bun update: Upgrade Dependencies
bun update bumps installed dependencies to the newest versions allowed by their package.json ranges and rewrites bun.lock.
bun update keeps dependencies current. It respects semver ranges by default, so it is safer than it sounds, but --latest deliberately ignores ranges and can break builds.
What it does
bun update re-resolves dependencies to the newest versions that satisfy the ranges in package.json, updating bun.lock and node_modules. With a package name it updates only that one; with --latest it upgrades to the newest version even past the declared range and rewrites the range.
Common usage
bun update # all deps, within ranges
bun update react # just one package
bun update --latest # ignore ranges, go to newest
bun outdated # preview what would changeOptions
| Flag | What it does |
|---|---|
| <package> | Update only the named package |
| --latest | Upgrade past semver ranges to the newest version |
| --frozen-lockfile | Refuse to change the lockfile (effectively a no-op check) |
| --dry-run | Show the resolution without applying it |
In CI
bun update belongs in a scheduled dependency-bump job, not in normal build pipelines. Run it on a branch, let CI install --frozen-lockfile and run tests against the new bun.lock, then open a PR. Pair bun outdated with bun update to review the diff before committing.
Common errors in CI
A normal build that runs bun update will fail a downstream --frozen-lockfile check because the lockfile changed; keep update out of build jobs. After --latest, "Cannot find module" or type errors usually mean a major bump introduced a breaking change; pin back the offending package and bump it deliberately.