up

docs/modules/scanner/bun-analyzer-gotchas.md

@@ -25,21 +25,26 @@ Unlike Node.js, Bun may store packages entirely under `node_modules/.bun/` with
 - Do not filter out hidden directories in container scans
 - Verify evidence shows packages from both `node_modules/` and `node_modules/.bun/`
 
-## 3. `bun.lockb` Migration Path
+## 3. `bun.lockb` Policy (2025-12-09)
 
-The binary lockfile (`bun.lockb`) format is undocumented and unstable. The analyzer treats it as **unsupported** and emits a remediation finding.
+The binary lockfile (`bun.lockb`) remains **unsupported**. We will not parse it and will keep remediation-only handling until Bun publishes a stable, documented format.
 
-**Migration command:**
+**Posture:**
+- Treat `bun.lockb` as unsupported input; do not attempt best-effort parsing.
+- Emit a deterministic remediation finding instructing conversion to text.
+- Skip package inventory when only `bun.lockb` is present to avoid nondeterministic/partial results.
+
+**Migration command (required):**
 ```bash
 bun install --save-text-lockfile
 ```
 
-This generates `bun.lock` (JSONC text format) which the analyzer can parse.
+This generates `bun.lock` (JSONC text format) which the analyzer parses.
 
-**WebService response:** When only `bun.lockb` is present:
-- The scan completes but reports unsupported status
-- Remediation guidance is included in findings
-- No package inventory is generated
+**WebService response when only `bun.lockb` exists:**
+- Scan completes with `unsupported` marker for the package manager.
+- Remediation guidance is included in findings.
+- No package inventory is generated until `bun.lock` is provided.
 
 ## 4. JSONC Lockfile Format