution you'd like to see
Ideally, full bun support so that codebases using this can be scanned for vulns; failing that, some logic to stop bun-based projects being incorrectly identified as npm so that it doesn't cause the whole scan to fail.
Describe alternatives you've considered
n/a
Additional context
Please let me know if you need any further information or if I have missed anything else.
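
A sketch of the fallback logic requested above, as an added example (not Frogbot's code and not from the issue author): before a target is handed to `npm install`, check for a Bun lockfile and for `workspace:` specifiers, which npm rejects with `EUNSUPPORTEDPROTOCOL`. The helper name `classifyTarget`, the `"unsupported"` label and the assumption that `bun.lock` / `bun.lockb` would sit beside `package.json` are illustrative; in a workspace the lockfile usually lives at the repository root, so the specifier check is what catches a sub-package like the one in this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: the issue's package.json, trimmed to the relevant fields.
const samplePackageJSON = `{"name": "bun-sample",
  "devDependencies": {"@types/bun": "latest"},
  "dependencies": {"@actions/core": "^1.11.1", "@actions-commons/gha": "workspace:*"}}`
type manifest struct {
	Dependencies     map[string]string `json:"dependencies"`
	DevDependencies  map[string]string `json:"devDependencies"`
	PeerDependencies map[string]string `json:"peerDependencies"`
}

// classifyTarget (hypothetical helper): files holds the names found beside package.json.
// Returns the technology to scan as, plus the specifiers npm would reject.
func classifyTarget(pkgJSON []byte, files []string) (string, []string, error) {
	var m manifest
	if err := json.Unmarshal(pkgJSON, &m); err != nil {
		return "", nil, fmt.Errorf("parse package.json: %w", err)
	}
	var unsupported []string
	for _, deps := range []map[string]string{m.Dependencies, m.DevDependencies, m.PeerDependencies} {
		for name, spec := range deps {
			if strings.HasPrefix(spec, "workspace:") {
				unsupported = append(unsupported, name+"@"+spec)
			}
		}
	}
	sort.Strings(unsupported) // map iteration order is random; keep output stable
	for _, f := range files {
		if f == "bun.lock" || f == "bun.lockb" { // Bun's text and binary lockfiles
			return "bun", unsupported, nil
		}
	}
	if len(unsupported) > 0 {
		return "unsupported", unsupported, nil // skip rather than run npm install
	}
	return "npm", nil, nil
}

func main() {
	fmt.Println(classifyTarget([]byte(samplePackageJSON), []string{"package.json", "index.ts"}))
}
```

With no lockfile present the target is reported as `"unsupported"` rather than `"bun"`, because the `workspace:` protocol is also used by pnpm and Yarn; either way the target is kept away from the npm dependency-tree step that fails in the log above.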