[BUG] bun install fails with 503 on private GitHub Packages (sandbox proxy rejects redirect with Authorization header)

Open 💬 2 comments Opened Jun 29, 2026 by Thanaen

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

In the Claude Code web sandbox VM, bun install consistently fails with HTTP 503
when resolving private packages from GitHub Packages (npm.pkg.github.com).

The same bun install succeeds outside the sandbox (local machine, GitHub Actions)
with the exact same repo, lockfile, and GH_REGISTRY_TOKEN. npm install works
fine inside the sandbox. The failure is specific to Bun + the sandbox egress proxy.

Diagnosis inside the sandbox, using only curl:
A. curl -H "Authorization: Bearer $TOKEN" <metadata-url> → HTTP 200
B. curl <signed-redirect-url-from-A> → HTTP 200 (tarball downloads)
C. curl -H "Authorization: Bearer $TOKEN" <signed-redirect-url> → HTTP 503

Bun fails at step C: it reaches the signed redirect URL on
pkg-npm.githubusercontent.com but still carries the Authorization header from
the original request. The sandbox proxy (cert issuer
O=Anthropic; CN=sandbox-egress-production TLS Inspection CA) returns 503 for
that combination, even though the signed URL alone works fine. Outside the
sandbox this combination does not 503.

What Should Happen?

bun install should complete successfully in the Claude Code sandbox, matching
the behavior on user machines and GitHub Actions. Either:

  • the egress proxy should not return 503 when a request carries both a SAS

token in the query string and an Authorization header, or

  • Bun's behavior in this environment should converge with npm/curl (which

strip Authorization on cross-origin redirects and succeed).

Error Messages/Logs

$ bun install
bun install v1.3.11 (af24e281)
error: GET https://npm.pkg.github.com/download/@<scope>/<pkg>/<version>/<sha> - 503

# With a newer bun (1.3.13) the error URL is the post-redirect one:
error: GET https://pkg-npm.githubusercontent.com/npmregistryv2prod/blobs/.../<pkg>/<version>/<uuid>?se=...&sig=...&... - 503

Steps to Reproduce

  1. Start a Claude Code web session on any repo that consumes a private package

from GitHub Packages (@<scope>:registry=https://npm.pkg.github.com).

  1. Ensure GH_REGISTRY_TOKEN (or equivalent PAT with read:packages) is set.
  2. Configure Bun scope auth (repo-level bunfig.toml or global ~/.bunfig.toml):

[install.scopes]
"@<scope>" = { url = "https://npm.pkg.github.com", token = "$GH_REGISTRY_TOKEN" }

  1. Run bun install → fails with HTTP 503 on the tarball redirect.
  2. Confirm it's environment-specific:

npm install --legacy-peer-deps → succeeds
Same bun install on local / GH Actions → succeeds

  1. Isolate the proxy behavior with curl (no Bun involved):

REDIRECT=$(curl -sS -o /dev/null -w "%{redirect_url}" \
-H "Authorization: Bearer $GH_REGISTRY_TOKEN" \
"https://npm.pkg.github.com/download/@<scope>/<pkg>/<version>/<sha>")
curl -sS -o /dev/null -w "%{http_code}\n" "$REDIRECT"
→ 200
curl -sS -o /dev/null -w "%{http_code}\n" \
-H "Authorization: Bearer $GH_REGISTRY_TOKEN" "$REDIRECT"
→ 503 ← reproduces the 503 Bun hits

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.116 (Claude Code)

Platform

Anthropic API

Operating System

Other Linux

Terminal/Shell

Non-interactive/CI environment

Additional Information

  • Tested Bun versions: 1.3.11 (shipped in sandbox) and 1.3.13 (latest stable,

downloaded from GitHub releases). Both reproduce.

  • BUN_OPTIONS=--smol is set by the sandbox; unrelated to this bug (it breaks

bun upgrade argument parsing but not install).

  • Fully reproducible workaround (requires NO Claude Code changes):

cat > ~/.npmrc <<EOF
@<scope>:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=$GH_REGISTRY_TOKEN
package-lock=false
legacy-peer-deps=true
EOF
npm install

  • Suspected root cause: the sandbox egress proxy returns 503 when the same request

carries both a SAS token in the query string (GitHub's signed CDN URL) and an
Authorization: Bearer header. Bun 1.3.11/1.3.13 forwards the scope's
Authorization header across the cross-origin redirect; curl and npm strip it
and therefore succeed. Outside the sandbox the combination doesn't 503, so
users and CI never see the bug.

  • Possible fixes (non-exhaustive):

(a) Don't 503 on that header combination in the egress proxy.
(b) Document this limitation and ship a ~/.npmrc + ~/.bunfig.toml
pre-populated from GH_REGISTRY_TOKEN as part of the sandbox base image.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗