bun: preserve configVersion field in lockfiles (#13694)

a-schur · yeikel · web-flow · commit 72b5bf159af9 · 2025-12-04T15:42:41.000-06:00
* bun: preserve configVersion field in lockfiles Fixes #13623 Upgrades Bun from v1.2.5 to v1.3.3 and updates the lockfile parser to recognize and preserve the configVersion field introduced in Bun v1.3.2. The configVersion field (0 or 1) indicates which install behavior Bun should use: - 0: existing projects using the hoisted linker - 1: new projects with the isolated linker for workspace support Changes: - Upgrade BUN_VERSION from 1.2.5 to 1.3.3 in Dockerfile - Add configVersion validation in BunLock parser - Add test fixtures with configVersion field - Add test coverage for valid and invalid configVersion values * clarified configVersion preservation comments * Update bun/lib/dependabot/bun/file_parser/bun_lock.rb Co-authored-by: Yeikel Santana <email@yeikel.com> --------- Co-authored-by: Yeikel Santana <email@yeikel.com>
diff --git a/bun/Dockerfile b/bun/Dockerfile
@@ -5,7 +5,7 @@ FROM ghcr.io/dependabot/dependabot-updater-core
 ARG COREPACK_VERSION=0.33.0
 
 # Check for updates at https://github.com/oven-sh/bun/releases
-ARG BUN_VERSION=1.2.5
+ARG BUN_VERSION=1.3.3
 
 # See https://github.com/nodesource/distributions#installation-instructions
 ARG NODEJS_VERSION=20
diff --git a/bun/lib/dependabot/bun/file_parser/bun_lock.rb b/bun/lib/dependabot/bun/file_parser/bun_lock.rb
@@ -32,6 +32,16 @@ def parsed
             raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
             raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
 
+            # configVersion was introduced in Bun v1.3.2 to control install behavior.
+            # When present, it must be preserved or Bun will use different install defaults.
+            # See https://bun.sh/blog/bun-v1.3.2#lockfile-configversion-stabilizes-install-defaults
+            if content.key?("configVersion")
+              config_version = content["configVersion"]
+              unless config_version.is_a?(Integer) && config_version >= 0
+                raise_invalid!("expected 'configVersion' to be a non-negative integer")
+              end
+            end
+
             T.let(content, T.untyped)
           end
         end
diff --git a/bun/spec/dependabot/bun/file_parser/lockfile_parser_spec.rb b/bun/spec/dependabot/bun/file_parser/lockfile_parser_spec.rb
@@ -37,6 +37,29 @@
         end
       end
 
+      context "when the configVersion is invalid" do
+        let(:dependency_files) do
+          [
+            Dependabot::DependencyFile.new(
+              name: "package.json",
+              content: '{"dependencies": {"etag": "^1.0.0"}}'
+            ),
+            Dependabot::DependencyFile.new(
+              name: "bun.lock",
+              content: '{"lockfileVersion": 0, "configVersion": "invalid", "workspaces": {}, "packages": {}}'
+            )
+          ]
+        end
+
+        it "raises a DependencyFileNotParseable error" do
+          expect { dependencies }
+            .to raise_error(Dependabot::DependencyFileNotParseable) do |error|
+              expect(error.file_name).to eq("bun.lock")
+              expect(error.message).to include("configVersion")
+            end
+        end
+      end
+
       context "when dealing with v0 format" do
         context "with a simple project" do
           let(:dependency_files) { project_dependency_files("bun/simple_v0") }
@@ -90,6 +113,24 @@
           expect(dependencies.length).to eq(17)
         end
       end
+
+      context "when the lockfile has configVersion" do
+        context "with configVersion: 0" do
+          let(:dependency_files) { project_dependency_files("bun/simple_v0_with_config_version") }
+
+          it "parses dependencies properly" do
+            expect(dependencies.find { |d| d.name == "fetch-factory" }).to have_attributes(
+              name: "fetch-factory",
+              version: "0.0.1"
+            )
+            expect(dependencies.find { |d| d.name == "etag" }).to have_attributes(
+              name: "etag",
+              version: "1.8.1"
+            )
+            expect(dependencies.length).to eq(11)
+          end
+        end
+      end
     end
   end
 end
diff --git a/bun/spec/fixtures/projects/bun/simple_v0_with_config_version/bun.lock b/bun/spec/fixtures/projects/bun/simple_v0_with_config_version/bun.lock
@@ -0,0 +1,37 @@
+{
+  "lockfileVersion": 0,
+  "configVersion": 0,
+  "workspaces": {
+    "": {
+      "dependencies": {
+        "fetch-factory": "^0.0.1",
+      },
+      "devDependencies": {
+        "etag": "^1.0.0",
+      },
+    },
+  },
+  "packages": {
+    "encoding": ["encoding@0.1.13", "", { "dependencies": { "iconv-lite": "^0.6.2" } }, "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A=="],
+
+    "es6-promise": ["es6-promise@3.3.1", "", {}, "sha512-SOp9Phqvqn7jtEUxPWdWfWoLmyt2VaJ6MpvP9Comy1MceMXqE6bxvaTu4iaxpYYPzhny28Lc+M87/c2cPK6lDg=="],
+
+    "etag": ["etag@1.8.1", "", {}, "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="],
+
+    "fetch-factory": ["fetch-factory@0.0.1", "", { "dependencies": { "es6-promise": "^3.0.2", "isomorphic-fetch": "^2.1.1", "lodash": "^3.10.1" } }, "sha512-gexRwqIhwzDJ2pJvL0UYfiZwW06/bdYWxAmswFFts7C87CF8i6liApihTk7TZFYMDcQjvvDIvyHv0q379z0aWA=="],
+
+    "iconv-lite": ["iconv-lite@0.6.3", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="],
+
+    "is-stream": ["is-stream@1.1.0", "", {}, "sha512-uQPm8kcs47jx38atAcWTVxyltQYoPT68y9aWYdV6yWXSyW8mzSat0TL6CiWdZeCdF3KrAvpVtnHbTv4RN+rqdQ=="],
+
+    "isomorphic-fetch": ["isomorphic-fetch@2.2.1", "", { "dependencies": { "node-fetch": "^1.0.1", "whatwg-fetch": ">=0.10.0" } }, "sha512-9c4TNAKYXM5PRyVcwUZrF3W09nQ+sO7+jydgs4ZGW9dhsLG2VOlISJABombdQqQRXCwuYG3sYV/puGf5rp0qmA=="],
+
+    "lodash": ["lodash@3.10.1", "", {}, "sha512-9mDDwqVIma6OZX79ZlDACZl8sBm0TEnkf99zV3iMA4GzkIT/9hiqP5mY0HoT1iNLCrKc/R1HByV+yJfRWVJryQ=="],
+
+    "node-fetch": ["node-fetch@1.7.3", "", { "dependencies": { "encoding": "^0.1.11", "is-stream": "^1.0.1" } }, "sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ=="],
+
+    "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
+
+    "whatwg-fetch": ["whatwg-fetch@3.6.20", "", {}, "sha512-EqhiFU6daOA8kpjOWTL0olhVOF3i7OrFzSYiGsEMB8GcXS+RrzauAERX65xMeNWVqxA6HXH2m69Z9LaKKdisfg=="],
+  }
+}
diff --git a/bun/spec/fixtures/projects/bun/simple_v0_with_config_version/package.json b/bun/spec/fixtures/projects/bun/simple_v0_with_config_version/package.json
@@ -0,0 +1,8 @@
+{
+  "dependencies": {
+    "fetch-factory": "^0.0.1"
+  },
+  "devDependencies": {
+    "etag": "^1.0.0"
+  }
+}
diff --git a/bun/spec/fixtures/projects/bun/simple_v1/bun.lock b/bun/spec/fixtures/projects/bun/simple_v1/bun.lock
@@ -1,5 +1,6 @@
 {
   "lockfileVersion": 1,
+  "configVersion": 1,
   "workspaces": {
     "": {
       "name": "project_new",

-Original file line number
+Diff line change
@@ @@ -0,0 +1,37 @@ @@
 +{
 +  "lockfileVersion": 0,
 +  "configVersion": 0,
 +  "workspaces": {
 +    "": {
 +      "dependencies": {
 +        "fetch-factory": "^0.0.1",
 +      },
 +      "devDependencies": {
 +        "etag": "^1.0.0",
 +      },
 +    },
 +  },
 +  "packages": {
 +    "encoding": ["[email protected]", "", { "dependencies": { "iconv-lite": "^0.6.2" } }, "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A=="],
++
 +    "es6-promise": ["[email protected]", "", {}, "sha512-SOp9Phqvqn7jtEUxPWdWfWoLmyt2VaJ6MpvP9Comy1MceMXqE6bxvaTu4iaxpYYPzhny28Lc+M87/c2cPK6lDg=="],
++
 +    "etag": ["[email protected]", "", {}, "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="],
++
 +    "fetch-factory": ["[email protected]", "", { "dependencies": { "es6-promise": "^3.0.2", "isomorphic-fetch": "^2.1.1", "lodash": "^3.10.1" } }, "sha512-gexRwqIhwzDJ2pJvL0UYfiZwW06/bdYWxAmswFFts7C87CF8i6liApihTk7TZFYMDcQjvvDIvyHv0q379z0aWA=="],
++
 +    "iconv-lite": ["[email protected]", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="],
++
 +    "is-stream": ["[email protected]", "", {}, "sha512-uQPm8kcs47jx38atAcWTVxyltQYoPT68y9aWYdV6yWXSyW8mzSat0TL6CiWdZeCdF3KrAvpVtnHbTv4RN+rqdQ=="],
++
 +    "isomorphic-fetch": ["[email protected]", "", { "dependencies": { "node-fetch": "^1.0.1", "whatwg-fetch": ">=0.10.0" } }, "sha512-9c4TNAKYXM5PRyVcwUZrF3W09nQ+sO7+jydgs4ZGW9dhsLG2VOlISJABombdQqQRXCwuYG3sYV/puGf5rp0qmA=="],
++
 +    "lodash": ["[email protected]", "", {}, "sha512-9mDDwqVIma6OZX79ZlDACZl8sBm0TEnkf99zV3iMA4GzkIT/9hiqP5mY0HoT1iNLCrKc/R1HByV+yJfRWVJryQ=="],
++
 +    "node-fetch": ["[email protected]", "", { "dependencies": { "encoding": "^0.1.11", "is-stream": "^1.0.1" } }, "sha512-NhZ4CsKx7cYm2vSrBAr2PvFOe6sWDf0UYLRqA6svUYg7+/TSfVAu49jYC4BvQ4Sms9SZgdqGBgroqfDhJdTyKQ=="],
++
 +    "safer-buffer": ["[email protected]", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
++
 +    "whatwg-fetch": ["[email protected]", "", {}, "sha512-EqhiFU6daOA8kpjOWTL0olhVOF3i7OrFzSYiGsEMB8GcXS+RrzauAERX65xMeNWVqxA6HXH2m69Z9LaKKdisfg=="],
 +  }
 +}
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"lockfileVersion": 1,`
	`3`	`+ "configVersion": 1,`
`3`	`4`	`"workspaces": {`
`4`	`5`	`"": {`
`5`	`6`	`"name": "project_new",`