
Bun install skips all processing if a security scanner is present and project has a lot of packages #27716

@neilemms

Description

What version of Bun is running?

1.3.10

What platform is your computer?

Linux 6.6.87.2-microsoft-standard-WSL2 x86_64 x86_64

What steps can reproduce the bug?

A project containing a very large number of packages (I have a monorepo with a total package count of 1473. I know that 770 packages work fine).

Set up a security scanner in bunfig.toml and dev dependencies. Example:

# Configure scanner in bunfig.toml
cat > bunfig.toml << 'EOF'
[install.security]
scanner = "@socketsecurity/bun-security-scanner"
EOF

# Install the scanner
bun add -d @socketsecurity/bun-security-scanner

Add a large number of packages to the project. Example:

bun add react-native react @react-navigation/native @react-navigation/stack \
  @react-navigation/bottom-tabs @tanstack/react-query axios \
  @testing-library/react-native jest zod zustand @supabase/supabase-js \
  @sentry/react-native @shopify/flash-list lottie-react-native \
  @gorhom/bottom-sheet react-native-reanimated react-native-gesture-handler \
  react-native-screens react-native-svg @shopify/react-native-skia \
  react-native-webview react-native-mmkv react-native-safe-area-context \
  react-native-pager-view echarts @babel/core babel-preset-expo \
  tailwindcss postcss @nestjs/common @nestjs/core @nestjs/platform-express

# Test bun install - this WORKS
bun install

What is the expected behavior?

The packages should be installed and security scanned.

What do you see instead?

The install instantly returns, without any errors. But it doesn't create the node_modules folder or the bun.lock file.

$ bun install --ignore-scripts
bun install v1.3.10 (30e609e0)

Using bun install --verbose I see typical output without errors. At the end of the output is:

...
Clean lockfile: 747 packages - 747 packages in 3ms
[SecurityProvider] Running at '@socketsecurity/bun-security-scanner'
[SecurityProvider] top_level_dir: '/home/test/test-scanner'
[SecurityProvider] original_cwd: '/home/test/test-scanner'

No bun.lock or node_modules folders have been created.

Additional information

If I remove the security scanner the install works as expected.
If I reduce the number of packages, the install works as expected.

This problem showed when I moved to a monorepo setup, as the package count is for the entire monorepo and not a single app any longer.
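The failure mode described above is a silent one: `bun install` exits cleanly but leaves no bun.lock and no node_modules, so nothing was installed and the configured scanner cannot have vetted anything. The following is an added example, not code from the issue or from the Bun project: a small POSIX sh post-install guard for CI that fails the job when the install artifacts are missing or when the verbose log shows no `[SecurityProvider] Running at` line. The log format it parses is the one quoted in the issue; the directory layout and the sample log used in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the issue or of Bun itself): a post-install guard
# for CI. It treats a "bun install" that exits 0 but leaves no bun.lock and no
# node_modules as a failure, because in that state nothing was installed and
# the configured security scanner could not have vetted anything.
#
# Assumptions: the verbose log contains the "[SecurityProvider] Running at"
# line shown in the issue when the scanner is invoked, and a
# "Clean lockfile: N packages" line; paths and logs are constructed here.

# Returns 0 when both bun.lock and node_modules exist under $1, 1 otherwise.
install_artifacts_present() {
  dir="$1"
  [ -f "$dir/bun.lock" ] && [ -d "$dir/node_modules" ]
}

# Inspects a verbose install log and prints "<scanner_ran> <package_count>".
# scanner_ran is 1 if the scanner was invoked, else 0; package_count is the
# number from the "Clean lockfile" line, or 0 when that line is absent.
summarize_install_log() {
  log="$1"
  scanner_ran=0
  if grep -q '^\[SecurityProvider\] Running at ' "$log"; then
    scanner_ran=1
  fi
  count=$(sed -n 's/^Clean lockfile: \([0-9][0-9]*\) packages.*/\1/p' "$log" | head -n 1)
  [ -n "$count" ] || count=0
  echo "$scanner_ran $count"
}

# Overall verdict. Exit status:
#   0  artifacts present and the scanner ran
#   1  artifacts missing (the silent failure reported in the issue)
#   2  artifacts present but the scanner never ran (packages went unscanned)
verify_bun_install() {
  dir="$1"
  log="$2"
  if ! install_artifacts_present "$dir"; then
    echo "FAIL: no bun.lock/node_modules under $dir; nothing was installed or scanned" >&2
    return 1
  fi
  set -- $(summarize_install_log "$log")
  if [ "$1" -ne 1 ]; then
    echo "FAIL: security scanner did not run ($2 packages installed unscanned)" >&2
    return 2
  fi
  echo "OK: $2 packages installed, scanner invoked"
  return 0
}

# Usage in a CI step (constructed):
#   bun install --verbose 2>&1 | tee install.log
#   verify_bun_install "$PWD" install.log || exit 1
```

Wiring this after the install step turns the "instantly returns, without any errors" symptom into a red build instead of a green one, and the distinct exit codes let the job distinguish "nothing installed" from "installed but not scanned".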
