Support Bun with bun.lock #11209

Open · wants to merge 10 commits into base: main

Conversation

Electroid

What are you trying to accomplish?

This PR adds support for Bun, which is the most upvoted, open issue for Dependabot:

[Screenshot 2025-01-02 at 5 38 41 PM]

Bun is an npm-compatible package manager, so it has been added to the npm_and_yarn source code, alongside other package managers like yarn and pnpm.

Previously, Bun used a binary lockfile, bun.lockb. In Bun 1.1.39, it was changed to a text-based format and renamed to bun.lock. Support for the previous binary lockfile is possible, but it's easier to just support the text-based one, since it's the new default.

Here's an example bun.lock file.
{
  "lockfileVersion": 0,
  "workspaces": {
    "": {
      "dependencies": {
        "fetch-factory": "^0.0.1",
      },
      "devDependencies": {
        "etag": "^1.0.0",
      },
    },
  },
  "packages": {
    "encoding": ["[email protected]", "", { "dependencies": { "iconv-lite": "^0.6.2" } }, "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A=="],

    "es6-promise": ["[email protected]", "", {}, "sha512-SOp9Phqvqn7jtEUxPWdWfWoLmyt2VaJ6MpvP9Comy1MceMXqE6bxvaTu4iaxpYYPzhny28Lc+M87/c2cPK6lDg=="],

    "etag": ["[email protected]", "", {}, "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="],

    "fetch-factory": ["[email protected]", "", { "dependencies": { "es6-promise": "^3.0.2", "isomorphic-fetch": "^2.1.1", "lodash": "^3.10.1" } }, "sha512-gexRwqIhwzDJ2pJvL0UYfiZwW06/bdYWxAmswFFts7C87CF8i6liApihTk7TZFYMDcQjvvDIvyHv0q379z0aWA=="],

    "iconv-lite": ["[email protected]", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="],

    "is-stream": ["[email protected]", "", {}, "sha512-uQPm8kcs47jx38atAcWTVxyltQYoPT68y9aWYdV6yWXSyW8mzSat0TL6CiWdZeCdF3KrAvpVtnHbTv4RN+rqdQ=="],

    "isomorphic-fetch": ["[email protected]", "", { "dependencies": { "node-fetch": "^1.0.1", "whatwg-fetch": ">=0.10.0" } }, "sha512-9c4TNAKYXM5PRyVcwUZrF3W09nQ+sO7+jydgs4ZGW9dhsLG2VOlISJABombdQqQRXCwuYG3sYV/puGf5rp0qmA=="],

    "lodash": ["[email protected]", "", {}, "sha512-9mDDwqVIma6OZX79ZlDACZl8sBm0TEnkf99zV3iMA4GzkIT/9hiqP5mY0HoT1iNLCrKc/R1HByV+yJfRWVJryQ=="],

    "node-fetch": ["[email protected]", "", { "dependencies": { "encoding": "^0.1.11", "is-stream": "^1.0.1" } }, "sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ=="],

    "safer-buffer": ["[email protected]", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],

    "whatwg-fetch": ["[email protected]", "", {}, "sha512-EqhiFU6daOA8kpjOWTL0olhVOF3i7OrFzSYiGsEMB8GcXS+RrzauAERX65xMeNWVqxA6HXH2m69Z9LaKKdisfg=="],
  }
}

Example

Using the dry-run scripts, here's an example diff from Dependabot with Bun support.

Commands:

$ export LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token)
$ ./bin/docker-dev-shell npm_and_yarn --rebuild
$ ./bin/dry-run.rb npm_and_yarn ArnaudBarre/rds --dep=prettier

Output:

 => bump prettier from 3.0.3 to 3.4.2

    ± package.json
    ~~~
    --- /tmp/original20250103-42610-8gx53l      2025-01-03 01:35:22.414182006 +0000
    +++ /tmp/updated20250103-42610-jqc6nh       2025-01-03 01:35:22.414182006 +0000
    @@ -43,7 +43,7 @@
         "@types/react": "^18.3.11",
         "@types/ws": "^8.5.13",
         "eslint": "^9.17.0",
    -    "prettier": "3.0.3",
    +    "prettier": "3.4.2",
         "typescript": "~5.7"
       }
     }
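Review bot: The summary under this hunk reports 2 insertions and 2 deletions while the hunk itself changes one line each way (`-    "prettier": "3.0.3",` / `+    "prettier": "3.4.2",`); the counts appear to include the `---`/`+++` header lines, so they should not be read as two manifest edits. The exact pin (no `^`) survives the bump, which is the right behaviour for a pinned devDependency.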
    ~~~
    2 insertions (+), 2 deletions (-)

    ± bun.lock
    ~~~
    --- /tmp/original20250103-42610-wdnxjr      2025-01-03 01:35:22.415182006 +0000
    +++ /tmp/updated20250103-42610-txs2y1       2025-01-03 01:35:22.415182006 +0000
    @@ -21,7 +21,7 @@
             "@types/react": "^18.3.11",
             "@types/ws": "^8.5.13",
             "eslint": "^9.17.0",
    -        "prettier": "3.0.3",
    +        "prettier": "3.4.2",
             "typescript": "~5.7",
           },
           "peerDependencies": {
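Review bot: Make sure a fixture asserts that the root-workspace pin and the `packages` entry change together in one update; the `workspaces` block in this hunk mirrors package.json line for line (the same `@types/react`, `@types/ws`, `eslint`, `prettier`, `typescript` entries as the manifest hunk), so an updater that only rewrote the `packages` entry would leave bun.lock disagreeing with the manifest it is supposed to lock.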
    @@ -422,7 +422,7 @@
     
         "prelude-ls": ["[email protected]", "", {}, "sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g=="],
     
    -    "prettier": ["[email protected]", "", {}, "sha512-L/4pUDMxcNa8R/EthV08Zt42WBO4h1rarVtK0K+QJG0X187OLo7l699jWw0GKuwzkPQ//jMFA/8Xm6Fh3J/DAg=="],
    +    "prettier": ["[email protected]", "", { "bin": { "prettier": "bin/prettier.cjs" } }, "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ=="],
     
         "punycode": ["[email protected]", "", {}, "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg=="],
     
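Review bot: The replacement entry is not a textual version/hash substitution of the old line: it gains a `{ "bin": { "prettier": "bin/prettier.cjs" } }` metadata object where the 3.0.3 entry had `{}`, which suggests the lockfile was regenerated by the package manager rather than patched as a string. That is the behaviour to want, because the trailing `sha512-...` field is the integrity value an install verifies the tarball against and must come from the registry's metadata for 3.4.2, not be carried over or computed locally; a test comparing the new integrity string with the registry fixture for 3.4.2 would pin this down.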
    ~~~
    3 insertions (+), 3 deletions (-)

Anything you want to highlight for special attention from reviewers?

Of course, tests and fixtures have been added to test Bun! Let me know if I missed anything.

How will you know you've accomplished your goal?

Here is a random sample of repositories using bun.lock that you can try with the dry-run scripts:

./bin/dry-run.rb npm_and_yarn ArnaudBarre/rds
./bin/dry-run.rb npm_and_yarn redphx/better-xcloud
./bin/dry-run.rb npm_and_yarn stacksjs/qar
./bin/dry-run.rb npm_and_yarn devSaifur/keeper

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

Electroid requested a review from a team as a code owner, January 3, 2025 02:14
Electroid mentioned this pull request, Jan 3, 2025
Electroid changed the title from "Support Bun withbun.lock" to "Support Bun with bun.lock", Jan 3, 2025
# install from npm/cli/lib/pack.js as --ca="contents of ca file" - "ca" is
# populated automatically by npm when setting "--cafile" and passed through in
# when spawning the cli to install git dependencies.
cafile=/usr/local/share/ca-certificates/dbot-ca.crt
Electroid (Author), on the cafile lines above:

A note for the reviewers: That CA file does not appear in the dev-shell. While npm and yarn silently ignore its absence, Bun throws an error since it can't be found. Let me know if this is okay to remove, it appears all the tests continue to pass without this.
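As an added illustration of the point in that comment (not Dependabot's or Bun's code): npm treating a missing cafile as a no-op is a fail-open, since the install then quietly falls back to the default trust store instead of the CA that was configured, while Bun's error is fail-closed. The helper below makes that choice explicit rather than deleting the setting. `resolve_npm_ca`, `MissingCaFile`, the `fail_open:` keyword and the temp-file demo are this example's own names, and the PEM content is a constructed placeholder, not a real certificate.

```ruby
# Added example, not Dependabot's code: handle an npmrc "cafile=" entry the way the
# comment above describes npm filling in "ca" from it, but make the missing-file
# case an explicit policy decision instead of a silent fallback.
# MissingCaFile, resolve_npm_ca and the fail_open: keyword are this example's own names.
require "tempfile"

class MissingCaFile < StandardError; end

# Parse npmrc-style "key=value" lines and return [config, warnings].
# config carries "cafile" and, like npm, the file contents as "ca" so that a
# spawned child (e.g. a git-dependency install) inherits the same trust anchor.
# fail_open: false (default) raises when the file is absent: the install must not
# quietly proceed with a different trust store than the one that was configured.
# fail_open: true reproduces npm's lenient behaviour but returns a warning for the log.
def resolve_npm_ca(npmrc_text, fail_open: false)
  config = {}
  warnings = []
  npmrc_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    key, value = line.split("=", 2)
    next unless key.strip == "cafile"
    path = value.to_s.strip
    if File.file?(path)
      pem = File.read(path)
      raise MissingCaFile, "#{path} holds no PEM certificate" unless pem.include?("-----BEGIN CERTIFICATE-----")
      config["cafile"] = path
      config["ca"] = pem
    elsif fail_open
      warnings << "cafile #{path} not found; falling back to the system trust store"
    else
      raise MissingCaFile, "cafile #{path} not found"
    end
  end
  [config, warnings]
end

# Constructed demonstration: a throwaway PEM-shaped file (not a real certificate)
# and npmrc lines in the same "cafile=" form, once pointing at that file and once
# at a path that does not exist. Returns the three outcomes for inspection.
def demo_cafile_handling
  Tempfile.create(["dbot-ca", ".crt"]) do |f|
    f.write("-----BEGIN CERTIFICATE-----\nMIIB(constructed placeholder)\n-----END CERTIFICATE-----\n")
    f.flush
    present, _warnings = resolve_npm_ca("# comment line\ncafile=#{f.path}\n")
    missing_path = "/nonexistent/dbot-ca.crt"
    lenient, warns = resolve_npm_ca("cafile=#{missing_path}\n", fail_open: true)
    strict_error = begin
      resolve_npm_ca("cafile=#{missing_path}\n")
      nil
    rescue MissingCaFile => e
      e.message
    end
    { present: present, lenient: lenient, warnings: warns, strict_error: strict_error }
  end
end

if $PROGRAM_NAME == __FILE__
  result = demo_cafile_handling
  puts "present:  #{result[:present].keys.inspect}"
  puts "lenient:  #{result[:warnings].inspect}"
  puts "strict:   #{result[:strict_error]}"
end
```

The default here is the strict mode: if a pinned CA is part of the updater's configuration, its absence is a configuration bug to surface, not a condition to paper over.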

Electroid (Author):

Ready for review! The relevant tests run and are passing!

Regarding the CI status, some of the e2e tests unrelated to this PR fail with a transient error:

> gh release download --repo dependabot/cli -p "*linux-amd64.tar.gz"
HTTP 403: API rate limit exceeded for site ID installation. If you reach out to GitHub Support for help, please include the request ID 1140:1611F6:3781BE:6E96F0:67787B47 and timestamp 2025-01-04 00:05:28 UTC. 


return @bun_lock if @bun_lock || directory == "/"

# Loop through parent directories looking for a pnpm-lock
Suggested change:
-# Loop through parent directories looking for a pnpm-lock
+# Loop through parent directories looking for a bun.lock


version = content["lockfileVersion"]
raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
glensc (Jan 6, 2025):

Perhaps stick to version 0 only, until newer versions are known to be compatible?
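The bun.lock layout shown in the PR description (a `lockfileVersion`, a `workspaces` map keyed by path with `""` as the root, and a `packages` map whose values are `[name@version, second string field, metadata, integrity]` tuples, the second field being empty in every entry shown) and the `lockfileVersion` check discussed just above both come together in the following strict parser. It is an added example, not Dependabot's or Bun's code; `parse_bun_lock`, `InvalidBunLockfile`, `strip_trailing_commas` and the sample lockfile are this example's own, and it adopts the reviewer's suggestion of accepting version 0 only. The trailing-comma handling is there because the page's own example contains them and a plain `JSON.parse` rejects them.

```ruby
# Added example: a strict parser for Bun's text lockfile (bun.lock).
# Not Dependabot's or Bun's code; class, method and sample names are this example's own.
require "json"
require "base64"
require "digest"

class InvalidBunLockfile < StandardError; end

# bun.lock is JSON with trailing commas, which JSON.parse rejects. Drop a comma
# that sits directly before '}' or ']', but only outside string literals, so a
# comma inside a version range or a package name is never touched.
def strip_trailing_commas(text)
  out = +""
  in_string = false
  escaped = false
  i = 0
  while i < text.length
    ch = text[i]
    if in_string
      out << ch
      if escaped
        escaped = false
      elsif ch == "\\"
        escaped = true
      elsif ch == '"'
        in_string = false
      end
    elsif ch == '"'
      in_string = true
      out << ch
    elsif ch == ","
      # Look past whitespace: a comma followed by a closer is a trailing comma.
      j = i + 1
      j += 1 while j < text.length && text[j].match?(/\s/)
      out << ch unless j < text.length && (text[j] == "}" || text[j] == "]")
    else
      out << ch
    end
    i += 1
  end
  out
end

DIGEST_BYTES = { "sha1" => 20, "sha256" => 32, "sha512" => 64 }.freeze

# Validate an SRI-style integrity string ("sha512-<base64>") and return [algo, raw_digest].
# The decoded length must match the algorithm, so a truncated or wrong-algorithm hash fails.
def parse_integrity(value)
  raise InvalidBunLockfile, "integrity must be a string" unless value.is_a?(String)
  algo, b64 = value.split("-", 2)
  raise InvalidBunLockfile, "unsupported integrity algorithm #{algo.inspect}" unless DIGEST_BYTES.key?(algo)
  raw = begin
    Base64.strict_decode64(b64.to_s)
  rescue ArgumentError
    raise InvalidBunLockfile, "integrity is not valid base64"
  end
  unless raw.bytesize == DIGEST_BYTES[algo]
    raise InvalidBunLockfile, "#{algo} digest should be #{DIGEST_BYTES[algo]} bytes, got #{raw.bytesize}"
  end
  [algo, raw]
end

# Split "name@version" at the last '@' so scoped names like "@types/ws@8.5.13" work.
def split_name_version(spec)
  at = spec.rindex("@")
  raise InvalidBunLockfile, "bad package spec #{spec.inspect}" if at.nil? || at.zero?
  [spec[0...at], spec[(at + 1)..]]
end

# Parse bun.lock text into { version:, workspaces:, packages: { key => {...} } }.
# Only lockfileVersion 0 is accepted, per the review suggestion: an unknown future
# version is rejected rather than parsed on the assumption that its layout is unchanged.
def parse_bun_lock(text)
  data = JSON.parse(strip_trailing_commas(text))
  version = data["lockfileVersion"]
  raise InvalidBunLockfile, "expected 'lockfileVersion' to be an integer" unless version.is_a?(Integer)
  raise InvalidBunLockfile, "unsupported lockfileVersion #{version} (only 0 is known)" unless version.zero?
  workspaces = data["workspaces"]
  raise InvalidBunLockfile, "missing root workspace" unless workspaces.is_a?(Hash) && workspaces.key?("")
  raise InvalidBunLockfile, "'packages' must be an object" unless data["packages"].is_a?(Hash)

  packages = {}
  data["packages"].each do |key, entry|
    # Each entry is [ "name@version", second string field ("" in the page's example), metadata, integrity ].
    unless entry.is_a?(Array) && entry.length == 4 && entry[0].is_a?(String) && entry[1].is_a?(String) && entry[2].is_a?(Hash)
      raise InvalidBunLockfile, "malformed entry for #{key}"
    end
    name, ver = split_name_version(entry[0])
    algo, _raw = parse_integrity(entry[3])
    packages[key] = { name: name, version: ver, resolution: entry[1],
                      deps: entry[2].fetch("dependencies", {}), integrity_algo: algo }
  end
  { version: version, workspaces: workspaces, packages: packages }
end

# Constructed sample (not the lockfile from the PR): trailing commas, a scoped
# package, and a correctly shaped sha512 integrity computed over made-up bytes.
FAKE_INTEGRITY = "sha512-" + Base64.strict_encode64(Digest::SHA512.digest("constructed tarball bytes"))
SAMPLE_BUN_LOCK = <<~LOCK
  {
    "lockfileVersion": 0,
    "workspaces": {
      "": {
        "dependencies": { "@scope/pkg": "^1.2.0", },
      },
    },
    "packages": {
      "@scope/pkg": ["@scope/pkg@1.2.3", "", { "dependencies": { "dep": ">= 2.1.2 < 3.0.0" } }, "#{FAKE_INTEGRITY}"],
      "dep": ["dep@2.5.0", "", {}, "#{FAKE_INTEGRITY}"],
    }
  }
LOCK

if $PROGRAM_NAME == __FILE__
  parse_bun_lock(SAMPLE_BUN_LOCK)[:packages].each do |key, pkg|
    puts "#{key}: #{pkg[:name]} #{pkg[:version]} (#{pkg[:integrity_algo]})"
  end
end
```

Rejecting unknown versions and malformed integrity values up front is what keeps an updater from silently writing back a lockfile it did not fully understand.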

abdulapopoola (Member):

Thank you so much @Electroid! We'll try to expedite the reviews on our end.

markhallen (Contributor):

Thanks for the PR @Electroid 🙇‍♂️
I'm going to start reviewing this today

5 participants