Describe the bug
The new bun support (added in #1648) does not filter out transitive dependencies that are only introduced through devDependencies. Only direct devDependencies are filtered.
To Reproduce
Steps to reproduce the behavior:
- Create new bun project with `bun init` and install with `bun install`
- Run `fossa analyze`
- FOSSA project shows 3 dependencies (@types/node, bun-types, undici-types) although the package.json only contains dev and peerDependencies.
- Run `bun why @types/node` to verify that it is only installed because a devDependency requires it:
Expected behavior
FOSSA should not detect 2nd+ level devDependencies.
Additional context
See reproduction in https://github.com/lpanni/bun-dev-dep-repro, FOSSA project https://app.fossa.com/projects/custom%2B31612%2Fbun-dev-dependencies-repro/refs/branch/master/2026-02-24T07%3A19%3A11Z?revisionScanId=98570608
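The difference between filtering direct devDependencies and filtering everything that is only reachable through them, as an added example (not FOSSA's code and not part of the original report). The graph is a constructed, simplified stand-in for a lockfile; `@types/bun`, `left-lib` and `shared-util` are assumed names, and peerDependencies are not modeled.

```javascript
// Constructed sample: package name -> names of its own dependencies.
const graph = {
  "@types/bun": ["bun-types"],          // assumed direct devDependency
  "bun-types": ["@types/node", "shared-util"],
  "@types/node": ["undici-types"],
  "undici-types": [],
  "left-lib": ["shared-util"],          // hypothetical production dependency
  "shared-util": ["left-lib"],          // cycle, must not loop forever
};
const manifest = { dependencies: ["left-lib"], devDependencies: ["@types/bun"] };

// Every package reachable from the given roots (iterative DFS, cycle safe).
function reachable(roots, graph) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const child of graph[name] ?? []) stack.push(child);
  }
  return seen;
}

// A package is dev-only when no production root reaches it. A package
// reached from both sides (shared-util here) stays in the production set.
function classify(manifest, graph) {
  const prod = reachable(manifest.dependencies ?? [], graph);
  const dev = reachable(manifest.devDependencies ?? [], graph);
  return {
    production: [...prod].sort(),
    devOnly: [...dev].filter((n) => !prod.has(n)).sort(),
  };
}

// The behaviour described in the report: only direct devDependencies are
// dropped, so their transitive dependencies are still reported.
function directOnlyFilter(manifest, graph) {
  const direct = new Set(manifest.devDependencies ?? []);
  return Object.keys(graph).filter((n) => !direct.has(n)).sort();
}

console.log(classify(manifest, graph));
console.log(directOnlyFilter(manifest, graph));
```

With a manifest that has no production dependencies, as in the reproduction, `classify` returns an empty production set while `directOnlyFilter` still reports `@types/node`, `bun-types` and `undici-types`.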