Skip to content

refactor: migrate from Bun to pnpm as package manager#224

Merged
pffigueiredo merged 2 commits intomainfrom
refactor/bun-to-pnpm
Apr 14, 2026
Merged

refactor: migrate from Bun to pnpm as package manager#224
pffigueiredo merged 2 commits intomainfrom
refactor/bun-to-pnpm

Conversation

@pffigueiredo
Copy link
Copy Markdown
Collaborator

@pffigueiredo pffigueiredo commented Apr 14, 2026
edited
Loading

Summary

  • Replace Bun with pnpm as the project's package manager. Bun's lockfile embeds 818 absolute registry URLs, breaking --frozen-lockfile across environments (dev proxy, CI JFrog, Vercel). pnpm stores only integrity hashes — no registry URLs — restoring lockfile portability.
  • Add JFrog OIDC to CI for npm registry access on protected runners (follows neondatabase/serverless pattern).
  • Pin pnpm 10.33.0 via Corepack packageManager field. CI installs pnpm via jf npm install -g.
  • Update all CI workflows (pr.yml, claude.yml, claude-code-review.yml): replace bun setup/cache/install/scripts with pnpm equivalents.
  • Add tsx as devDependency for TS script execution (replaces bun run scripts/*.ts).
  • Rewrite preinstall registry validation script for pnpm (validates .npmrc instead of generating bunfig.toml).
  • Update docs (CLAUDE.md, README.md) to reflect pnpm workflow.

Test plan

  • CI passes: pnpm install --frozen-lockfile, fmt, lint, knip, typecheck, test, build
  • pnpm-lock.yaml contains zero registry URLs
  • Verify Vercel preview deployment auto-detects pnpm from pnpm-lock.yaml
  • No bun references remain in workflows or docs

This pull request was AI-assisted by Isaac.

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 14, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
mcp-server-neon Ignored Ignored Preview Apr 14, 2026 5:11pm

Request Review

@pffigueiredo pffigueiredo force-pushed the refactor/bun-to-pnpm branch from f83d628 to 166b1b0 Compare April 14, 2026 13:57
@pffigueiredo pffigueiredo changed the base branch from main to fix/jfrog-npm-registry-proxy April 14, 2026 13:58
@pffigueiredo pffigueiredo force-pushed the refactor/bun-to-pnpm branch from 166b1b0 to 7b96a36 Compare April 14, 2026 14:00
@pffigueiredo pffigueiredo changed the base branch from fix/jfrog-npm-registry-proxy to main April 14, 2026 14:04
@pffigueiredo pffigueiredo force-pushed the refactor/bun-to-pnpm branch 3 times, most recently from d2f9519 to 24b125d Compare April 14, 2026 14:17
@pffigueiredo pffigueiredo changed the base branch from main to fix/jfrog-npm-registry-proxy April 14, 2026 14:27
@pffigueiredo pffigueiredo force-pushed the refactor/bun-to-pnpm branch 3 times, most recently from 2b0c9e8 to b6c3931 Compare April 14, 2026 14:44
@pffigueiredo pffigueiredo mentioned this pull request Apr 14, 2026
Closed
4 tasks
@pffigueiredo pffigueiredo changed the base branch from fix/jfrog-npm-registry-proxy to main April 14, 2026 14:50
@pffigueiredo pffigueiredo force-pushed the refactor/bun-to-pnpm branch from b6c3931 to b5af7c9 Compare April 14, 2026 14:50
@pffigueiredo
refactor: migrate from Bun to pnpm as package manager
4b26f02 
Bun's lockfile embeds absolute registry URLs, breaking --frozen-lockfile
across environments (dev proxy, CI JFrog, Vercel). pnpm stores only
integrity hashes, restoring lockfile portability and satisfying supply
chain hardening requirement R3.

- Pin pnpm 10.33.0 via Corepack packageManager field
- Add shamefully-hoist=true for Next.js compatibility
- Add tsx for TS script execution (replaces bun runtime)
- Create preinstall registry validation script for pnpm
- Add JFrog OIDC to CI for npm registry access
- Install pnpm via jf npm, matching neondatabase/serverless pattern
- Update all CI workflows (pr.yml, claude.yml, claude-code-review.yml)
- Update CLAUDE.md and README.md

Co-authored-by: Isaac
@pffigueiredo pffigueiredo force-pushed the refactor/bun-to-pnpm branch from b5af7c9 to 4b26f02 Compare April 14, 2026 14:54
@pffigueiredo
fix: address review findings for bun-to-pnpm migration
82b0847 
- Remove preinstall registry guard that blocked Vercel builds and
  external contributors; add troubleshooting note to CLAUDE.md instead
- Mask JFrog OIDC token in CI logs with ::add-mask::
- Scope id-token: write to job level instead of workflow level
- Fix trailing newline in .npmrc
- Update stale Bun reference in vercel-migration.md

Co-authored-by: Isaac
@pffigueiredo pffigueiredo merged commit 9a3417c into main Apr 14, 2026
5 checks passed
@pffigueiredo pffigueiredo deleted the refactor/bun-to-pnpm branch April 14, 2026 17:20
andrelandgraf pushed a commit that referenced this pull request Apr 16, 2026
@pffigueiredo @andrelandgraf
refactor: migrate from Bun to pnpm as package manager (#224)
be70fcc 
- **Replace Bun with pnpm** as the project's package manager. Bun's
lockfile embeds 818 absolute registry URLs, breaking `--frozen-lockfile`
across environments (dev proxy, CI JFrog, Vercel). pnpm stores only
integrity hashes — no registry URLs — restoring lockfile portability.
- **Add JFrog OIDC** to CI for npm registry access on protected runners
(follows `neondatabase/serverless` pattern).
- **Pin pnpm 10.33.0 via Corepack** `packageManager` field. CI installs
pnpm via `jf npm install -g`.
- **Update all CI workflows** (`pr.yml`, `claude.yml`,
`claude-code-review.yml`): replace bun setup/cache/install/scripts with
pnpm equivalents.
- **Add `tsx`** as devDependency for TS script execution (replaces `bun
run scripts/*.ts`).
- **Rewrite preinstall registry validation script** for pnpm (validates
`.npmrc` instead of generating `bunfig.toml`).
- **Update docs** (CLAUDE.md, README.md) to reflect pnpm workflow.

- [ ] CI passes: `pnpm install --frozen-lockfile`, fmt, lint, knip,
typecheck, test, build
- [ ] `pnpm-lock.yaml` contains zero registry URLs
- [ ] Verify Vercel preview deployment auto-detects pnpm from
`pnpm-lock.yaml`
- [ ] No `bun` references remain in workflows or docs

This pull request was AI-assisted by Isaac.
andrelandgraf pushed a commit that referenced this pull request Apr 16, 2026
@pffigueiredo @andrelandgraf
refactor: migrate from Bun to pnpm as package manager (#224)
6cbb8b3 
- **Replace Bun with pnpm** as the project's package manager. Bun's
lockfile embeds 818 absolute registry URLs, breaking `--frozen-lockfile`
across environments (dev proxy, CI JFrog, Vercel). pnpm stores only
integrity hashes — no registry URLs — restoring lockfile portability.
- **Add JFrog OIDC** to CI for npm registry access on protected runners
(follows `neondatabase/serverless` pattern).
- **Pin pnpm 10.33.0 via Corepack** `packageManager` field. CI installs
pnpm via `jf npm install -g`.
- **Update all CI workflows** (`pr.yml`, `claude.yml`,
`claude-code-review.yml`): replace bun setup/cache/install/scripts with
pnpm equivalents.
- **Add `tsx`** as devDependency for TS script execution (replaces `bun
run scripts/*.ts`).
- **Rewrite preinstall registry validation script** for pnpm (validates
`.npmrc` instead of generating `bunfig.toml`).
- **Update docs** (CLAUDE.md, README.md) to reflect pnpm workflow.

- [ ] CI passes: `pnpm install --frozen-lockfile`, fmt, lint, knip,
typecheck, test, build
- [ ] `pnpm-lock.yaml` contains zero registry URLs
- [ ] Verify Vercel preview deployment auto-detects pnpm from
`pnpm-lock.yaml`
- [ ] No `bun` references remain in workflows or docs

This pull request was AI-assisted by Isaac.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Shridhad Shridhad Awaiting requested review from Shridhad Shridhad is a code owner

@andrelandgraf andrelandgraf Awaiting requested review from andrelandgraf andrelandgraf is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pffigueiredo