refactor: replace bun with pnpm

[steveiliop56]

Don't get me wrong, I am was a huge fan of Bun. A fast package-manager, bundler, runtime that does everything and works. Never had issues with it.

However, the recent rewrite oven-sh/bun#30412 in Rust makes me no longer trust Bun as whole. Not because I don't like Rust, I like Rust, not a huge fan of it, but definitely better than writing C++. The issue lies in the nature of this rewrite. The whole thing was completely generated by an LLM and merged within 1 week. I cannot trust an algorithm that tells you it's better to walk to the car wash to wash your car to rewrite over a million lines of code and I also don't believe that the Bun team itself knows how to navigate and work in the new Rust codebase. Even if the change passes tests and works, I still don't trust it will work in the future and that it's not a mess of tech debt waiting to implode. These changes should happen throughout the duration of months not weeks.

This is why this pull request completely removes all use of Bun and instead replaces it with pnpm. Tinyauth only needs a package manager, not a runtime since the frontend compiles to static files and thus, pnpm is a perfect fit. It's a fast and intelligent package manager that solves npm's headaches (massive node modules, conflicts, speed). This change shouldn't have a big impact on development, just install pnpm with npm install -g pnpm and you should be good to go (pnpm has aliases for all regular npm commands).

It's been a fun ride, Bun.

Summary by CodeRabbit

• Chores
  • Migrated the frontend toolchain from Bun to pnpm across CI, builds, containers, and local dev workflows.
  • Declared pnpm as the frontend package manager and added workspace policy settings for safer installs.
  • Pinned the development debugger version for more reproducible dev environments.
  • Restored formatting checks to include generated build artifacts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 39f61a7b-a956-448d-a9e1-fbc2b45d1c5f

📥 Commits

Reviewing files that changed from the base of the PR and between d394eb5 and 5afbc42.

📒 Files selected for processing (1)

• frontend/pnpm-workspace.yaml

✅ Files skipped from review due to trivial changes (1)

• frontend/pnpm-workspace.yaml

---

📝 Walkthrough

Walkthrough

Project-wide migration from Bun to pnpm: package metadata now declares pnpm, dependabot switches ecosystem, CI workflows and release/nightly jobs add pnpm setup and use pnpm commands, Dockerfiles and Makefile targets switch to pnpm, and contributor docs/dev Dockerfiles updated accordingly.

Changes

Migrate frontend build toolchain from Bun to pnpm

Layer / File(s)	Summary
Package manager declaration and dependency ecosystem frontend/package.json, .github/dependabot.yml	packageManager: "pnpm@11.1.2" added to frontend/package.json; dependabot entry for /frontend changed from bun to npm.
CI, nightly, and release workflow updates .github/workflows/ci.yml, .github/workflows/nightly.yml, .github/workflows/release.yml, Makefile	Workflows add pnpm/action-setup and replace Bun commands with pnpm ci, pnpm run lint, and pnpm run build (using working-directory: ./frontend where appropriate). Makefile deps and webui targets now run pnpm ci / pnpm run build.
Production Docker frontend builder stages Dockerfile, Dockerfile.distroless	Frontend builder stages replace oven/bun with node:26.1-alpine3.23, install pnpm globally, copy pnpm-lock.yaml, run pnpm ci, and build via pnpm run build.
Development containers, contributor docs, and pnpm workspace frontend/Dockerfile.dev, Dockerfile.dev, CONTRIBUTING.md, frontend/pnpm-workspace.yaml	frontend/Dockerfile.dev switches base image to Node and uses pnpm for dev; entrypoint now pnpm run dev. Dockerfile.dev pins dlv to v1.26.3. CONTRIBUTING.md updates frontend install command to pnpm ci. frontend/pnpm-workspace.yaml adds workspace policy fields.

🎯 3 (Moderate) | ⏱️ ~20 minutes

A rabbit hops from Bun to pnpm bright,
Lockfiles snug and CI takes flight,
Dockerbuilders hum with Node’s new tune,
Contributors run dev with pnpm soon,
Small changes stitched — the build feels light. 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'refactor: replace bun with pnpm' accurately and concisely describes the primary change across all modified files—systematically replacing the Bun package manager with pnpm throughout the project's CI workflows, Dockerfiles, Makefile, and frontend configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/remove-bun

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/package.json`:
- Line 13: Update the packageManager entry in package.json to the correct stable
pnpm version: replace the current "packageManager" value "pnpm@11.1.2" with
"pnpm@11.0.6" so Corepack can resolve the tool; ensure the "packageManager"
field is updated (packageManager) and commit the change so CI will pick up the
valid pnpm version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0b5d917e-6dc1-4962-9cc1-63275eed2442

📥 Commits

Reviewing files that changed from the base of the PR and between e6b291d and d51e722.

⛔ Files ignored due to path filters (2)

• frontend/bun.lock is excluded by !**/*.lock
• frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (13)

• .github/dependabot.yml
• .github/workflows/ci.yml
• .github/workflows/nightly.yml
• .github/workflows/release.yml
• CONTRIBUTING.md
• Dockerfile
• Dockerfile.dev
• Dockerfile.distroless
• Makefile
• frontend/.prettierignore
• frontend/.prettierrc
• frontend/Dockerfile.dev
• frontend/package.json

💤 Files with no reviewable changes (2)

• frontend/.prettierrc
• frontend/.prettierignore

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/ci.yml (2)

18-21: ⚡ Quick win

Add explicit Node.js setup for version control.

While ubuntu-latest runners include Node.js by default, explicitly setting up Node.js ensures a consistent, reproducible environment and prevents potential issues if the runner's default version changes.

📦 Suggested addition of setup-node step

       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      - name: Setup Node.js
+        uses: actions/setup-node@42a0a3d7c0ee6a09c7adafc7d8f1d4da3f6b1cb4 # v6
+        with:
+          node-version: '26'
+
       - name: Setup pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           package_json_file: ./frontend/package.json

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 18 - 21, Add an explicit Node.js setup
step before the "Setup pnpm" step to pin the Node version used by the runner:
insert an actions/setup-node@v3 step (e.g., with node-version: 18 or your
supported version) so the workflow deterministically installs the Node runtime
before the pnpm/action-setup step that references package_json_file
(./frontend/package.json); ensure the new step appears above the "Setup pnpm"
step in the job and uses the chosen node-version input.

---

18-47: ⚡ Quick win

Consider adding dependency caching for faster CI runs.

Adding caching for pnpm dependencies would significantly improve CI performance by avoiding re-downloading packages on every run.

⚡ Suggested pnpm caching configuration

Some versions of pnpm/action-setup include built-in caching. Check if your version supports it, or add explicit caching:

Option 1: Using setup-node with pnpm cache (if you add setup-node step)

       - name: Setup Node.js
         uses: actions/setup-node@42a0a3d7c0ee6a09c7adafc7d8f1d4da3f6b1cb4 # v6
         with:
           node-version: '26'
+          cache: 'pnpm'
+          cache-dependency-path: './frontend/pnpm-lock.yaml'

Option 2: Explicit cache action

       - name: Setup pnpm
         uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           package_json_file: ./frontend/package.json

+      - name: Cache pnpm store
+        uses: actions/cache@v4
+        with:
+          path: ~/.local/share/pnpm/store
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('frontend/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 18 - 47, Add caching steps to the
workflow to speed up CI: add an actions/cache step keyed on
frontend/node_modules/.pnpm-store (or pnpm store path used by pnpm/action-setup)
and the package-lock/sha of frontend/package.json around the "Setup pnpm" /
"Install frontend dependencies" steps to restore/save the pnpm store, and add a
separate actions/cache for Go modules (GOMODCACHE or ${{ runner.os }}-go-${{
hashFiles('**/go.sum') }}) around the "Go dependencies" step; reference the
existing step names ("Setup pnpm", "Install frontend dependencies", "Go
dependencies") and the action pnpm/action-setup to locate where to insert the
cache restore+save steps.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 18-21: The "Setup pnpm" GitHub Action currently uses
pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 with the
package_json_file input which is affected by a v6 bug; update the action usage
in the pnpm setup step (the step named "Setup pnpm" that uses pnpm/action-setup)
to explicitly set the pnpm version via the with: version input (e.g., version:
11.1.1) or alternatively bump the action to pnpm/action-setup v7+ so the
package_json_file workaround is not needed.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 18-21: Add an explicit Node.js setup step before the "Setup pnpm"
step to pin the Node version used by the runner: insert an actions/setup-node@v3
step (e.g., with node-version: 18 or your supported version) so the workflow
deterministically installs the Node runtime before the pnpm/action-setup step
that references package_json_file (./frontend/package.json); ensure the new step
appears above the "Setup pnpm" step in the job and uses the chosen node-version
input.
- Around line 18-47: Add caching steps to the workflow to speed up CI: add an
actions/cache step keyed on frontend/node_modules/.pnpm-store (or pnpm store
path used by pnpm/action-setup) and the package-lock/sha of
frontend/package.json around the "Setup pnpm" / "Install frontend dependencies"
steps to restore/save the pnpm store, and add a separate actions/cache for Go
modules (GOMODCACHE or ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}) around
the "Go dependencies" step; reference the existing step names ("Setup pnpm",
"Install frontend dependencies", "Go dependencies") and the action
pnpm/action-setup to locate where to insert the cache restore+save steps.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 74b0c56d-ce63-4387-b789-5703c61ec9a0

📥 Commits

Reviewing files that changed from the base of the PR and between d51e722 and d394eb5.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/nightly.yml
• .github/workflows/release.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/release.yml
• .github/workflows/nightly.yml

[scottmckendry]

lgtm

rip bun 🪦