bun install: Install Dependencies in CI
bun install reads package.json, resolves the dependency tree, and installs it into node_modules, writing or honoring bun.lock.
bun install is the entry point for any Bun pipeline. It is fast because it installs in parallel and caches globally, but in CI you want it deterministic, which means installing from the committed lockfile.
What it does
bun install resolves every dependency in package.json (and workspace packages), downloads them into the global cache at ~/.bun/install/cache, and links them into node_modules. It writes a text lockfile bun.lock (the older binary bun.lockb is still read). With no arguments it installs everything; pass a package name to add one.
Common usage
bun install
bun install --frozen-lockfile # CI: fail if lockfile would change
bun install --production # skip devDependencies
bun install --ignore-scripts # do not run postinstall scriptsOptions
| Flag | What it does |
|---|---|
| --frozen-lockfile | Do not update the lockfile; fail if it is out of date |
| --production / -p | Install only dependencies, not devDependencies |
| --ignore-scripts | Skip lifecycle scripts like postinstall |
| --no-save | Do not write package.json or the lockfile |
| --dry-run | Resolve and report without installing |
| --verbose | Print detailed resolution and link output |
In CI
Always run bun install --frozen-lockfile in CI so a stale or hand-edited bun.lock fails the build instead of silently resolving new versions. Cache ~/.bun/install/cache keyed on the lockfile hash, and use oven-sh/setup-bun to pin the Bun version. setup-bun also exposes a built-in cache for the global store.
Common errors in CI
"error: lockfile had changes, but lockfile is frozen" means package.json and bun.lock disagree under --frozen-lockfile; run bun install locally and commit the updated bun.lock. "error: failed to resolve" or "package <x> not found" points at a private registry without auth (set a bunfig.toml registry token) or a typo in the version range. "EACCES" on node_modules means a read-only or root-owned workspace.