
From 23 to 0 Vulnerabilities: How I Hardened a Next.js 16 App with Bun

Raul M. Guajardo · 3 min read
Tags: Bun, Next.js, Security, Dependencies, TypeScript

A practical walkthrough of reducing dependency vulnerabilities from 23 to 0 using Bun audit, targeted upgrades, transitive overrides, and full regression checks.


Security work often sounds abstract until you have a real number in front of you.

In my case, bun audit reported 23 vulnerabilities in a Next.js 16 codebase. Instead of stopping at direct dependency updates, I pushed through the full chain: upgrades, transitive dependency overrides, and regression validation.

Final result:

  • Started at 23 vulnerabilities
  • Reduced to 15 vulnerabilities after direct updates
  • Finished at 0 vulnerabilities after targeted transitive overrides
  • Kept the app stable: all tests passing and production build successful

Step 1: Start with Direct Dependencies

The first pass was straightforward: update the direct packages most likely to pull in patched dependency trees, then let Bun refresh the rest of the lockfile within the ranges package.json already allows.

bun add next@16.2.1 @next/mdx@16.2.1 next-intl@4.8.3 resend@6.9.4
bun add -d eslint-config-next@16.2.1
bun update

This removed the most visible framework-level advisories (the Next.js ones included), but it did not clear the entire graph: a direct update only helps when the updated package itself requests a fixed version of the transitive dependency.

Step 2: Re-Audit and Triage Remaining Risk

After direct updates, Bun still flagged transitive issues, mainly in packages like:

  • minimatch
  • brace-expansion
  • picomatch
  • yaml
  • flatted

At this point, the key move was to pin the flagged transitive packages to fixed versions explicitly, instead of waiting for every parent package to release a new version and for that release to be adopted all the way up the chain.

Step 3: Use Transitive Overrides in package.json

I added targeted overrides at the root level:

"overrides": {
  "minimatch": "3.1.4",
  "brace-expansion": "1.1.13",
  "picomatch": "2.3.2",
  "yaml": "2.8.3",
  "flatted": "3.4.2"
}

An override replaces whatever version a parent package asked for, so keep each pin inside the major version the parents already request; a major bump forced through an override can break a parent at runtime even though the audit comes back clean. Bun honours both the npm-style "overrides" key and the Yarn-style "resolutions" key. Then reinstall so the lockfile reflects the pins, and re-audit:

bun install
bun audit

Audit output: No vulnerabilities found.

Step 4: Verify Functionality, Not Just Security

A clean audit is only half the job. Dependency changes can introduce subtle regressions, so I ran full checks:

bun run test
bun run build

Validation results:

  • Test suites: 27/27 passing
  • Tests: 214/214 passing
  • Next.js production build: successful
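As an added example (not code from the original post), here is the check a practitioner would want to keep after Step 4: a small TypeScript gate that runs bun audit --json, fails the build for any advisory at or above a chosen severity, and flags any package.json override whose pinned package is still reported, meaning the pin landed inside the vulnerable range. It assumes that bun audit --json prints an object keyed by package name whose values are arrays of advisories carrying severity, title, url and vulnerable_versions (the npm bulk-advisory shape); the sample audit embedded in the block is constructed, and the function names are my own.

```typescript
// Added example: CI gate over `bun audit --json`. Not code from the original post.
// Assumption: the JSON is an object keyed by package name, each value an array
// of advisories with `severity`, `title`, `url` and `vulnerable_versions`.
import { spawnSync } from "node:child_process";
import { readFileSync } from "node:fs";

export type Severity = "low" | "moderate" | "high" | "critical";

export interface Advisory {
  pkg: string;
  severity: Severity;
  title: string;
  url: string;
  vulnerableVersions: string;
}

const RANK: Record<Severity, number> = { low: 0, moderate: 1, high: 2, critical: 3 };

// Flatten the per-package map into one list. An entry with a missing or unknown
// severity is treated as "high" so that malformed data fails closed.
export function parseAudit(json: string): Advisory[] {
  const raw = JSON.parse(json) as Record<string, Array<Record<string, unknown>>>;
  const out: Advisory[] = [];
  for (const [pkg, entries] of Object.entries(raw)) {
    for (const e of entries ?? []) {
      const sev = String(e.severity ?? "").toLowerCase();
      out.push({
        pkg,
        severity: (sev in RANK ? sev : "high") as Severity,
        title: String(e.title ?? ""),
        url: String(e.url ?? ""),
        vulnerableVersions: String(e.vulnerable_versions ?? "*"),
      });
    }
  }
  return out;
}

// Advisories at or above the threshold; any of these should fail the pipeline.
export function failing(advisories: Advisory[], threshold: Severity): Advisory[] {
  return advisories.filter((a) => RANK[a.severity] >= RANK[threshold]);
}

// Packages that carry an override in package.json yet are still reported after
// `bun install`: the pinned version is itself inside the vulnerable range.
export function ineffectiveOverrides(
  overrides: Record<string, string>,
  advisories: Advisory[],
): string[] {
  const flagged = new Set(advisories.map((a) => a.pkg));
  return Object.keys(overrides).filter((p) => flagged.has(p)).sort();
}

// Constructed sample output (not real advisory data) in the assumed shape.
export const SAMPLE_AUDIT = JSON.stringify({
  minimatch: [{ severity: "high", title: "sample advisory A", url: "https://example.invalid/a", vulnerable_versions: "<3.1.4" }],
  flatted: [{ severity: "moderate", title: "sample advisory B", url: "https://example.invalid/b", vulnerable_versions: "<3.4.2" }],
  "brace-expansion": [{ severity: "critical", title: "sample advisory C", url: "https://example.invalid/c", vulnerable_versions: "<1.1.13" }],
  picomatch: [{ title: "sample advisory D with no severity field", url: "https://example.invalid/d", vulnerable_versions: "<2.3.2" }],
});

// Run the real audit from the repository root. Returns a process exit code.
export function runGate(threshold: Severity = "high"): number {
  const res = spawnSync("bun", ["audit", "--json"], { encoding: "utf8" });
  if (res.error) {
    console.error(`could not run bun: ${res.error.message}`);
    return 2;
  }
  const advisories = parseAudit(res.stdout || "{}");
  const pkgJson = JSON.parse(readFileSync("package.json", "utf8"));
  const bad = failing(advisories, threshold);
  for (const a of bad) {
    console.error(`${a.severity.toUpperCase()} ${a.pkg} ${a.vulnerableVersions}: ${a.title} ${a.url}`);
  }
  for (const p of ineffectiveOverrides(pkgJson.overrides ?? {}, advisories)) {
    console.error(`override for ${p} does not clear its advisory; raise the pin`);
  }
  console.log(`${advisories.length} advisories, ${bad.length} at or above ${threshold}`);
  return bad.length === 0 ? 0 : 1;
}

// Only touch the real project when invoked explicitly: `bun gate.ts --run`.
if (process.argv.includes("--run")) process.exit(runGate("high"));
```

Wire it into CI after bun install and before bun run build; an exit code of 1 stops the pipeline, and the "does not clear its advisory" line tells you which pin in "overrides" needs to move to a newer version rather than sending you back to a full triage.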

What Actually Made This Work

A few practical lessons from this process:

  1. Always do direct updates first. It removes broad risk quickly and shrinks the list you have to triage by hand.
  2. Re-audit before changing anything else. Don't guess which packages are still flagged.
  3. Use transitive overrides surgically. Pin only what the audit names, stay inside the major version the parents already request, and record why each pin exists.
  4. Treat overrides as temporary. Re-check them after each bun update and drop a pin once the parents pull in a fixed version on their own, or it will eventually block a legitimate upgrade.
  5. Treat security work like feature work. Run tests and build before calling it done.
  6. Keep lockfiles committed and reproducible, so the graph you audited is the graph that ships.
  7. Read "0 vulnerabilities" as zero known advisories in the registry database at the time of the audit, not as proof the app is secure. Make the audit a recurring check in CI rather than a one-time pass.

Final Takeaway

You do not need a massive platform migration to significantly improve dependency security.

A disciplined Bun workflow, targeted package upgrades, and regression validation can take a real app from 23 open advisories to a clean audit in a single focused pass.

If you maintain a Next.js app and have been postponing dependency hardening, run the audit now and chip away at it in layers. The payoff is immediate and measurable.