bun pm: Inspect the Package Store and Cache
bun pm groups package-manager utilities: print the cache path, list the dependency tree, show the bin directory, and manage trusted dependencies.
bun pm is the toolbox behind bun install. Its subcommands matter in CI when you need the cache path for a cache key or want to audit what got installed.
What it does
bun pm exposes subcommands: cache (print or rm the global cache), ls (print the installed tree), bin (print the bin directory), hash (print the lockfile hash), and trust/untrusted (manage which dependencies may run lifecycle scripts). Each is a quick introspection or maintenance command.
Common usage
bun pm cache # print the cache directory
bun pm cache rm # clear the global cache
bun pm ls # installed dependency tree
bun pm ls --all # include transitive deps
bun pm bin # path to project bin dir
bun pm hash # current lockfile hashOptions
| Subcommand | What it does |
|---|---|
| cache | Print the global cache path (~/.bun/install/cache) |
| cache rm | Delete the global install cache |
| ls [--all] | List installed dependencies (top-level, or all) |
| bin [-g] | Print the project (or global) bin directory |
| hash | Print the hash of the current lockfile |
| trust <pkg> / untrusted | Allow / list packages permitted to run scripts |
In CI
Use bun pm cache to locate ~/.bun/install/cache for a cache restore/save step, and bun pm hash as a stable cache key tied to the lockfile. bun pm untrusted lists dependencies whose postinstall scripts were blocked; trust only the ones you audit, since Bun does not run arbitrary install scripts by default.
Common errors in CI
"error: No lockfile found" from bun pm hash means you ran it before bun install; install first. If bun pm ls shows a different tree than expected, the install was not --frozen-lockfile and resolved new versions. A blocked native dependency that fails at runtime needs bun pm trust <pkg> so its build script runs.