Skip to docs content
SCPM

For bun users

scpm can install directly from Bun lockfiles. You do not need to delete bun.lock or remove node_modules before trying scpm.

Try the Bun lockfile

scpm install

Run this once when you specifically want to verify that scpm can read and write the existing Bun lockfile. For normal local work, run the command you wanted instead: scpmr build, scpm test, and scpm exec <bin> auto-install first when dependencies are stale; scpmx <pkg> handles one-off tools.

scpm reads and updates the text-format bun.lock at lockfileVersion: 1 in place and installs packages into node_modules/.scpm/.

scpm does not read Bun's older binary bun.lockb format. Projects still on bun.lockb can generate the text lockfile with a modern Bun once:

bun install --save-text-lockfile

Commit the resulting bun.lock and drop bun.lockb before switching to scpm.

Keep Bun working during rollout

Commit the updated bun.lock so both Bun and scpm users see the same resolved versions. You do not need scpm import for a normal rollout; scpm install keeps bun.lock as the shared source of truth.

Use scpm import only if the team intentionally wants to convert the project to scpm-lock.yaml. After import succeeds, remove bun.lock so future installs keep writing scpm-lock.yaml.

Differences from Bun

  • scpm keeps package files in a global content-addressable store.
  • scpm produces an isolated symlink layout under node_modules/.scpm/ rather than Bun's hoisted tree.
  • scpm does not manage a JavaScript runtime. Use mise (mise use node@22) if you need a Node version alongside or in place of Bun.
  • Dependency lifecycle scripts (preinstall, install, postinstall) are gated by an allowlist. scpm reads Bun's top-level trustedDependencies array in addition to pnpm's pnpm.allowBuilds / pnpm.onlyBuiltDependencies, so an existing Bun manifest keeps running its install scripts without edits. Install writes unreviewed packages into scpm-workspace.yaml's allowBuilds with false (or pnpm-workspace.yaml if one already exists); scpm approve-builds flips reviewed entries to true. Approved dependency builds can also run in a jail with package-specific env, path, and network permissions.

Reference: bun install