dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

add support for `bun` #6528

Open MarkLyck opened 1 year ago

MarkLyck commented 1 year ago

Is there an existing issue for this?

Feature description

https://bun.sh/ is quickly gaining traction and is now my preferred npm package manager.

It is faster than both yarn and pnpm, but the only thing left keeping me from moving to it for production use is the lack of support by dependabot or renovatebot.

Please add support for bun install and the bun.lockb lockfile.

xhyrom commented 1 year ago

any progress here?

aradalvand commented 1 year ago

Bun v1 has been released, this is very much needed now.

Wazbat commented 1 year ago

Surprised to not see any support on this yet. We're looking into moving our production applications to bun, however we make significant use of dependabot.

aradalvand commented 1 year ago

@brrygrdn @JamieMagee @jurre @greysteil Sorry for tagging you guys, but just wanted to ask if this is going to be worked on soon?

greysteil commented 1 year ago

Afraid I don't work on Dependabot anymore, or at GitHub! 🤞 you get some traction - in the past the best / easiest integrations have been when the package manager team themselves collaborated with the Dependabot team.

aradalvand commented 1 year ago

Got ya! Thank you.

@Jarred-Sumner Any chance you guys (the Bun team) could perhaps take a look at this?

czj commented 1 year ago

Hey @GrantBirki @jurre or @jakecoffman ... sorry to bother you, but is bun support planned for our beloved Dependabot?

Thanks :)

winstxnhdw commented 1 year ago

Hey guys, if any of you are willing to migrate from Dependabot.. Renovate has already introduced Bun support within ONLY 2 days since they announced that they have begun working on it. Unfortunately, Dependabot usually takes anywhere from several months to years when it comes to implementing anything on the same level.

GrantBirki commented 1 year ago

@czj I do not work on the dependabot team here at GitHub but I let them know about this issue, thanks!

carogalvin commented 1 year ago

Hi everyone, PM for Dependabot here. We do not currently have Bun support planned for Dependabot. We will post here if that changes.

czj commented 1 year ago

Thanks @carogalvin for clarifying. Sincerely hope you will plan it sooner than later!

DenisIrkhin commented 1 year ago

For package updating I have a repo with bun. It works for me nicely with package-ecosystem: 'npm', but I have to put a subconfig for each folder in the monorepo as a workaround currently. Without it Dependabot doesn't open new PRs even though I see all dependencies for the whole monorepo in the dependency graph.

ImLunaHey commented 1 year ago

@carogalvin is there a reason why?

It's really disappointing to see this when dependabot is built into GitHub. We shouldn't need to switch to a third party like renovate for something like this. 😞

carogalvin commented 1 year ago

Yes, but the reasons aren't very satisfying I'm afraid :/

  1. We have a lot of requests for new package managers, languages, and ecosystems (if you look at open issues and sort by most voted, you'll see a solid chunk of them are for adding such support). We cannot feasibly support every package manager, language, and ecosystem used on GitHub with just one engineering team.
  2. Adding coverage for a new package manager and maintaining that support is non-trivial, and we already support 20+ package managers.
  3. Our top goal right now is improving the experience of working with Dependabot for ecosystems we already support; for example, our recent release of grouped version updates (which we're looking to extend to security updates next). When we look at our data, it's probably not too surprising to hear that a vast majority of Dependabot PRs are never merged - we're prioritizing features that address that.

Nothing against bun, it seems like a great package manager getting a lot of traction, but unfortunately with lots of feature requests and limited people we have to be very particular with how we prioritize. I'm sure we'll end up adding support eventually. I would encourage everyone looking at this to keep 👍 'ing this issue, because it helps us to see how many people will be helped with this.

Jarred-Sumner commented 1 year ago

We'd be happy to help with adding Bun support to Dependabot

sambostock commented 1 year ago

FWIW, until there is support at the Dependabot level, being able to losslessly import yarn.lock files into Bun would provide a workaround path.

For example, if a project dumped both a bun.lockb and an equivalent yarn.lock, Dependabot could update the yarn.lock and a GitHub Action could follow up by dumping the equivalent bun.lockb.

thienandangthanh commented 1 year ago

@sambostock So we must have this feature of bun implemented https://github.com/oven-sh/bun/issues/1751#issuecomment-1729237580?

And also this feature: https://github.com/oven-sh/bun/issues/6409

mstuercke commented 6 months ago

I've created a workflow that runs whenever dependabot creates a pull request. It will execute bun install and commit the bun.lockb file. The original commit of dependabot will be overwritten.

I hope this helps someone!

name: 'Dependabot: Update bun.lockb'

on: pull_request

# GITHUB_TOKEN needs write access to the repository contents to amend and force-push the PR branch.
permissions:
  contents: write

jobs:
  update-bun-lockb:
    name: "Update bun.lockb"
    # Only act on pull requests opened by Dependabot.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: oven-sh/setup-bun@v1
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Check out the PR branch itself (not the merge commit) so the amended commit can be pushed back to it.
          ref: ${{ github.event.pull_request.head.ref }}
      - run: |
          bun install
          git add bun.lockb
          git config --global user.name 'dependabot[bot]'
          git config --global user.email 'dependabot[bot]@users.noreply.github.com'
          # Fold the refreshed lockfile into Dependabot's own commit and replace that commit on the branch.
          git commit --amend --no-edit
          git push --force

Hint: This workflow, as written here, will only execute bun install in the project root folder.
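As an added example (not code from this thread, from Dependabot, or from Bun), a shell helper that extends the `bun install` step above to a monorepo in which each folder is a separate Bun project with its own `bun.lockb`: it finds every `package.json` outside `node_modules` and `.git`, runs `bun install` there, and prints each directory it processed so the workflow can stage that folder's lockfile. The `BUN_CMD` override, the function names and the sample layout are assumptions; it does not cover Bun workspaces, where only the root holds a lockfile.

```shell
#!/usr/bin/env bash
# Added example: refresh bun.lockb in every standalone Bun project folder
# of a repository, not only the root. Assumes one bun.lockb per folder.
set -eu

# Assumed override hook so the install command can be swapped (e.g. in tests).
BUN_CMD="${BUN_CMD:-bun}"

# Print the directory of every package.json under $1, skipping dependency
# trees and git metadata, sorted so output is stable.
find_package_dirs() {
  root="$1"
  find "$root" \( -name node_modules -o -name .git \) -prune -o \
       -name package.json -exec dirname {} \; | sort
}

# Run "bun install" in each project directory found under $1 and print the
# directory afterwards. Fails fast (non-zero status) if any install fails,
# so the workflow step does not commit a half-updated set of lockfiles.
update_lockfiles() {
  root="$1"
  find_package_dirs "$root" | while IFS= read -r dir; do
    ( cd "$dir" && "$BUN_CMD" install ) || {
      echo "bun install failed in $dir" >&2
      exit 1
    }
    printf '%s\n' "$dir"
  done
}

# Usage in the workflow's run step (assumed):
#   update_lockfiles . | while IFS= read -r d; do
#     [ -f "$d/bun.lockb" ] && git add "$d/bun.lockb"
#   done
```

The directories are staged individually rather than with a broad `git add`, so only lockfiles produced by the install reach the amended commit.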

czj commented 6 months ago

Thanks a lot @mstuercke! That's awesome :-)

To get rid of the skipped run status:


You can change the "on" to have a "paths" condition:

on:
  pull_request:
    paths:
      - "package.json"

aifrim commented 5 months ago

@czj @mstuercke

That means that I will also need to have a yarn.lock, package-lock.json or pnpm-lock.yaml so that dependabot can find out what version I am actually using (as part of the lockfile) and suggest an update.

Because, as the dependency version, I can specify: *, 1.x, ^1.0.0, ~1.0.0.

Marocco2 commented 5 months ago

@czj @mstuercke

That means that I will also need to have a yarn.lock, package-lock.json or pnpm-lock.yaml so that dependabot can find out what version I am actually using (as part of the lockfile) and suggest an update.

Because, as the dependency version, I can specify: *, 1.x, ^1.0.0, ~1.0.0.

@aifrim You can set versioning-strategy: increase and it will update package.json without lockfiles
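As an added example, not a configuration from this thread or from the Dependabot documentation verbatim, a dependabot.yml that combines the two workarounds mentioned above: one `npm` entry per project folder (the per-folder subconfig DenisIrkhin describes for a monorepo) and `versioning-strategy: increase` so that package.json is bumped directly, as Marocco2 suggests, since Dependabot cannot read bun.lockb. The directory names and the schedule are placeholders.

```yaml
version: 2
updates:
  # One entry per Bun project folder. Dependabot parses package.json through
  # the npm ecosystem and has no knowledge of bun.lockb.
  - package-ecosystem: "npm"
    directory: "/"                # placeholder: the root project
    schedule:
      interval: "weekly"
    # Raise the range in package.json itself instead of relying on a lockfile
    # Dependabot can read (package-lock.json, yarn.lock, pnpm-lock.yaml).
    versioning-strategy: increase

  - package-ecosystem: "npm"
    directory: "/packages/api"    # placeholder: a nested project with its own bun.lockb
    schedule:
      interval: "weekly"
    versioning-strategy: increase
```

Each entry corresponds to one folder that carries its own package.json and bun.lockb; the lockfile-refresh workflow earlier in the thread then has to run `bun install` in each of those folders, not only the root.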

isaachinman commented 4 months ago

@Jarred-Sumner Any update on this? Vulnerability updates are critical for any serious team, and Bun support for dependabot should be trivial – @mstuercke's action is pretty much all that's needed. Can we get first-class support?

tiagonrodrigues commented 4 months ago

Are we really not getting any news on this?

wJoenn commented 4 months ago

Jarred already said he'd be happy to help implement Bun support for dependabot but the GitHub team is pretty clear about not wanting to add support for any new package manager anymore. There's not much to wait for really, the answers are already here. We just don't like them.

If you really wanna use Bun as your package manager you can check Renovate, which does the same thing and has Bun support.

If you really wanna use Dependabot you can check Pnpm which is a very good alternative instead of Bun as a package manager.

isaachinman commented 4 months ago

@wJoenn Strongly disagree with your take.

@carogalvin has literally said:

I'm sure we'll end up adding support eventually

Meaning this issue is currently in a "prove to us it's worth it" phase.

elliotlarson commented 1 month ago

@Jarred-Sumner You mentioned some time ago that you'd be happy to work on adding Bun support to Dependabot. I'm curious if this is still something you are pursuing or if this is something that is back-burnered indefinitely.