Describe the bug
Vulnerabilities are not being detected accurately in repos using the bun.js runtime. Below are 2 almost identical repositories. The differences being that one uses the node.js runtime and the other uses bun. The node.js runtime is using pnpm as its package manager while the bun runtime uses bun as its package manager. The node.js runtime is using jest for unit testing while the bun one is using the native bun test runner. There is also some chromaticUI stuff in the node.js one that is not present in the bun.js one, but it is also not being used in the node.js one.
At the time of writing, the node.js repo has 6 vulnerabilities in the scorecard. I think they are mostly related to the next.js build tools. The bun.js repo shows 0 vulnerabilities in the scorecard.
Reproduction steps
As much as I would like to make simple versions of both these repositories, emphasising where the vulnerabilities are, I'm not an expert on how these CVEs are reported and I don't understand a lot of the descriptions in those reports. I'm guessing the problem is related to something inside how the scorecard checks the runtime and/or package manager anyway.
I have a similar-ish deno version which is not as mature as the other two at the time of writing because I'm less impressed with deno: https://github.com/dsm23/dsm23-deno-next-template.
Expected behavior
I expect both the node.js- and bun.js-based repositories to have the same number of vulnerabilities that aren't related to either node.js's or bun.js's internals.