Separate bun from npm_and_yarn as an Independent Ecosystem (#11559)

.github/ci-filters.yml

@@ -5,6 +5,9 @@ shared: &shared
   - 'updater/Gemfil*'
   - 'omnibus/**'
   - '.github/workflows/ci.yml'
+bun:
+  - *shared
+  - 'bun/**'
 bundler:
   - *shared
   - 'bundler/**'
@@ -45,9 +48,6 @@ gradle:
 hex:
   - *shared
   - 'hex/**'
-javascript:
-  - *shared
-  - 'javascript/**'
 maven:
   - *shared
   - 'maven/**'

.github/labeler.yml

@@ -41,6 +41,7 @@
 "L: javascript":
 - changed-files:
   - any-glob-to-any-file:
+    - bun/**
     - javascript/**
     - npm_and_yarn/**
 

.github/smoke-filters.yml

@@ -7,6 +7,9 @@ common: &common
 github_actions:
   - *common
   - 'github_actions/**'
+bun:
+  - *common
+  - 'bun/**'
 bundler:
   - *common
   - 'bundler/**'
@@ -38,9 +41,6 @@ gradle:
 hex:
   - *common
   - 'hex/**'
-javascript:
-  - *common
-  - 'javascript/**'
 maven:
   - *common
   - 'maven/**'

.github/workflows/ci.yml

@@ -36,7 +36,7 @@ jobs:
           - { path: swift, name: swift, ecosystem: swift }
           - { path: devcontainers, name: devcontainers, ecosystem: devcontainers }
           - { path: terraform, name: terraform, ecosystem: terraform }
-          - { path: javascript, name: javascript, ecosystem: bun }
+          - { path: bun, name: bun, ecosystem: bun }
 
     steps:
       - name: Checkout code

.github/workflows/images-branch.yml

@@ -76,7 +76,7 @@ jobs:
           - { name: swift, ecosystem: swift }
           - { name: devcontainers, ecosystem: devcontainers }
           - { name: terraform, ecosystem: terraform }
-          - { name: javascript, ecosystem: bun }
+          - { name: bun, ecosystem: bun }
     permissions:
       contents: read
       id-token: write

Dockerfile.updater-core

@@ -82,6 +82,7 @@ COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependab
 
 COPY --chown=dependabot:dependabot common/.bundle common/dependabot-common.gemspec common/
 COPY --chown=dependabot:dependabot common/lib/dependabot.rb common/lib/dependabot.rb
+COPY --chown=dependabot:dependabot bun/.bundle bun/dependabot-bun.gemspec bun/
 COPY --chown=dependabot:dependabot bundler/.bundle bundler/dependabot-bundler.gemspec bundler/
 COPY --chown=dependabot:dependabot cargo/.bundle cargo/dependabot-cargo.gemspec cargo/
 COPY --chown=dependabot:dependabot composer/.bundle composer/dependabot-composer.gemspec composer/
@@ -94,7 +95,6 @@ COPY --chown=dependabot:dependabot github_actions/.bundle github_actions/dependa
 COPY --chown=dependabot:dependabot go_modules/.bundle go_modules/dependabot-go_modules.gemspec go_modules/
 COPY --chown=dependabot:dependabot gradle/.bundle gradle/dependabot-gradle.gemspec gradle/
 COPY --chown=dependabot:dependabot hex/.bundle hex/dependabot-hex.gemspec hex/
-COPY --chown=dependabot:dependabot javascript/.bundle javascript/dependabot-bun.gemspec javascript/
 COPY --chown=dependabot:dependabot maven/.bundle maven/dependabot-maven.gemspec maven/
 COPY --chown=dependabot:dependabot npm_and_yarn/.bundle npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
 COPY --chown=dependabot:dependabot nuget/.bundle nuget/dependabot-nuget.gemspec nuget/
@@ -105,15 +105,11 @@ COPY --chown=dependabot:dependabot swift/.bundle swift/dependabot-swift.gemspec
 COPY --chown=dependabot:dependabot terraform/.bundle terraform/dependabot-terraform.gemspec terraform/
 
 # prevent having all the source in every ecosystem image
-RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler silent swift devcontainers dotnet_sdk; do \
+RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler silent swift devcontainers dotnet_sdk bun; do \
     mkdir -p $ecosystem/lib/dependabot; \
     touch $ecosystem/lib/dependabot/$ecosystem.rb; \
   done
 
-# Special cases: 
-#  - Bun ecosystem is a special case that is under the javascript folder
-RUN mkdir -p javascript/lib/dependabot && touch javascript/lib/dependabot/bun.rb
-
 WORKDIR $DEPENDABOT_HOME/dependabot-updater
 
 # RubyGems & Bundler should be bumped together following these steps:

Gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "dependabot-bun", path: "javascript"
+gem "dependabot-bun", path: "bun"
 gem "dependabot-bundler", path: "bundler"
 gem "dependabot-cargo", path: "cargo"
 gem "dependabot-common", path: "common"

Gemfile.lock

@@ -1,3 +1,9 @@
+PATH
+  remote: bun
+  specs:
+    dependabot-bun (0.296.2)
+      dependabot-common (= 0.296.2)
+
 PATH
   remote: bundler
   specs:
@@ -97,13 +103,6 @@ PATH
     dependabot-hex (0.296.2)
       dependabot-common (= 0.296.2)
 
-PATH
-  remote: javascript
-  specs:
-    dependabot-bun (0.296.2)
-      dependabot-common (= 0.296.2)
-      zeitwerk (~> 2.7)
-
 PATH
   remote: maven
   specs:

Rakefile

@@ -35,7 +35,7 @@ GEMSPECS = %w(
   swift/dependabot-swift.gemspec
   devcontainers/dependabot-devcontainers.gemspec
   dotnet_sdk/dependabot-dotnet_sdk.gemspec
-  javascript/dependabot-bun.gemspec
+  bun/dependabot-bun.gemspec
 ).freeze
 
 def run_command(command)

bin/docker-dev-shell

@@ -119,6 +119,12 @@ docker run --rm -ti \
   -v "$(pwd)/.rubocop_todo.yml:$CODE_DIR/.rubocop_todo.yml" \
   -v "$(pwd)/.ruby-version:$CODE_DIR/.ruby-version" \
   -v "$(pwd)/bin:$CODE_DIR/bin" \
+  -v "$(pwd)/bun/.rubocop.yml:$CODE_DIR/bun/.rubocop.yml" \
+  -v "$(pwd)/bun/dependabot-bun.gemspec:$CODE_DIR/bun/dependabot-bun.gemspec" \
+  -v "$(pwd)/bun/helpers:$CODE_DIR/bun/helpers" \
+  -v "$(pwd)/bun/lib:$CODE_DIR/bun/lib" \
+  -v "$(pwd)/bun/script:$CODE_DIR/bun/script" \
+  -v "$(pwd)/bun/spec:$CODE_DIR/bun/spec" \
   -v "$(pwd)/bundler/.rubocop.yml:$CODE_DIR/bundler/.rubocop.yml" \
   -v "$(pwd)/bundler/dependabot-bundler.gemspec:$CODE_DIR/bundler/dependabot-bundler.gemspec" \
   -v "$(pwd)/bundler/helpers:$CODE_DIR/bundler/helpers" \
@@ -190,12 +196,6 @@ docker run --rm -ti \
   -v "$(pwd)/hex/lib:$CODE_DIR/hex/lib" \
   -v "$(pwd)/hex/script:$CODE_DIR/hex/script" \
   -v "$(pwd)/hex/spec:$CODE_DIR/hex/spec" \
-  -v "$(pwd)/javascript/.rubocop.yml:$CODE_DIR/javascript/.rubocop.yml" \
-  -v "$(pwd)/javascript/dependabot-bun.gemspec:$CODE_DIR/javascript/dependabot-bun.gemspec" \
-  -v "$(pwd)/javascript/helpers:$CODE_DIR/javascript/helpers" \
-  -v "$(pwd)/javascript/lib:$CODE_DIR/javascript/lib" \
-  -v "$(pwd)/javascript/script:$CODE_DIR/javascript/script" \
-  -v "$(pwd)/javascript/spec:$CODE_DIR/javascript/spec" \
   -v "$(pwd)/maven/.rubocop.yml:$CODE_DIR/maven/.rubocop.yml" \
   -v "$(pwd)/maven/dependabot-maven.gemspec:$CODE_DIR/maven/dependabot-maven.gemspec" \
   -v "$(pwd)/maven/lib:$CODE_DIR/maven/lib" \

bin/dry-run.rb

@@ -51,6 +51,7 @@
   exit 1
 end
 
+$LOAD_PATH << "./bun/lib"
 $LOAD_PATH << "./bundler/lib"
 $LOAD_PATH << "./cargo/lib"
 $LOAD_PATH << "./common/lib"
@@ -64,7 +65,6 @@
 $LOAD_PATH << "./go_modules/lib"
 $LOAD_PATH << "./gradle/lib"
 $LOAD_PATH << "./hex/lib"
-$LOAD_PATH << "./javascript/lib"
 $LOAD_PATH << "./maven/lib"
 $LOAD_PATH << "./npm_and_yarn/lib"
 $LOAD_PATH << "./nuget/lib"
@@ -112,7 +112,6 @@
 require "dependabot/go_modules"
 require "dependabot/gradle"
 require "dependabot/hex"
-require "dependabot/javascript"
 require "dependabot/maven"
 require "dependabot/npm_and_yarn"
 require "dependabot/nuget"

bun/.bundle/config

@@ -0,0 +1 @@
+BUNDLE_GEMFILE: "../dependabot-updater/Gemfile"

bun/.gitignore

@@ -0,0 +1,7 @@
+/.bundle/*
+!.bundle/config
+/.env
+/tmp
+/dependabot-*.gem
+/helpers/node_modules
+/helpers/install-dir

bun/.rubocop.yml

@@ -0,0 +1 @@
+inherit_from: ../.rubocop.yml

bun/Dockerfile

@@ -0,0 +1,66 @@
+FROM ghcr.io/dependabot/dependabot-updater-core
+
+# Check for updates at https://github.com/nodejs/corepack/releases
+ARG COREPACK_VERSION=0.31.0
+
+# Check for updates at https://github.com/pnpm/pnpm/releases
+ARG PNPM_VERSION=9.15.5
+
+# Check for updates at https://github.com/yarnpkg/berry/releases
+ARG YARN_VERSION=4.5.3
+
+# Check for updates at https://github.com/oven-sh/bun/releases
+ARG BUN_VERSION=1.2
+
+# See https://github.com/nodesource/distributions#installation-instructions
+ARG NODEJS_VERSION=20
+
+# Check for updates at https://github.com/npm/cli/releases
+# This version should be compatible with the Node.js version declared above. See https://nodejs.org/en/download/releases as well
+# TODO: Upgrade to 9.6.7 depending on the outcome of https://github.com/npm/cli/issues/6742
+ARG NPM_VERSION=9.6.5
+
+# Install Node and npm
+RUN mkdir -p /etc/apt/keyrings \
+  && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+  && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODEJS_VERSION}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends \
+  nodejs \
+  && rm -rf /var/lib/apt/lists/* \
+  && npm install -g corepack@$COREPACK_VERSION \
+  && npm install -g corepack@$COREPACK_VERSION bun@$BUN_VERSION \
+  && rm -rf ~/.npm
+
+USER dependabot
+
+# Install pnpm and set it to a stable version
+RUN corepack install pnpm@$PNPM_VERSION --global
+
+# Install yarn berry and set it to a stable version
+RUN corepack install yarn@$YARN_VERSION --global
+
+# Install npm and set it to a stable version
+RUN corepack install npm@$NPM_VERSION --global
+
+ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
+COPY --chown=dependabot:dependabot bun/helpers /opt/bun/helpers
+RUN bash /opt/bun/helpers/build
+
+# START: HACKY WORKAROUND FOR NPM GIT INSTALLS SPAWNING CHILD PROCESS
+
+# TODO: Remove these hacks once we've deprecated npm 6 support as it no longer
+# spawns a child process to npm install git dependencies.
+
+# Create the config file manually instead of using yarn/npm config set as this
+# executes the package manager outputs to every job log
+COPY --chown=dependabot:dependabot updater/config/.yarnrc updater/config/.npmrc $DEPENDABOT_HOME/
+
+# For Yarn Berry we can set this via an environment variable
+ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
+
+# END: HACKY WORKAROUND FOR NPM GIT INSTALLS SPAWNING CHILD PROCESS
+
+COPY --chown=dependabot:dependabot bun $DEPENDABOT_HOME/bun
+COPY --chown=dependabot:dependabot common $DEPENDABOT_HOME/common
+COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater

bun/README.md

@@ -0,0 +1,18 @@
+## `dependabot-bun`
+
+Bun support for [`dependabot-core`][core-repo].
+
+### Running locally
+
+1. Start a development shell
+
+  ```
+  $ bin/docker-dev-shell bun
+  ```
+
+2. Run tests
+   ```
+   [dependabot-core-dev] ~ $ cd bun && rspec
+   ```
+
+[core-repo]: https://github.com/dependabot/dependabot-core

bun/dependabot-bun.gemspec

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |spec|
+  common_gemspec =
+    Bundler.load_gemspec_uncached("../common/dependabot-common.gemspec")
+
+  spec.name         = "dependabot-bun"
+  spec.summary      = "Provides Dependabot support for Javascript"
+  spec.description  = "Dependabot-BUN provides support for bumping Javascript libraries via " \
+                      "Dependabot. " \
+                      "If you want support for multiple package managers, you probably want the meta-gem " \
+                      "dependabot-omnibus."
+
+  spec.author       = common_gemspec.author
+  spec.email        = common_gemspec.email
+  spec.homepage     = common_gemspec.homepage
+  spec.license      = common_gemspec.license
+
+  spec.metadata = {
+    "bug_tracker_uri" => common_gemspec.metadata["bug_tracker_uri"],
+    "changelog_uri" => common_gemspec.metadata["changelog_uri"]
+  }
+
+  spec.version = common_gemspec.version
+  spec.required_ruby_version = common_gemspec.required_ruby_version
+  spec.required_rubygems_version = common_gemspec.required_ruby_version
+
+  spec.require_path = "lib"
+  spec.files        = []
+
+  spec.add_dependency "dependabot-common", Dependabot::VERSION
+
+  common_gemspec.development_dependencies.each do |dep|
+    spec.add_development_dependency dep.name, *dep.requirement.as_list
+  end
+
+  next unless File.exist?("../.gitignore")
+
+  spec.files += `git -C #{__dir__} ls-files lib helpers -z`.split("\x0")
+end

bun/helpers/.eslintrc

@@ -0,0 +1,11 @@
+{
+  "extends": [
+    "prettier"
+  ],
+  "env": {
+    "node": true
+  },
+  "parserOptions": {
+    "ecmaVersion": "latest"
+  }
+}

bun/helpers/README.md

@@ -0,0 +1,29 @@
+Native JavaScript helpers
+-------------------------
+
+This directory contains helper functions for npm and yarn, natively written in
+Javascript so that we can utilize the package managers internal APIs and other
+native tooling for these ecosystems.
+
+These helpers are called from the Ruby code via `run.js`, they are passed
+arguments via stdin and return JSON data to stdout.
+
+## Testing
+
+When working on these helpers, it's convenient to write some high level tests in
+JavaScript to make it easier to debug the code.
+
+You can now run the tests from this directory by running:
+
+```
+yarn test path/to/test.js
+```
+
+### Debugging
+
+In order to run an interactive debugger:
+
+- `node --inspect-brk node_modules/.bin/jest --runInBand path/to/test/test.js`
+- In Chrome, navigate to `chrome://inspect`
+- Click `Open dedicated DevTools for Node`
+- You'll now be able to interactively debug using the Chrome dev tools.

bun/helpers/build

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -z "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
+  echo "Unable to build, DEPENDABOT_NATIVE_HELPERS_PATH is not set"
+  exit 1
+fi
+
+install_dir="$DEPENDABOT_NATIVE_HELPERS_PATH/bun"
+mkdir -p "$install_dir"
+
+helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
+cp -r \
+  "$helpers_dir/lib" \
+  "$helpers_dir/test" \
+  "$helpers_dir/run.js" \
+  "$helpers_dir/.eslintrc" \
+  "$helpers_dir/jest.config.js" \
+  "$helpers_dir/package.json" \
+  "$helpers_dir/package-lock.json" \
+  "$helpers_dir/patches" \
+  "$install_dir"
+
+cd "$install_dir"
+npm ci --no-audit --fetch-timeout=600000 --fetch-retries=5 --no-dry-run --no-ignore-scripts