REQUEST: Support bun.lock lockfile used by Bun

[Fra9ment]

Bun( https://bun.sh/ ) is Node.js like JavaScript runtime.

And packages are hosted by npm.js.

This scanner may be able to support bun.lockb bun.lock files with minor modifications.

Note

The lock files are in binary format, so this issue might be tricky... (updated by #1405 (comment) )

User documentation on the lockfile can be found here: https://bun.sh/docs/install/lockfile

bun.lockb can also be generated from existing package-lock.json and package.json with this command.

bun pm migrate # docs here: https://bun.sh/docs/cli/pm#migrate

Or, if you have only package.json just exec

bun install

[G-Rath]

I've previously looked into this and decided against it ("for now") due to the binary format - I now don't think it's worth doing because bun is moving away from the binary lockfile for exactly this kind of reason.

In the meantime you should be able to do scanning by generating a yarn.lock file

[Fra9ment]

Thank you.
Wow, the lockfile will be text format!

Now, I wait for the text one.
I respect and agree with your decision👍

[G-Rath]

Bun has officially implemented their new text-based lockfile which will be the default in v1.2 - I have started on an extractor for this over at osv-scalibr

[Fra9ment]

Thank you!
I updated issue title😉

bun.lockb → bun.lock