bun-scan 1.1.0 → 1.1.1-beta.1

package/README.md

@@ -0,0 +1,91 @@
+# Bun-Scan
+
+A security scanner for [Bun](https://bun.sh/) that checks packages for known vulnerabilities during installation.
+
+## Features
+
+- **Real-time Scanning**: Checks packages against configured sources (OSV, npm, or both) during installation
+- **Whitelists**: Specific warnings can be ignored
+- **Fail-safe**: Can configure non-critical advisories to not prevent installations
+
+## Installation
+
+```bash
+# Install as a dev dependency
+bun add -d bun-scan
+```
+
+Add to your `bunfig.toml`:
+
+```toml
+[install.security]
+scanner = "bun-scan"
+```
+
+Select your source from `npm`, `osv` (default), or run checks against `both` by setting up your config in `.bun-scan.config.json`
+
+Note to set the schema version in the URL to the correct version:
+
+```json
+{
+  "$schema": "https://raw.githubusercontent.com/rawtoast/bun-scan/v1.1.0/schema/bun-scan.schema.json",
+  "source": "npm"
+}
+```
+
+### Ignoring Vulnerabilities
+
+A package may have a vulnerability, but your project is not affected. In this scenario, you would
+not want installations to be prevented. To work around this, the vulnerability can be flagged as ignored in your `.bun-scan.config.json`
+
+```json
+{
+  "$schema": "https://raw.githubusercontent.com/rawtoast/bun-scan/v1.1.0/schema/bun-scan.schema.json",
+  "source": "npm",
+  "packages": {
+    "hono": {
+      "vulnerabilities": ["CVE-2026-22818"],
+      "reason": "Project does not use JWT from hono, verify again in June",
+      "until": "2026-06-01"
+    }
+  }
+}
+```
+
+Note that `bunReportWarnings` can be set `false` to print warning-level advisories without triggering Bun's install prompt:
+
+```json
+{
+  "bunReportWarnings": false
+}
+```
+
+### Advisory Levels
+
+#### Fatal (Installation Blocked)
+
+- **CVSS Score**: ≥ 7.0 (High/Critical)
+- **Database Severity**: CRITICAL or HIGH
+- **Action**: Installation is immediately blocked
+
+#### Warning (User Prompted)
+
+- **CVSS Score**: < 7.0 (Medium/Low)
+- **Database Severity**: MEDIUM, LOW, or unspecified
+- **Action**: User is prompted to continue or cancel
+
+## License
+
+MIT License - see the [LICENSE](LICENSE) file for details.
+
+## Acknowledgments
+
+- **maloma7**: For the original implementation of the Bun OSV Scanner
+
+## Related Projects
+
+- [Bun Security Scanner API](https://bun.com/docs/install/security-scanner-api)
+- [OSV.dev](https://osv.dev/)
+- [GitHub advisories](https://github.com/advisories)
+- [Bun OSV Scanner](https://github.com/bun-security-scanner/osv)
+- [Bun NPM Scanner](https://github.com/bun-security-scanner/npm)

package/dist/cli.js

@@ -29,7 +29,8 @@ var ENV = {
   LOG_LEVEL: "BUN_SCAN_LOG_LEVEL",
   API_BASE_URL: "OSV_API_BASE_URL",
   TIMEOUT_MS: "OSV_TIMEOUT_MS",
-  DISABLE_BATCH: "OSV_DISABLE_BATCH"
+  DISABLE_BATCH: "OSV_DISABLE_BATCH",
+  FAIL_ON_SCANNER_ERROR: "BUN_SCAN_FAIL_ON_SCANNER_ERROR"
 };
 // ../core/src/logger.ts
 var LEVELS = { debug: 0, info: 1, warn: 2, error: 3 };
@@ -118,6 +119,7 @@ import { z } from "zod";
 var CONFIG_DEFAULTS = {
   logLevel: "info",
   bunReportWarnings: true,
+  failOnScannerError: false,
   osv: {
     apiBaseUrl: OSV_API.BASE_URL,
     timeoutMs: OSV_API.TIMEOUT_MS,
@@ -152,6 +154,7 @@ var ConfigSchema = z.object({
   packages: z.record(z.string(), IgnorePackageRuleSchema).optional(),
   logLevel: z.enum(["debug", "info", "warn", "error"]).optional(),
   bunReportWarnings: z.boolean().optional(),
+  failOnScannerError: z.boolean().optional(),
   osv: OsvConfigSchema.optional(),
   npm: NpmConfigSchema.optional()
 });
@@ -198,6 +201,7 @@ function parseEnvLogLevel(envVar) {
 function buildEnvConfig() {
   return {
     logLevel: parseEnvLogLevel(ENV.LOG_LEVEL),
+    failOnScannerError: parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR),
     osv: {
       apiBaseUrl: Bun.env[ENV.API_BASE_URL] || undefined,
       timeoutMs: parseEnvNumber(ENV.TIMEOUT_MS),
@@ -215,11 +219,14 @@ function mergeConfig(fileConfig) {
     source: DEFAULT_SOURCE,
     logLevel: CONFIG_DEFAULTS.logLevel,
     bunReportWarnings: CONFIG_DEFAULTS.bunReportWarnings,
+    failOnScannerError: CONFIG_DEFAULTS.failOnScannerError,
     osv: { ...CONFIG_DEFAULTS.osv },
     npm: { ...CONFIG_DEFAULTS.npm }
   };
   if (envConfig.logLevel !== undefined)
     merged.logLevel = envConfig.logLevel;
+  if (envConfig.failOnScannerError !== undefined)
+    merged.failOnScannerError = envConfig.failOnScannerError;
   if (envConfig.osv?.apiBaseUrl !== undefined)
     merged.osv.apiBaseUrl = envConfig.osv.apiBaseUrl;
   if (envConfig.osv?.timeoutMs !== undefined)
@@ -241,6 +248,8 @@ function mergeConfig(fileConfig) {
       merged.logLevel = fileConfig.logLevel;
     if (fileConfig.bunReportWarnings !== undefined)
       merged.bunReportWarnings = fileConfig.bunReportWarnings;
+    if (fileConfig.failOnScannerError !== undefined)
+      merged.failOnScannerError = fileConfig.failOnScannerError;
     if (fileConfig.osv?.apiBaseUrl !== undefined)
       merged.osv.apiBaseUrl = fileConfig.osv.apiBaseUrl;
     if (fileConfig.osv?.timeoutMs !== undefined)
@@ -252,18 +261,22 @@ function mergeConfig(fileConfig) {
     if (fileConfig.npm?.timeoutMs !== undefined)
       merged.npm.timeoutMs = fileConfig.npm.timeoutMs;
   }
+  if (envConfig.failOnScannerError !== undefined) {
+    merged.failOnScannerError = envConfig.failOnScannerError;
+  }
   return merged;
 }
 async function loadConfig() {
+  const strictBootstrap = parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR) === true;
   for (const filename of CONFIG_FILES) {
-    const config = await tryLoadConfigFile(filename);
+    const config = await tryLoadConfigFile(filename, { fatalOnError: strictBootstrap });
     if (config) {
       return mergeConfig(config);
     }
   }
   return mergeConfig(null);
 }
-async function tryLoadConfigFile(filename) {
+async function tryLoadConfigFile(filename, options) {
   try {
     const file = Bun.file(filename);
     const exists = await file.exists();
@@ -276,6 +289,18 @@ async function tryLoadConfigFile(filename) {
     logConfigStats(parsed);
     return parsed;
   } catch (error) {
+    const isENOENT = error instanceof Error && ("code" in error ? error.code === "ENOENT" : error.message.includes("No such file"));
+    if (options?.fatalOnError) {
+      if (isENOENT) {
+        return null;
+      }
+      logger.error(`Failed to read config file ${filename}`, {
+        error: error instanceof Error ? error.message : String(error),
+        stack: error instanceof Error ? error.stack : undefined
+      });
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`bun-scan: failed to load config file ${filename}: ${message}. ` + `BUN_SCAN_FAIL_ON_SCANNER_ERROR=true makes config errors fatal.`);
+    }
     if (error instanceof z.ZodError) {
       logger.warn(`Invalid config in ${filename}`, {
         errors: error.issues.map((e) => `${e.path.join(".")}: ${e.message}`)
@@ -284,6 +309,13 @@ async function tryLoadConfigFile(filename) {
       logger.warn(`Failed to parse ${filename} as JSON`, {
         error: error.message
       });
+    } else if (isENOENT) {
+      logger.debug(`Config file ${filename} not found (race condition handled)`);
+    } else {
+      logger.warn(`Failed to read config file ${filename}`, {
+        error: error instanceof Error ? error.message : String(error),
+        stack: error instanceof Error ? error.stack : undefined
+      });
     }
     return null;
   }
@@ -408,6 +440,7 @@ function createOSVClient(options = {}) {
   const baseUrl = osvConfig.apiBaseUrl ?? OSV_API.BASE_URL;
   const timeout = osvConfig.timeoutMs ?? OSV_API.TIMEOUT_MS;
   const useBatch = !(osvConfig.disableBatch ?? false);
+  const failOnError = options.failOnScannerError ?? false;
   function deduplicatePackages(packages) {
     const packageMap = new Map;
     for (const pkg of packages) {
@@ -466,8 +499,15 @@ function createOSVClient(options = {}) {
         return OSVVulnerabilitySchema.parse(data);
       }, `Get vulnerability ${id}`);
     } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (failOnError) {
+        logger.error(`Failed to fetch vulnerability ${id} (strict mode)`, {
+          error: message
+        });
+        throw error;
+      }
       logger.warn(`Failed to fetch vulnerability ${id}`, {
-        error: error instanceof Error ? error.message : String(error)
+        error: message
       });
       return null;
     }
@@ -482,6 +522,18 @@ function createOSVClient(options = {}) {
     for (let i = 0;i < uniqueIds.length; i += chunkSize) {
       const chunk = uniqueIds.slice(i, i + chunkSize);
       const chunkResults = await Promise.allSettled(chunk.map((id) => fetchSingleVulnerability(id)));
+      if (failOnError) {
+        const rejections = chunkResults.filter((r) => r.status === "rejected");
+        if (rejections.length > 0) {
+          const firstError = rejections[0].reason;
+          const message = firstError instanceof Error ? firstError.message : String(firstError);
+          logger.error(`Failed to fetch vulnerability details (strict mode)`, {
+            error: message,
+            failedCount: rejections.length
+          });
+          throw firstError;
+        }
+      }
       for (const result of chunkResults) {
         if (result.status === "fulfilled" && result.value) {
           vulnerabilities.push(result.value);
@@ -499,8 +551,16 @@ function createOSVClient(options = {}) {
         const batchIds = await executeBatchQuery(batchQueries);
         vulnerabilityIds.push(...batchIds);
       } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (failOnError) {
+          logger.error(`Batch query failed for ${batchQueries.length} packages (strict mode)`, {
+            error: message,
+            startIndex: i
+          });
+          throw error;
+        }
         logger.error(`Batch query failed for ${batchQueries.length} packages`, {
-          error: error instanceof Error ? error.message : String(error),
+          error: message,
           startIndex: i
         });
       }
@@ -538,8 +598,15 @@ function createOSVClient(options = {}) {
           break;
         }
       } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (failOnError) {
+          logger.error(`Query failed for ${query.package?.name || "unknown"}@${query.version || "unknown"} (strict mode)`, {
+            error: message
+          });
+          throw error;
+        }
         logger.warn(`Query failed for ${query.package?.name || "unknown"}@${query.version || "unknown"}`, {
-          error: error instanceof Error ? error.message : String(error)
+          error: message
         });
         break;
       }
@@ -548,6 +615,18 @@ function createOSVClient(options = {}) {
   }
   async function queryIndividually(queries) {
     const responses = await Promise.allSettled(queries.map((query) => querySinglePackage(query)));
+    if (failOnError) {
+      const rejections = responses.filter((r) => r.status === "rejected");
+      if (rejections.length > 0) {
+        const firstError = rejections[0].reason;
+        const message = firstError instanceof Error ? firstError.message : String(firstError);
+        logger.error(`Individual query failed (strict mode)`, {
+          error: message,
+          failedCount: rejections.length
+        });
+        throw firstError;
+      }
+    }
     const vulnerabilities = [];
     let successCount = 0;
     for (const response of responses) {
@@ -846,6 +925,8 @@ function createVulnerabilityProcessor(ignoreConfig = {}) {
 function isNewOptionsFormat(options) {
   if ("osv" in options)
     return true;
+  if ("failOnScannerError" in options)
+    return true;
   if ("ignore" in options && options.ignore && typeof options.ignore === "object" && !Array.isArray(options.ignore)) {
     return true;
   }
@@ -854,14 +935,32 @@ function isNewOptionsFormat(options) {
 function createOSVSource(options = {}) {
   let ignoreConfig;
   let osvConfig;
+  let failOnScannerError;
   if (isNewOptionsFormat(options)) {
-    ignoreConfig = options.ignore ?? {};
+    const ignoreFromOptions = options.ignore;
+    const packagesFromOptions = options.packages;
+    if (ignoreFromOptions !== undefined) {
+      if (Array.isArray(ignoreFromOptions)) {
+        ignoreConfig = { ignore: ignoreFromOptions, packages: packagesFromOptions };
+      } else {
+        ignoreConfig = {
+          ignore: ignoreFromOptions.ignore,
+          packages: ignoreFromOptions.packages ?? packagesFromOptions
+        };
+      }
+    } else if (packagesFromOptions !== undefined) {
+      ignoreConfig = { ignore: undefined, packages: packagesFromOptions };
+    } else {
+      ignoreConfig = {};
+    }
     osvConfig = options.osv;
+    failOnScannerError = options.failOnScannerError;
   } else {
     ignoreConfig = options;
     osvConfig = undefined;
+    failOnScannerError = undefined;
   }
-  const client = createOSVClient({ osv: osvConfig });
+  const client = createOSVClient({ osv: osvConfig, failOnScannerError });
   const processor = createVulnerabilityProcessor(ignoreConfig);
   return {
     name: "osv",
@@ -934,6 +1033,7 @@ function createNpmAuditClient(options = {}) {
   const npmConfig = options.npm ?? CONFIG_DEFAULTS.npm;
   const registryUrl = npmConfig.registryUrl ?? NPM_AUDIT_API.REGISTRY_URL;
   const timeout = npmConfig.timeoutMs ?? NPM_AUDIT_API.TIMEOUT_MS;
+  const failOnError = options.failOnScannerError ?? false;
   function deduplicatePackages(packages) {
     const packageMap = new Map;
     for (const pkg of packages) {
@@ -1012,8 +1112,16 @@ function createNpmAuditClient(options = {}) {
         const batchAdvisories = await executeBulkQuery(payload);
         advisories.push(...batchAdvisories);
       } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (failOnError) {
+          logger.error(`Batch query failed for ${batch.length} packages (strict mode)`, {
+            error: message,
+            startIndex: i
+          });
+          throw error;
+        }
         logger.error(`Batch query failed for ${batch.length} packages`, {
-          error: error instanceof Error ? error.message : String(error),
+          error: message,
           startIndex: i
         });
       }
@@ -1030,7 +1138,23 @@ function createNpmAuditClient(options = {}) {
     if (uniquePackages.length > NPM_AUDIT_API.MAX_PACKAGES_PER_REQUEST) {
       return await queryInBatches(uniquePackages);
     }
-    return await executeBulkQuery(requestPayload);
+    try {
+      return await executeBulkQuery(requestPayload);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (failOnError) {
+        logger.error(`Bulk query failed (strict mode)`, {
+          error: message,
+          packageCount: uniquePackages.length
+        });
+        throw error;
+      }
+      logger.error(`Bulk query failed`, {
+        error: message,
+        packageCount: uniquePackages.length
+      });
+      return [];
+    }
   }
   return {
     queryVulnerabilities
@@ -1176,6 +1300,8 @@ function createAdvisoryProcessor(ignoreConfig = {}) {
 function isNewOptionsFormat2(options) {
   if ("npm" in options)
     return true;
+  if ("failOnScannerError" in options)
+    return true;
   if ("ignore" in options && options.ignore && typeof options.ignore === "object" && !Array.isArray(options.ignore)) {
     return true;
   }
@@ -1184,14 +1310,32 @@ function isNewOptionsFormat2(options) {
 function createNpmSource(options = {}) {
   let ignoreConfig;
   let npmConfig;
+  let failOnScannerError;
   if (isNewOptionsFormat2(options)) {
-    ignoreConfig = options.ignore ?? {};
+    const ignoreFromOptions = options.ignore;
+    const packagesFromOptions = options.packages;
+    if (ignoreFromOptions !== undefined) {
+      if (Array.isArray(ignoreFromOptions)) {
+        ignoreConfig = { ignore: ignoreFromOptions, packages: packagesFromOptions };
+      } else {
+        ignoreConfig = {
+          ignore: ignoreFromOptions.ignore,
+          packages: ignoreFromOptions.packages ?? packagesFromOptions
+        };
+      }
+    } else if (packagesFromOptions !== undefined) {
+      ignoreConfig = { ignore: undefined, packages: packagesFromOptions };
+    } else {
+      ignoreConfig = {};
+    }
     npmConfig = options.npm;
+    failOnScannerError = options.failOnScannerError;
   } else {
     ignoreConfig = options;
     npmConfig = undefined;
+    failOnScannerError = undefined;
   }
-  const client = createNpmAuditClient({ npm: npmConfig });
+  const client = createNpmAuditClient({ npm: npmConfig, failOnScannerError });
   const processor = createAdvisoryProcessor(ignoreConfig);
   return {
     name: "npm",
@@ -1211,17 +1355,17 @@ function createNpmSource(options = {}) {
 function extractIgnoreConfig(config) {
   return { ignore: config.ignore, packages: config.packages };
 }
-function createSources(type, config) {
+function createSources(type, config, failOnScannerError) {
   const ignoreConfig = extractIgnoreConfig(config);
   switch (type) {
     case "osv":
-      return [createOSVSource({ ignore: ignoreConfig, osv: config.osv })];
+      return [createOSVSource({ ignore: ignoreConfig, osv: config.osv, failOnScannerError })];
     case "npm":
-      return [createNpmSource({ ignore: ignoreConfig, npm: config.npm })];
+      return [createNpmSource({ ignore: ignoreConfig, npm: config.npm, failOnScannerError })];
     case "both":
       return [
-        createOSVSource({ ignore: ignoreConfig, osv: config.osv }),
-        createNpmSource({ ignore: ignoreConfig, npm: config.npm })
+        createOSVSource({ ignore: ignoreConfig, osv: config.osv, failOnScannerError }),
+        createNpmSource({ ignore: ignoreConfig, npm: config.npm, failOnScannerError })
       ];
     default:
       throw new Error(`Unknown source type: ${type}`);
@@ -1229,10 +1373,11 @@ function createSources(type, config) {
 }
 
 // src/sources/multi.ts
-function createMultiSourceScanner(sources) {
+function createMultiSourceScanner(sources, options) {
   if (sources.length === 0) {
     throw new Error("MultiSourceScanner requires at least one source");
   }
+  const failOnError = options?.failOnScannerError ?? false;
   function isHigherSeverity(a, b) {
     const priority = { fatal: 2, warn: 1 };
     return (priority[a] ?? 0) > (priority[b] ?? 0);
@@ -1269,8 +1414,9 @@ function createMultiSourceScanner(sources) {
   async function scan(packages) {
     const sourceNames = sources.map((s) => s.name).join(", ");
     logger.info(`Scanning with sources: ${sourceNames}`);
-    const results = await Promise.allSettled(sources.map((source) => source.scan(packages)));
+    const results = await Promise.allSettled(sources.map((source) => Promise.resolve().then(() => source.scan(packages))));
     const allAdvisories = [];
+    const failures = [];
     for (const [i, result] of results.entries()) {
       const source = sources[i];
       if (!source)
@@ -1279,11 +1425,15 @@ function createMultiSourceScanner(sources) {
         logger.debug(`[${source.name}] Found ${result.value.length} advisories`);
         allAdvisories.push(...result.value);
       } else {
-        logger.error(`[${source.name}] Scan failed`, {
-          error: result.reason instanceof Error ? result.reason.message : String(result.reason)
-        });
+        const errorMessage = result.reason instanceof Error ? result.reason.message : String(result.reason);
+        logger.error(`[${source.name}] Scan failed`, { error: errorMessage });
+        failures.push({ name: source.name, error: errorMessage });
       }
     }
+    if (failOnError && failures.length > 0) {
+      const details = failures.map((f) => `${f.name}: ${f.error}`).join("; ");
+      throw new Error(`bun-scan: scan failed for ${failures.length === 1 ? "source" : "sources"} ` + `${failures.map((f) => `"${f.name}"`).join(", ")}. ` + `Details: ${details}. ` + `failOnScannerError=true requires all configured sources to succeed.`);
+    }
     return deduplicateAdvisories(allAdvisories);
   }
   return {
@@ -1295,12 +1445,16 @@ function createMultiSourceScanner(sources) {
 var scanner = {
   version: "1",
   async scan({ packages }) {
+    let failOnScannerError = parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR) === true;
     try {
       logger.debug(`Starting vulnerability scan for ${packages.length} packages`);
       const config = await loadConfig();
       const bunReportWarnings = config.bunReportWarnings ?? CONFIG_DEFAULTS.bunReportWarnings;
-      const sources = createSources(config.source ?? "osv", config);
-      const multiScanner = createMultiSourceScanner(sources);
+      if (parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR) === undefined) {
+        failOnScannerError = config.failOnScannerError ?? failOnScannerError;
+      }
+      const sources = createSources(config.source ?? "osv", config, failOnScannerError);
+      const multiScanner = createMultiSourceScanner(sources, { failOnScannerError });
       const advisories = await multiScanner.scan(packages);
       logger.info(`Scan completed: ${advisories.length} advisories found for ${packages.length} packages`);
       if (!bunReportWarnings) {
@@ -1318,6 +1472,12 @@ var scanner = {
       return advisories;
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
+      if (failOnScannerError) {
+        logger.error("Scanner error in strict mode \u2014 failing scan", {
+          error: message
+        });
+        throw error;
+      }
       logger.error("Scanner encountered an unexpected error", {
         error: message
       });

package/dist/index.d.ts

@@ -64,7 +64,7 @@ export declare const DEFAULT_RETRY_CONFIG: RetryConfig
 export declare function withRetry<T>(
   operation: () => Promise<T>,
   operationName: string,
-  config?: Partial<RetryConfig>,
+  config?: RetryConfig,
 ): Promise<T>
 
 // ============================================================================
@@ -86,6 +86,12 @@ export interface Config {
   source?: SourceType
   ignore?: string[]
   packages?: Record<string, IgnorePackageRule>
+  logLevel?: "debug" | "info" | "warn" | "error"
+  bunReportWarnings?: boolean
+  /** Fail on scanner errors (block install). Env var overrides config file (escape hatch). */
+  failOnScannerError?: boolean
+  osv?: OsvConfig
+  npm?: NpmConfig
 }
 
 export interface OsvConfig {
@@ -94,9 +100,29 @@ export interface OsvConfig {
   disableBatch?: boolean
 }
 
+export interface NpmConfig {
+  registryUrl?: string
+  timeoutMs?: number
+}
+
 export interface CreateOSVSourceOptions {
-  ignore?: IgnoreConfig
+  /** Legacy array form or new object form */
+  ignore?: IgnoreConfig | string[]
+  /** Legacy packages config (when ignore is not an object) */
+  packages?: Record<string, IgnorePackageRule>
   osv?: OsvConfig
+  /** When true, throw on internal errors (batch/query failures) instead of continuing with partial results */
+  failOnScannerError?: boolean
+}
+
+export interface CreateNpmSourceOptions {
+  /** Legacy array form or new object form */
+  ignore?: IgnoreConfig | string[]
+  /** Legacy packages config (when ignore is not an object) */
+  packages?: Record<string, IgnorePackageRule>
+  npm?: NpmConfig
+  /** When true, throw on internal errors (batch/query failures) instead of continuing with partial results */
+  failOnScannerError?: boolean
 }
 
 export interface CompiledPackageRule {
@@ -110,6 +136,24 @@ export interface CompiledIgnoreConfig {
   packages: Map<string, CompiledPackageRule>
 }
 
+export interface ConfigDefaults {
+  readonly logLevel: "debug" | "info" | "warn" | "error"
+  readonly bunReportWarnings: boolean
+  readonly failOnScannerError: boolean
+  readonly osv: {
+    readonly apiBaseUrl: string
+    readonly timeoutMs: number
+    readonly disableBatch: boolean
+  }
+  readonly npm: {
+    readonly registryUrl: string
+    readonly timeoutMs: number
+  }
+}
+
+/** Default configuration values */
+export declare const CONFIG_DEFAULTS: ConfigDefaults
+
 /** Zod schema for ignore config validation */
 export declare const IgnoreConfigSchema: z.ZodObject<{
   ignore: z.ZodOptional<z.ZodArray<z.ZodString>>
@@ -139,6 +183,22 @@ export declare const ConfigSchema: z.ZodObject<{
       }>
     >
   >
+  logLevel: z.ZodOptional<z.ZodEnum<["debug", "info", "warn", "error"]>>
+  bunReportWarnings: z.ZodOptional<z.ZodBoolean>
+  failOnScannerError: z.ZodOptional<z.ZodBoolean>
+  osv: z.ZodOptional<
+    z.ZodObject<{
+      apiBaseUrl: z.ZodOptional<z.ZodString>
+      timeoutMs: z.ZodOptional<z.ZodNumber>
+      disableBatch: z.ZodOptional<z.ZodBoolean>
+    }>
+  >
+  npm: z.ZodOptional<
+    z.ZodObject<{
+      registryUrl: z.ZodOptional<z.ZodString>
+      timeoutMs: z.ZodOptional<z.ZodNumber>
+    }>
+  >
 }>
 
 /** Load config from .bun-scan.json or .bun-scan.config.json */
@@ -149,11 +209,11 @@ export declare function compileIgnoreConfig(config: IgnoreConfig): CompiledIgnor
 
 /** Check if a vulnerability should be ignored */
 export declare function shouldIgnoreVulnerability(
-  compiledConfig: CompiledIgnoreConfig,
   vulnId: string,
-  packageName: string,
-  aliases?: string[],
-): boolean
+  vulnAliases: string[] | undefined,
+  packageName: string | undefined,
+  config: CompiledIgnoreConfig,
+): { ignored: boolean; reason?: string }
 
 // ============================================================================
 // Source Factories
@@ -165,15 +225,22 @@ export declare function createOSVSource(
 ): VulnerabilitySource
 
 /** Create an npm audit vulnerability source */
-export declare function createNpmSource(config?: IgnoreConfig): VulnerabilitySource
+export declare function createNpmSource(
+  options?: CreateNpmSourceOptions | IgnoreConfig,
+): VulnerabilitySource
 
 /** Create a vulnerability source by type */
-export declare function createSource(type: SourceType, config?: IgnoreConfig): VulnerabilitySource
+export declare function createSource(
+  type: "osv" | "npm",
+  config: Config,
+  failOnScannerError?: boolean,
+): VulnerabilitySource
 
 /** Create all sources for a given type (both = OSV + npm) */
 export declare function createSources(
   type: SourceType,
-  config?: IgnoreConfig,
+  config: Config,
+  failOnScannerError?: boolean,
 ): VulnerabilitySource[]
 
 // ============================================================================
@@ -184,8 +251,17 @@ export interface MultiSourceScanner {
   scan(packages: Bun.Security.Package[]): Promise<Bun.Security.Advisory[]>
 }
 
+/** Options for multi-source scanner */
+export interface MultiSourceScannerOptions {
+  /** When true, throw if any configured source fails */
+  failOnScannerError?: boolean
+}
+
 /** Create a scanner that queries multiple sources in parallel */
-export declare function createMultiSourceScanner(sources: VulnerabilitySource[]): MultiSourceScanner
+export declare function createMultiSourceScanner(
+  sources: VulnerabilitySource[],
+  options?: MultiSourceScannerOptions,
+): MultiSourceScanner
 
 // ============================================================================
 // Main Scanner Export

package/dist/index.js

@@ -1,12 +1,16 @@
 // @bun
 var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, {
       get: all[name],
       enumerable: true,
       configurable: true,
-      set: (newValue) => all[name] = () => newValue
+      set: __exportSetter.bind(all, name)
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
@@ -44,7 +48,8 @@ var init_constants = __esm(() => {
     LOG_LEVEL: "BUN_SCAN_LOG_LEVEL",
     API_BASE_URL: "OSV_API_BASE_URL",
     TIMEOUT_MS: "OSV_TIMEOUT_MS",
-    DISABLE_BATCH: "OSV_DISABLE_BATCH"
+    DISABLE_BATCH: "OSV_DISABLE_BATCH",
+    FAIL_ON_SCANNER_ERROR: "BUN_SCAN_FAIL_ON_SCANNER_ERROR"
   };
 });
 
@@ -179,6 +184,7 @@ function parseEnvLogLevel(envVar) {
 function buildEnvConfig() {
   return {
     logLevel: parseEnvLogLevel(ENV.LOG_LEVEL),
+    failOnScannerError: parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR),
     osv: {
       apiBaseUrl: Bun.env[ENV.API_BASE_URL] || undefined,
       timeoutMs: parseEnvNumber(ENV.TIMEOUT_MS),
@@ -196,11 +202,14 @@ function mergeConfig(fileConfig) {
     source: DEFAULT_SOURCE,
     logLevel: CONFIG_DEFAULTS.logLevel,
     bunReportWarnings: CONFIG_DEFAULTS.bunReportWarnings,
+    failOnScannerError: CONFIG_DEFAULTS.failOnScannerError,
     osv: { ...CONFIG_DEFAULTS.osv },
     npm: { ...CONFIG_DEFAULTS.npm }
   };
   if (envConfig.logLevel !== undefined)
     merged.logLevel = envConfig.logLevel;
+  if (envConfig.failOnScannerError !== undefined)
+    merged.failOnScannerError = envConfig.failOnScannerError;
   if (envConfig.osv?.apiBaseUrl !== undefined)
     merged.osv.apiBaseUrl = envConfig.osv.apiBaseUrl;
   if (envConfig.osv?.timeoutMs !== undefined)
@@ -222,6 +231,8 @@ function mergeConfig(fileConfig) {
       merged.logLevel = fileConfig.logLevel;
     if (fileConfig.bunReportWarnings !== undefined)
       merged.bunReportWarnings = fileConfig.bunReportWarnings;
+    if (fileConfig.failOnScannerError !== undefined)
+      merged.failOnScannerError = fileConfig.failOnScannerError;
     if (fileConfig.osv?.apiBaseUrl !== undefined)
       merged.osv.apiBaseUrl = fileConfig.osv.apiBaseUrl;
     if (fileConfig.osv?.timeoutMs !== undefined)
@@ -233,18 +244,22 @@ function mergeConfig(fileConfig) {
     if (fileConfig.npm?.timeoutMs !== undefined)
       merged.npm.timeoutMs = fileConfig.npm.timeoutMs;
   }
+  if (envConfig.failOnScannerError !== undefined) {
+    merged.failOnScannerError = envConfig.failOnScannerError;
+  }
   return merged;
 }
 async function loadConfig() {
+  const strictBootstrap = parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR) === true;
   for (const filename of CONFIG_FILES) {
-    const config = await tryLoadConfigFile(filename);
+    const config = await tryLoadConfigFile(filename, { fatalOnError: strictBootstrap });
     if (config) {
       return mergeConfig(config);
     }
   }
   return mergeConfig(null);
 }
-async function tryLoadConfigFile(filename) {
+async function tryLoadConfigFile(filename, options) {
   try {
     const file = Bun.file(filename);
     const exists = await file.exists();
@@ -257,6 +272,18 @@ async function tryLoadConfigFile(filename) {
     logConfigStats(parsed);
     return parsed;
   } catch (error) {
+    const isENOENT = error instanceof Error && ("code" in error ? error.code === "ENOENT" : error.message.includes("No such file"));
+    if (options?.fatalOnError) {
+      if (isENOENT) {
+        return null;
+      }
+      logger.error(`Failed to read config file ${filename}`, {
+        error: error instanceof Error ? error.message : String(error),
+        stack: error instanceof Error ? error.stack : undefined
+      });
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`bun-scan: failed to load config file ${filename}: ${message}. ` + `BUN_SCAN_FAIL_ON_SCANNER_ERROR=true makes config errors fatal.`);
+    }
     if (error instanceof z.ZodError) {
       logger.warn(`Invalid config in ${filename}`, {
         errors: error.issues.map((e) => `${e.path.join(".")}: ${e.message}`)
@@ -265,6 +292,13 @@ async function tryLoadConfigFile(filename) {
       logger.warn(`Failed to parse ${filename} as JSON`, {
         error: error.message
       });
+    } else if (isENOENT) {
+      logger.debug(`Config file ${filename} not found (race condition handled)`);
+    } else {
+      logger.warn(`Failed to read config file ${filename}`, {
+        error: error instanceof Error ? error.message : String(error),
+        stack: error instanceof Error ? error.stack : undefined
+      });
     }
     return null;
   }
@@ -315,6 +349,7 @@ var init_config = __esm(() => {
   CONFIG_DEFAULTS = {
     logLevel: "info",
     bunReportWarnings: true,
+    failOnScannerError: false,
     osv: {
       apiBaseUrl: OSV_API.BASE_URL,
       timeoutMs: OSV_API.TIMEOUT_MS,
@@ -349,6 +384,7 @@ var init_config = __esm(() => {
     packages: z.record(z.string(), IgnorePackageRuleSchema).optional(),
     logLevel: z.enum(["debug", "info", "warn", "error"]).optional(),
     bunReportWarnings: z.boolean().optional(),
+    failOnScannerError: z.boolean().optional(),
     osv: OsvConfigSchema.optional(),
     npm: NpmConfigSchema.optional()
   });
@@ -447,6 +483,7 @@ function createOSVClient(options = {}) {
   const baseUrl = osvConfig.apiBaseUrl ?? OSV_API.BASE_URL;
   const timeout = osvConfig.timeoutMs ?? OSV_API.TIMEOUT_MS;
   const useBatch = !(osvConfig.disableBatch ?? false);
+  const failOnError = options.failOnScannerError ?? false;
   function deduplicatePackages(packages) {
     const packageMap = new Map;
     for (const pkg of packages) {
@@ -505,8 +542,15 @@ function createOSVClient(options = {}) {
         return OSVVulnerabilitySchema.parse(data);
       }, `Get vulnerability ${id}`);
     } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (failOnError) {
+        logger.error(`Failed to fetch vulnerability ${id} (strict mode)`, {
+          error: message
+        });
+        throw error;
+      }
       logger.warn(`Failed to fetch vulnerability ${id}`, {
-        error: error instanceof Error ? error.message : String(error)
+        error: message
       });
       return null;
     }
@@ -521,6 +565,18 @@ function createOSVClient(options = {}) {
     for (let i = 0;i < uniqueIds.length; i += chunkSize) {
       const chunk = uniqueIds.slice(i, i + chunkSize);
       const chunkResults = await Promise.allSettled(chunk.map((id) => fetchSingleVulnerability(id)));
+      if (failOnError) {
+        const rejections = chunkResults.filter((r) => r.status === "rejected");
+        if (rejections.length > 0) {
+          const firstError = rejections[0].reason;
+          const message = firstError instanceof Error ? firstError.message : String(firstError);
+          logger.error(`Failed to fetch vulnerability details (strict mode)`, {
+            error: message,
+            failedCount: rejections.length
+          });
+          throw firstError;
+        }
+      }
       for (const result of chunkResults) {
         if (result.status === "fulfilled" && result.value) {
           vulnerabilities.push(result.value);
@@ -538,8 +594,16 @@ function createOSVClient(options = {}) {
         const batchIds = await executeBatchQuery(batchQueries);
         vulnerabilityIds.push(...batchIds);
       } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (failOnError) {
+          logger.error(`Batch query failed for ${batchQueries.length} packages (strict mode)`, {
+            error: message,
+            startIndex: i
+          });
+          throw error;
+        }
         logger.error(`Batch query failed for ${batchQueries.length} packages`, {
-          error: error instanceof Error ? error.message : String(error),
+          error: message,
           startIndex: i
         });
       }
@@ -577,8 +641,15 @@ function createOSVClient(options = {}) {
           break;
         }
       } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (failOnError) {
+          logger.error(`Query failed for ${query.package?.name || "unknown"}@${query.version || "unknown"} (strict mode)`, {
+            error: message
+          });
+          throw error;
+        }
         logger.warn(`Query failed for ${query.package?.name || "unknown"}@${query.version || "unknown"}`, {
-          error: error instanceof Error ? error.message : String(error)
+          error: message
         });
         break;
       }
@@ -587,6 +658,18 @@ function createOSVClient(options = {}) {
   }
   async function queryIndividually(queries) {
     const responses = await Promise.allSettled(queries.map((query) => querySinglePackage(query)));
+    if (failOnError) {
+      const rejections = responses.filter((r) => r.status === "rejected");
+      if (rejections.length > 0) {
+        const firstError = rejections[0].reason;
+        const message = firstError instanceof Error ? firstError.message : String(firstError);
+        logger.error(`Individual query failed (strict mode)`, {
+          error: message,
+          failedCount: rejections.length
+        });
+        throw firstError;
+      }
+    }
     const vulnerabilities = [];
     let successCount = 0;
     for (const response of responses) {
@@ -901,6 +984,8 @@ var init_processor = __esm(() => {
 function isNewOptionsFormat(options) {
   if ("osv" in options)
     return true;
+  if ("failOnScannerError" in options)
+    return true;
   if ("ignore" in options && options.ignore && typeof options.ignore === "object" && !Array.isArray(options.ignore)) {
     return true;
   }
@@ -909,14 +994,32 @@ function isNewOptionsFormat(options) {
 function createOSVSource(options = {}) {
   let ignoreConfig;
   let osvConfig;
+  let failOnScannerError;
   if (isNewOptionsFormat(options)) {
-    ignoreConfig = options.ignore ?? {};
+    const ignoreFromOptions = options.ignore;
+    const packagesFromOptions = options.packages;
+    if (ignoreFromOptions !== undefined) {
+      if (Array.isArray(ignoreFromOptions)) {
+        ignoreConfig = { ignore: ignoreFromOptions, packages: packagesFromOptions };
+      } else {
+        ignoreConfig = {
+          ignore: ignoreFromOptions.ignore,
+          packages: ignoreFromOptions.packages ?? packagesFromOptions
+        };
+      }
+    } else if (packagesFromOptions !== undefined) {
+      ignoreConfig = { ignore: undefined, packages: packagesFromOptions };
+    } else {
+      ignoreConfig = {};
+    }
     osvConfig = options.osv;
+    failOnScannerError = options.failOnScannerError;
   } else {
     ignoreConfig = options;
     osvConfig = undefined;
+    failOnScannerError = undefined;
   }
-  const client = createOSVClient({ osv: osvConfig });
+  const client = createOSVClient({ osv: osvConfig, failOnScannerError });
   const processor = createVulnerabilityProcessor(ignoreConfig);
   return {
     name: "osv",
@@ -1005,6 +1108,7 @@ function createNpmAuditClient(options = {}) {
   const npmConfig = options.npm ?? CONFIG_DEFAULTS.npm;
   const registryUrl = npmConfig.registryUrl ?? NPM_AUDIT_API.REGISTRY_URL;
   const timeout = npmConfig.timeoutMs ?? NPM_AUDIT_API.TIMEOUT_MS;
+  const failOnError = options.failOnScannerError ?? false;
   function deduplicatePackages(packages) {
     const packageMap = new Map;
     for (const pkg of packages) {
@@ -1083,8 +1187,16 @@ function createNpmAuditClient(options = {}) {
         const batchAdvisories = await executeBulkQuery(payload);
         advisories.push(...batchAdvisories);
       } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (failOnError) {
+          logger.error(`Batch query failed for ${batch.length} packages (strict mode)`, {
+            error: message,
+            startIndex: i
+          });
+          throw error;
+        }
         logger.error(`Batch query failed for ${batch.length} packages`, {
-          error: error instanceof Error ? error.message : String(error),
+          error: message,
           startIndex: i
         });
       }
@@ -1101,7 +1213,23 @@ function createNpmAuditClient(options = {}) {
     if (uniquePackages.length > NPM_AUDIT_API.MAX_PACKAGES_PER_REQUEST) {
       return await queryInBatches(uniquePackages);
     }
-    return await executeBulkQuery(requestPayload);
+    try {
+      return await executeBulkQuery(requestPayload);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (failOnError) {
+        logger.error(`Bulk query failed (strict mode)`, {
+          error: message,
+          packageCount: uniquePackages.length
+        });
+        throw error;
+      }
+      logger.error(`Bulk query failed`, {
+        error: message,
+        packageCount: uniquePackages.length
+      });
+      return [];
+    }
   }
   return {
     queryVulnerabilities
@@ -1261,6 +1389,8 @@ var init_processor2 = __esm(() => {
 function isNewOptionsFormat2(options) {
   if ("npm" in options)
     return true;
+  if ("failOnScannerError" in options)
+    return true;
   if ("ignore" in options && options.ignore && typeof options.ignore === "object" && !Array.isArray(options.ignore)) {
     return true;
   }
@@ -1269,14 +1399,32 @@ function isNewOptionsFormat2(options) {
 function createNpmSource(options = {}) {
   let ignoreConfig;
   let npmConfig;
+  let failOnScannerError;
   if (isNewOptionsFormat2(options)) {
-    ignoreConfig = options.ignore ?? {};
+    const ignoreFromOptions = options.ignore;
+    const packagesFromOptions = options.packages;
+    if (ignoreFromOptions !== undefined) {
+      if (Array.isArray(ignoreFromOptions)) {
+        ignoreConfig = { ignore: ignoreFromOptions, packages: packagesFromOptions };
+      } else {
+        ignoreConfig = {
+          ignore: ignoreFromOptions.ignore,
+          packages: ignoreFromOptions.packages ?? packagesFromOptions
+        };
+      }
+    } else if (packagesFromOptions !== undefined) {
+      ignoreConfig = { ignore: undefined, packages: packagesFromOptions };
+    } else {
+      ignoreConfig = {};
+    }
     npmConfig = options.npm;
+    failOnScannerError = options.failOnScannerError;
   } else {
     ignoreConfig = options;
     npmConfig = undefined;
+    failOnScannerError = undefined;
   }
-  const client = createNpmAuditClient({ npm: npmConfig });
+  const client = createNpmAuditClient({ npm: npmConfig, failOnScannerError });
   const processor = createAdvisoryProcessor(ignoreConfig);
   return {
     name: "npm",
@@ -1306,28 +1454,28 @@ var init_src3 = __esm(() => {
 function extractIgnoreConfig(config) {
   return { ignore: config.ignore, packages: config.packages };
 }
-function createSource(type, config) {
+function createSource(type, config, failOnScannerError) {
   const ignoreConfig = extractIgnoreConfig(config);
   switch (type) {
     case "osv":
-      return createOSVSource({ ignore: ignoreConfig, osv: config.osv });
+      return createOSVSource({ ignore: ignoreConfig, osv: config.osv, failOnScannerError });
     case "npm":
-      return createNpmSource({ ignore: ignoreConfig, npm: config.npm });
+      return createNpmSource({ ignore: ignoreConfig, npm: config.npm, failOnScannerError });
     default:
       throw new Error(`Unknown source type: ${type}`);
   }
 }
-function createSources(type, config) {
+function createSources(type, config, failOnScannerError) {
   const ignoreConfig = extractIgnoreConfig(config);
   switch (type) {
     case "osv":
-      return [createOSVSource({ ignore: ignoreConfig, osv: config.osv })];
+      return [createOSVSource({ ignore: ignoreConfig, osv: config.osv, failOnScannerError })];
     case "npm":
-      return [createNpmSource({ ignore: ignoreConfig, npm: config.npm })];
+      return [createNpmSource({ ignore: ignoreConfig, npm: config.npm, failOnScannerError })];
     case "both":
       return [
-        createOSVSource({ ignore: ignoreConfig, osv: config.osv }),
-        createNpmSource({ ignore: ignoreConfig, npm: config.npm })
+        createOSVSource({ ignore: ignoreConfig, osv: config.osv, failOnScannerError }),
+        createNpmSource({ ignore: ignoreConfig, npm: config.npm, failOnScannerError })
       ];
     default:
       throw new Error(`Unknown source type: ${type}`);
@@ -1339,10 +1487,11 @@ var init_factory = __esm(() => {
 });
 
 // src/sources/multi.ts
-function createMultiSourceScanner(sources) {
+function createMultiSourceScanner(sources, options) {
   if (sources.length === 0) {
     throw new Error("MultiSourceScanner requires at least one source");
   }
+  const failOnError = options?.failOnScannerError ?? false;
   function isHigherSeverity(a, b) {
     const priority = { fatal: 2, warn: 1 };
     return (priority[a] ?? 0) > (priority[b] ?? 0);
@@ -1379,8 +1528,9 @@ function createMultiSourceScanner(sources) {
   async function scan(packages) {
     const sourceNames = sources.map((s) => s.name).join(", ");
     logger.info(`Scanning with sources: ${sourceNames}`);
-    const results = await Promise.allSettled(sources.map((source) => source.scan(packages)));
+    const results = await Promise.allSettled(sources.map((source) => Promise.resolve().then(() => source.scan(packages))));
     const allAdvisories = [];
+    const failures = [];
     for (const [i, result] of results.entries()) {
       const source = sources[i];
       if (!source)
@@ -1389,11 +1539,15 @@ function createMultiSourceScanner(sources) {
         logger.debug(`[${source.name}] Found ${result.value.length} advisories`);
         allAdvisories.push(...result.value);
       } else {
-        logger.error(`[${source.name}] Scan failed`, {
-          error: result.reason instanceof Error ? result.reason.message : String(result.reason)
-        });
+        const errorMessage = result.reason instanceof Error ? result.reason.message : String(result.reason);
+        logger.error(`[${source.name}] Scan failed`, { error: errorMessage });
+        failures.push({ name: source.name, error: errorMessage });
       }
     }
+    if (failOnError && failures.length > 0) {
+      const details = failures.map((f) => `${f.name}: ${f.error}`).join("; ");
+      throw new Error(`bun-scan: scan failed for ${failures.length === 1 ? "source" : "sources"} ` + `${failures.map((f) => `"${f.name}"`).join(", ")}. ` + `Details: ${details}. ` + `failOnScannerError=true requires all configured sources to succeed.`);
+    }
     return deduplicateAdvisories(allAdvisories);
   }
   return {
@@ -1567,12 +1721,16 @@ var init_src4 = __esm(async () => {
   scanner = {
     version: "1",
     async scan({ packages }) {
+      let failOnScannerError = parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR) === true;
       try {
         logger.debug(`Starting vulnerability scan for ${packages.length} packages`);
         const config = await loadConfig();
         const bunReportWarnings = config.bunReportWarnings ?? CONFIG_DEFAULTS.bunReportWarnings;
-        const sources = createSources(config.source ?? "osv", config);
-        const multiScanner = createMultiSourceScanner(sources);
+        if (parseEnvBoolean(ENV.FAIL_ON_SCANNER_ERROR) === undefined) {
+          failOnScannerError = config.failOnScannerError ?? failOnScannerError;
+        }
+        const sources = createSources(config.source ?? "osv", config, failOnScannerError);
+        const multiScanner = createMultiSourceScanner(sources, { failOnScannerError });
         const advisories = await multiScanner.scan(packages);
         logger.info(`Scan completed: ${advisories.length} advisories found for ${packages.length} packages`);
         if (!bunReportWarnings) {
@@ -1590,6 +1748,12 @@ var init_src4 = __esm(async () => {
         return advisories;
       } catch (error) {
         const message = error instanceof Error ? error.message : String(error);
+        if (failOnScannerError) {
+          logger.error("Scanner error in strict mode \u2014 failing scan", {
+            error: message
+          });
+          throw error;
+        }
         logger.error("Scanner encountered an unexpected error", {
           error: message
         });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bun-scan",
-  "version": "1.1.0",
+  "version": "1.1.1-beta.1",
   "description": "Vulnerability scanner for Bun projects",
   "keywords": [
     "audit",
@@ -49,15 +49,15 @@
     "lint": "oxlint check"
   },
   "dependencies": {
-    "zod": "4.3.5"
+    "zod": "4.3.6"
   },
   "devDependencies": {
     "@repo/core": "workspace:*",
     "@repo/source-npm": "workspace:*",
     "@repo/source-osv": "workspace:*",
-    "@types/bun": "1.3.6",
-    "@typescript/native-preview": "7.0.0-dev.20260114.1",
-    "bun-types": "1.3.6"
+    "@types/bun": "1.3.8",
+    "@typescript/native-preview": "7.0.0-dev.20260131.1",
+    "bun-types": "1.3.8"
   },
   "engines": {
     "bun": ">=1.0.0"