chore: switch package manager from bun to pnpm#967
Conversation
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| "packageManager": "pnpm@10.11.0", | ||
| "pnpm": { | ||
| "patchedDependencies": { | ||
| "@stricli/core": "patches/@stricli%2Fcore@1.2.5.patch", |
There was a problem hiding this comment.
Patch version mismatch after silent dependency bump
Low Severity
The @stricli/core patch file was created for version 1.2.5 (confirmed in bun.lock), but under pnpm the patchedDependencies key omits the version ("@stricli/core" instead of bun's "@stricli/core@1.2.5"), and the lockfile now resolves to version 1.2.7. The patch applies today, but without a version qualifier in the key, any future pnpm update could bump @stricli/core further, potentially causing the patch to silently fail or produce incorrect behavior if the patched lines in dist/index.js change.
Reviewed by Cursor Bugbot for commit 124766a. Configure here.
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| }, | ||
| "onlyBuiltDependencies": [ | ||
| "esbuild" | ||
| ] |
There was a problem hiding this comment.
Bug: The pnpm patch for @stricli/core uses a name-only key. If a future update changes the patched lines, the patch will silently fail, breaking the sentry api command.
Severity: MEDIUM
Suggested Fix
Change the patch key in package.json from the name-only "@stricli/core" to a versioned key like "@stricli/core@1.2.5" or a range like "@stricli/core@*". This will cause pnpm to error out if the patch cannot be applied, preventing silent failures in the future.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: package.json#L84
Potential issue: The `pnpm` patch for `@stricli/core` is configured with a name-only key
(`"@stricli/core"`) instead of a version-specific one. This patch, written for version
`1.2.5`, is being applied to `1.2.7`. While it may apply successfully now, `pnpm` v10
silently ignores patch application failures for name-only keys. If a future version of
`@stricli/core` changes the code at the patched location, the patch will fail to apply
silently. This would leave the `H` alias in `stricli`'s reserved list, causing
`src/commands/api.ts` to throw an error on load and making the `sentry api` command
completely non-functional.
Did we get this right? 👍 / 👎 to inform future reviews.
BYK
force-pushed
the
chore/switch-to-pnpm
branch
3 times, most recently
from
0c43a41 to
ba2f136
Compare
| "patchedDependencies": { | ||
| "@stricli/core": "patches/@stricli%2Fcore@1.2.5.patch", | ||
| "@sentry/node-core": "patches/@sentry%2Fnode-core@10.50.0.patch", | ||
| "@sentry/core": "patches/@sentry%2Fcore@10.50.0.patch" |
There was a problem hiding this comment.
Bug: Migrating to pnpm's name-only patchedDependencies keys will cause patch failures to be silently ignored on future version updates, potentially shipping unpatched packages to production.
Severity: HIGH
Suggested Fix
To ensure patch failures are not silent, change the name-only keys in patchedDependencies to use a version range, such as *. For example, change "@sentry/core" to "@sentry/core@*". According to pnpm documentation, using a version range like * will cause patch application failures to throw an error, preventing silent failures.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: package.json#L77-L80
Potential issue: The migration to `pnpm` changes `patchedDependencies` in `package.json`
to use name-only keys (e.g., `@sentry/core`) instead of version-specific ones. With
`pnpm`, name-only keys silently ignore patch application failures by default. If a
future dependency update causes a patch to become incompatible (e.g., `@sentry/core` is
updated), the patch will fail silently. This would result in the unpatched package, with
heavyweight modules that were meant to be stripped, being included in production builds,
causing significant bundle bloat or incorrect behavior without any warning.
![sentry-warden[bot]](https://avatars.githubusercontent.com/in/2755838?s=60&v=4){kind=small}
BYK
force-pushed
the
chore/switch-to-pnpm
branch
5 times, most recently
from
b9a4fdd to
b1acf35
Compare
Codecov Results 📊✅ 6969 passed | Total: 6969 | Pass Rate: 100% | Execution Time: 0ms 📊 Comparison with Base Branch
✨ No test changes detected All tests are passing successfully. ✅ Patch coverage is 100.00%. Project has 14103 uncovered lines. Coverage diff@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 77.06% 77.09% +0.03%
==========================================
Files 320 320 —
Lines 61608 61570 -38
Branches 0 0 —
==========================================
+ Hits 47475 47467 -8
- Misses 14133 14103 -30
- Partials 0 0 —Generated by Codecov Action |
Switch the project's package manager from bun to pnpm while keeping bun as the TS runner and test runner for now (incremental migration). Changes: - Set packageManager to pnpm@10.11.0 - Move patchedDependencies into pnpm config section - Add onlyBuiltDependencies for esbuild build script approval - Add @sentry/core and @clack/prompts as explicit devDependencies (were phantom deps hoisted by bun's flat node_modules) - Generate pnpm-lock.yaml All 6968 unit tests pass. One pre-existing test fragility (sdk.run auth test) surfaces under pnpm's strict hoisting but is unrelated to this change.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 414cd3a. Configure here.
| "lint": "bunx ultracite check", | ||
| "lint:fix": "bunx ultracite fix", | ||
| "lint": "biome check --no-errors-on-unmatched --max-diagnostics=none ./", | ||
| "lint:fix": "biome check --write --no-errors-on-unmatched --max-diagnostics=none ./", |
There was a problem hiding this comment.
Unused ultracite dependency after lint script change
Low Severity
The lint and lint:fix scripts were changed from bunx ultracite check/bunx ultracite fix to direct biome check invocations, but ultracite remains in devDependencies at line 49. No script or source file references ultracite anymore, making it a dead dependency that adds unnecessary install weight.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 414cd3a. Configure here.
1 participant
Summary
First step of the Bun → Node.js migration. Switches the project's package manager from bun to pnpm while keeping bun as the TS runner and test runner for now (incremental migration).
Changes
packageManagertopnpm@10.11.0patchedDependenciesintopnpmconfig section (pnpm nests it under"pnpm": {})onlyBuiltDependencies: ["esbuild"]for pnpm's build script approval@sentry/coreand@clack/promptsas explicitdevDependencies— these were phantom deps hoisted by bun's flatnode_modulesbut imported directly by source codepnpm-lock.yamlTest results
All 6968 unit tests pass under
bun testwith pnpm'snode_modules. One pre-existing test fragility (sdk.run throws when auth is required but missingintest/lib/index.test.ts) surfaces under pnpm's strict hoisting — the mock fetch returns empty 200s which prevents the expected auth error. This is unrelated to this change and will be addressed separately.Notes
bun.lockis intentionally kept for now — will be removed in a cleanup PR after the full migration@stricli/core,@sentry/core,@sentry/node-core) apply successfully under pnpmbun run/bun testinternally — migrating those totsx/vitestis a separate step