bun publish: Publish a Package to npm
bun publish packs the current package and uploads it to the npm registry, honoring the files field and .npmignore.
bun publish is the release command. In CI it runs from a tag or release workflow with a registry token, and --dry-run lets you verify the tarball contents before going live.
What it does
bun publish builds the package tarball (respecting the files field, package.json bin/exports, and .npmignore) and publishes it to the configured registry. --access sets public/restricted for scoped packages, --tag sets the dist-tag, and --otp supplies a one-time code for 2FA.
Common usage
bun publish --dry-run # verify the tarball, do not upload
bun publish --access public # scoped package, public
bun publish --tag next # publish under a dist-tag
bun publish --otp 123456 # one-time 2FA codeOptions
| Flag | What it does |
|---|---|
| --dry-run | Pack and report without publishing |
| --access <public|restricted> | Visibility for scoped packages |
| --tag <tag> | Publish under a dist-tag instead of latest |
| --otp <code> | One-time password for 2FA-protected accounts |
| --no-git-checks | Skip the clean-working-tree and branch checks |
In CI
Provide the registry token via the environment (BUN_AUTH_TOKEN or an npmrc/bunfig with a $TOKEN reference) so no secret is committed. Run --dry-run on PRs and the real publish only on tags. Bump the version before publishing; the registry rejects republishing an existing version.
Common errors in CI
"error: 401 Unauthorized" or "need auth" means the registry token is missing or wrong; set BUN_AUTH_TOKEN or the registry auth in bunfig.toml. "403 Forbidden ... cannot publish over previously published version" means the version already exists; bump package.json. "402 Payment Required" on a scoped package means you published privately without --access public.