Bun.js Project Exposed: No Automated Dependency Vulnerability Scanning in CI Pipeline
A serious security gap has been identified in the CI/CD pipeline of a Bun.js-based project: nothing scans the installed dependencies for known vulnerabilities. A vulnerable transitive dependency can therefore enter the `bun.lock` lockfile through a routine dependency update, pass review, and be published to production without anyone noticing, which is a direct supply chain risk. Until such a scan exists, the project's build artifacts can ship with flaws that are already public and for which exploit code may already circulate.
The issue, filed under 'Supply Chain & Dependencies', proposes a concrete fix: a CI job that runs `bun audit`, or an equivalent vulnerability scanner, on every pull request and on every push to the main branch. The proposed policy is strict: the build fails on findings rated 'high' or 'critical' and emits warnings for 'moderate' advisories. Two practical points follow from how `bun audit` works. It checks the package versions resolved in `bun.lock` against the advisory data published by the npm registry, so the job should run after `bun install --frozen-lockfile`, which makes CI test the committed lockfile rather than a freshly re-resolved one; and it only knows about advisories that have already been published, so it catches known-vulnerable versions, not a package compromised yesterday with no advisory yet. The subcommand is also a relatively recent addition to Bun, so the CI image must pin a Bun release that ships it. With those caveats, the job makes security governance part of the development workflow rather than a periodic manual chore.
Implementing it means a new workflow, or an extra step in the existing CI, plus a section in CONTRIBUTING.md on how to triage a finding: upgrade the direct dependency that pulls in the vulnerable version; pin a patched transitive version through the `overrides` field in package.json when the upstream maintainer has not moved yet; or, when the advisory does not apply to how the package is used, record a time-boxed exception with the reasoning, so the gate does not quietly turn into a list of permanent ignores. This is a basic hardening measure that shifts security left and puts the onus on developers to resolve critical vulnerabilities before code merges. Without it the project relies on manual vigilance to keep compromised or vulnerable packages out, which is a significant operational risk.
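As an added illustration, not code from the issue or from the project, the following TypeScript script implements the severity policy described above as a gate that the CI step would run after `bun install --frozen-lockfile`. It avoids Bun-only APIs so it runs under both Bun and Node. It assumes that `bun audit --json` prints advisories in the npm bulk-advisory shape, a JSON object keyed by package name whose values are arrays of advisories each carrying a `severity` label; confirm that against the Bun release pinned in CI. The package names, advisory IDs and URLs in the embedded sample are constructed for the example, and the path `scripts/audit-gate.ts` mentioned below is an assumed location. Unknown or missing severity labels are treated as critical so that the gate fails closed rather than open.

```typescript
// audit-gate.ts: apply a severity policy to `bun audit --json` output.
// Added example for this write-up; not the project's own CI script.
// Assumed input shape (verify against your pinned Bun version):
//   { "<package>": [ { "id": 1, "title": "...", "severity": "high",
//                      "url": "...", "vulnerable_versions": "<1.2.3" }, ... ] }
import { execFileSync } from "node:child_process";

type Severity = "info" | "low" | "moderate" | "high" | "critical";
const RANK: Record<Severity, number> = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

interface Advisory { id?: number; title?: string; severity?: string; url?: string; vulnerable_versions?: string }
interface Finding { pkg: string; severity: Severity; title: string; url: string }
interface Policy { failAt: Severity; warnAt: Severity }
interface Verdict { exitCode: number; failures: Finding[]; warnings: Finding[]; ignored: Finding[] }

// Policy from the proposal: fail on high/critical, warn on moderate.
const DEFAULT_POLICY: Policy = { failAt: "high", warnAt: "moderate" };

// Constructed sample standing in for real `bun audit --json` output.
// Package names, IDs and URLs are invented for the example.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  "sample-template-lib": [{ id: 1001, title: "Prototype pollution via merge()", severity: "high",
    url: "https://example.invalid/advisories/1001", vulnerable_versions: "<1.3.1" }],
  "sample-semver-parse": [{ id: 1002, title: "ReDoS in range parser", severity: "moderate",
    url: "https://example.invalid/advisories/1002", vulnerable_versions: "<0.9.0" }],
  "sample-logger": [{ id: 1003, title: "Stack traces leaked in error output", severity: "low",
    url: "https://example.invalid/advisories/1003", vulnerable_versions: "<2.0.0" }],
  "sample-odd-feed": [{ id: 1004, title: "Advisory with a label the policy does not know", severity: "SEVERE",
    url: "https://example.invalid/advisories/1004", vulnerable_versions: "*" }],
});

// Map the advisory's label onto the policy scale. Anything unrecognised or
// missing is treated as critical so that a feed change cannot silently
// downgrade the gate (fail closed).
function normalizeSeverity(raw: string | undefined): Severity {
  const s = (raw ?? "").toLowerCase();
  return (s in RANK ? s : "critical") as Severity;
}

// Flatten the package-keyed advisory map into one finding per advisory.
// Malformed JSON throws, which also fails the CI step: an unreadable audit
// must not pass as "no findings".
function parseAudit(json: string): Finding[] {
  const data = JSON.parse(json) as Record<string, unknown>;
  const findings: Finding[] = [];
  for (const [pkg, advisories] of Object.entries(data)) {
    if (!Array.isArray(advisories)) continue; // tolerate non-advisory keys
    for (const a of advisories as Advisory[]) {
      findings.push({ pkg, severity: normalizeSeverity(a.severity), title: a.title ?? "", url: a.url ?? "" });
    }
  }
  return findings;
}

// Bucket findings by threshold; exit 1 only when something meets failAt.
function evaluate(findings: Finding[], policy: Policy = DEFAULT_POLICY): Verdict {
  if (RANK[policy.warnAt] > RANK[policy.failAt]) throw new Error("warnAt must not be above failAt");
  const failures: Finding[] = [], warnings: Finding[] = [], ignored: Finding[] = [];
  for (const f of findings) {
    const r = RANK[f.severity];
    if (r >= RANK[policy.failAt]) failures.push(f);
    else if (r >= RANK[policy.warnAt]) warnings.push(f);
    else ignored.push(f);
  }
  return { exitCode: failures.length > 0 ? 1 : 0, failures, warnings, ignored };
}

// "::error::" / "::warning::" are GitHub Actions workflow commands that become
// annotations on the pull request; other CI systems just print the lines.
function renderReport(v: Verdict): string[] {
  const fmt = (f: Finding) => `${f.pkg}: [${f.severity}] ${f.title} ${f.url}`.trim();
  const lines = [
    ...v.failures.map((f) => `::error::${fmt(f)}`),
    ...v.warnings.map((f) => `::warning::${fmt(f)}`),
  ];
  lines.push(`audit gate: ${v.failures.length} failing, ${v.warnings.length} warning, ` +
    `${v.ignored.length} below threshold -> exit ${v.exitCode}`);
  return lines;
}

// Like `npm audit`, `bun audit` is expected to exit non-zero when it has
// findings; recover its stdout from the thrown error so the gate, not the
// tool's exit code, decides the outcome.
function loadAuditJson(live: boolean): string {
  if (!live) return SAMPLE_AUDIT_JSON;
  try {
    return execFileSync("bun", ["audit", "--json"], { encoding: "utf8", stdio: ["ignore", "pipe", "inherit"] });
  } catch (err) {
    const out = (err as { stdout?: unknown }).stdout;
    if (typeof out === "string" && out.trim() !== "") return out;
    throw err;
  }
}

// Without --live the script evaluates the constructed sample and does not
// touch the process exit code, so it can be read and run anywhere.
const live = process.argv.includes("--live");
const verdict = evaluate(parseAudit(loadAuditJson(live)));
for (const line of renderReport(verdict)) console.log(line);
if (live) process.exit(verdict.exitCode);
```

Run `bun run scripts/audit-gate.ts` to see the verdict on the sample (two failures, one warning, one finding below threshold), or `bun run scripts/audit-gate.ts --live` from the CI step to gate on real `bun audit` output; only live mode sets the exit code. A moderate-only result still prints `::warning::` annotations and exits 0, which is the proposed behaviour. Newer Bun releases may expose a severity threshold directly on `bun audit`; check `bun audit --help` for the pinned version, since a built-in flag would let the CI step drop the script entirely.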