dependabot-npm_and_yarn 0.292.0 → 0.294.0

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -110,7 +110,8 @@ module Dependabot
         {
           npm: package_lock || shrinkwrap,
           yarn: yarn_lock,
-          pnpm: pnpm_lock
+          pnpm: pnpm_lock,
+          bun: bun_lock
         }
       end
 
@@ -142,49 +143,56 @@ module Dependabot
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def shrinkwrap
         @shrinkwrap ||= T.let(dependency_files.find do |f|
-          f.name == NpmPackageManager::SHRINKWRAP_LOCKFILE_NAME
+          f.name.end_with?(NpmPackageManager::SHRINKWRAP_LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def package_lock
         @package_lock ||= T.let(dependency_files.find do |f|
-          f.name == NpmPackageManager::LOCKFILE_NAME
+          f.name.end_with?(NpmPackageManager::LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def yarn_lock
         @yarn_lock ||= T.let(dependency_files.find do |f|
-          f.name == YarnPackageManager::LOCKFILE_NAME
+          f.name.end_with?(YarnPackageManager::LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pnpm_lock
         @pnpm_lock ||= T.let(dependency_files.find do |f|
-          f.name == PNPMPackageManager::LOCKFILE_NAME
+          f.name.end_with?(PNPMPackageManager::LOCKFILE_NAME)
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def bun_lock
+        @bun_lock ||= T.let(dependency_files.find do |f|
+          f.name.end_with?(BunPackageManager::LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def npmrc
         @npmrc ||= T.let(dependency_files.find do |f|
-          f.name == NpmPackageManager::RC_FILENAME
+          f.name.end_with?(NpmPackageManager::RC_FILENAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def yarnrc
         @yarnrc ||= T.let(dependency_files.find do |f|
-          f.name == YarnPackageManager::RC_FILENAME
+          f.name.end_with?(YarnPackageManager::RC_FILENAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(DependencyFile)) }
       def yarnrc_yml
         @yarnrc_yml ||= T.let(dependency_files.find do |f|
-          f.name == YarnPackageManager::RC_YML_FILENAME
+          f.name.end_with?(YarnPackageManager::RC_YML_FILENAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
@@ -204,7 +212,7 @@ module Dependabot
             next unless requirement.is_a?(String)
 
             # Skip dependencies using Yarn workspace cross-references as requirements
-            next if requirement.start_with?("workspace:")
+            next if requirement.start_with?("workspace:", "catalog:")
 
             requirement = "*" if requirement == ""
             dep = build_dependency(

data/lib/dependabot/npm_and_yarn/file_updater/bun_lockfile_updater.rb

@@ -0,0 +1,144 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/update_checker/registry_finder"
+require "dependabot/npm_and_yarn/registry_parser"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      class BunLockfileUpdater
+        require_relative "npmrc_builder"
+        require_relative "package_json_updater"
+
+        def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @repo_contents_path = repo_contents_path
+          @credentials = credentials
+        end
+
+        def updated_bun_lock_content(bun_lock)
+          @updated_bun_lock_content ||= {}
+          return @updated_bun_lock_content[bun_lock.name] if @updated_bun_lock_content[bun_lock.name]
+
+          new_content = run_bun_update(bun_lock: bun_lock)
+          @updated_bun_lock_content[bun_lock.name] = new_content
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_bun_lock_updater_error(e, bun_lock)
+        end
+
+        private
+
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :repo_contents_path
+        attr_reader :credentials
+
+        ERR_PATTERNS = {
+          /get .* 404/i => Dependabot::DependencyNotFound,
+          /installfailed cloning repository/i => Dependabot::DependencyNotFound,
+          /file:.* failed to resolve/i => Dependabot::DependencyNotFound,
+          /no version matching/i => Dependabot::DependencyFileNotResolvable,
+          /failed to resolve/i => Dependabot::DependencyFileNotResolvable
+        }.freeze
+
+        def run_bun_update(bun_lock:)
+          SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+            File.write(".npmrc", npmrc_content(bun_lock))
+
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              run_bun_updater
+
+              write_final_package_json_files
+
+              run_bun_install
+
+              File.read(bun_lock.name)
+            end
+          end
+        end
+
+        def run_bun_updater
+          dependency_updates = dependencies.map do |d|
+            "#{d.name}@#{d.version}"
+          end.join(" ")
+
+          Helpers.run_bun_command(
+            "install #{dependency_updates} --save-text-lockfile",
+            fingerprint: "install <dependency_updates> --save-text-lockfile"
+          )
+        end
+
+        def run_bun_install
+          Helpers.run_bun_command(
+            "install --save-text-lockfile"
+          )
+        end
+
+        def lockfile_dependencies(lockfile)
+          @lockfile_dependencies ||= {}
+          @lockfile_dependencies[lockfile.name] ||=
+            NpmAndYarn::FileParser.new(
+              dependency_files: [lockfile, *package_files],
+              source: nil,
+              credentials: credentials
+            ).parse
+        end
+
+        def handle_bun_lock_updater_error(error, _bun_lock)
+          error_message = error.message
+
+          ERR_PATTERNS.each do |pattern, error_class|
+            raise error_class, error_message if error_message.match?(pattern)
+          end
+
+          raise error
+        end
+
+        def write_final_package_json_files
+          package_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, updated_package_json_content(file))
+          end
+        end
+
+        def npmrc_content(bun_lock)
+          NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files,
+            dependencies: lockfile_dependencies(bun_lock)
+          ).npmrc_content
+        end
+
+        def updated_package_json_content(file)
+          @updated_package_json_content ||= {}
+          @updated_package_json_content[file.name] ||=
+            PackageJsonUpdater.new(
+              package_json: file,
+              dependencies: dependencies
+            ).updated_package_json.content
+        end
+
+        def package_files
+          @package_files ||= dependency_files.select { |f| f.name.end_with?("package.json") }
+        end
+
+        def base_dir
+          dependency_files.first.directory
+        end
+
+        def npmrc_file
+          dependency_files.find { |f| f.name == ".npmrc" }
+        end
+
+        def sanitize_message(message)
+          message.gsub(/"|\[|\]|\}|\{/, "")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -18,6 +18,10 @@ module Dependabot
           @dependency_files = dependency_files
           @repo_contents_path = repo_contents_path
           @credentials = credentials
+          @error_handler = PnpmErrorHandler.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files
+          )
         end
 
         def updated_pnpm_lock_content(pnpm_lock)
@@ -36,6 +40,7 @@ module Dependabot
         attr_reader :dependency_files
         attr_reader :repo_contents_path
         attr_reader :credentials
+        attr_reader :error_handler
 
         IRRESOLVABLE_PACKAGE = "ERR_PNPM_NO_MATCHING_VERSION"
         INVALID_REQUIREMENT = "ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER"
@@ -46,12 +51,12 @@ module Dependabot
         UNAUTHORIZED_PACKAGE = /ERR_PNPM_FETCH_401[ [^:print:]]+GET (?<dependency_url>.*): Unauthorized - 401/
 
         # ERR_PNPM_FETCH ERROR CODES
-        ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*):  - 401/
-        ERR_PNPM_FETCH_403 = /ERR_PNPM_FETCH_403.*GET (?<dependency_url>.*):  - 403/
-        ERR_PNPM_FETCH_404 = /ERR_PNPM_FETCH_404.*GET (?<dependency_url>.*):  - 404/
-        ERR_PNPM_FETCH_500 = /ERR_PNPM_FETCH_500.*GET (?<dependency_url>.*):  - 500/
-        ERR_PNPM_FETCH_502 = /ERR_PNPM_FETCH_502.*GET (?<dependency_url>.*):  - 502/
-        ERR_PNPM_FETCH_503 = /ERR_PNPM_FETCH_503.*GET (?<dependency_url>.*):  - 503/
+        ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_403 = /ERR_PNPM_FETCH_403.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_404 = /ERR_PNPM_FETCH_404.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_500 = /ERR_PNPM_FETCH_500.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_502 = /ERR_PNPM_FETCH_502.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_503 = /ERR_PNPM_FETCH_503.*GET (?<dependency_url>.*):/
 
         # ERR_PNPM_UNSUPPORTED_ENGINE
         ERR_PNPM_UNSUPPORTED_ENGINE = /ERR_PNPM_UNSUPPORTED_ENGINE/
@@ -62,6 +67,13 @@ module Dependabot
 
         ERR_PNPM_PATCH_NOT_APPLIED = /ERR_PNPM_PATCH_NOT_APPLIED/
 
+        # this intermittent issue is related with Node v20
+        ERR_INVALID_THIS = /ERR_INVALID_THIS/
+        URL_SEARCH_PARAMS = /URLSearchParams/
+
+        # A modules directory is present and is linked to a different store directory.
+        ERR_PNPM_UNEXPECTED_STORE = /ERR_PNPM_UNEXPECTED_STORE/
+
         # ERR_PNPM_UNSUPPORTED_PLATFORM
         ERR_PNPM_UNSUPPORTED_PLATFORM = /ERR_PNPM_UNSUPPORTED_PLATFORM/
         PLATFORM_PACAKGE_DEP = /Unsupported platform for (?<dep>.*)\: wanted/
@@ -78,12 +90,22 @@ module Dependabot
         ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND = /ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND*.*Could not install from \"(?<dir>.*)\" /
         ERR_PNPM_WORKSPACE_PKG_NOT_FOUND = /ERR_PNPM_WORKSPACE_PKG_NOT_FOUND/
 
+        # Unparsable package.json file
+        ERR_PNPM_INVALID_PACKAGE_JSON = /Invalid package.json in package/
+
+        # Unparsable lockfile
+        ERR_PNPM_UNEXPECTED_PKG_CONTENT_IN_STORE = /ERR_PNPM_UNEXPECTED_PKG_CONTENT_IN_STORE/
+        ERR_PNPM_OUTDATED_LOCKFILE = /ERR_PNPM_OUTDATED_LOCKFILE/
+
+        # Peer dependencies configuration error
+        ERR_PNPM_PEER_DEP_ISSUES = /ERR_PNPM_PEER_DEP_ISSUES/
+
         def run_pnpm_update(pnpm_lock:)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
-              run_pnpm_updater
+              run_pnpm_update_packages
 
               write_final_package_json_files
 
@@ -94,15 +116,22 @@ module Dependabot
           end
         end
 
-        def run_pnpm_updater
+        def run_pnpm_update_packages
           dependency_updates = dependencies.map do |d|
             "#{d.name}@#{d.version}"
           end.join(" ")
 
-          Helpers.run_pnpm_command(
-            "install #{dependency_updates} --lockfile-only --ignore-workspace-root-check",
-            fingerprint: "install <dependency_updates> --lockfile-only --ignore-workspace-root-check"
-          )
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
+            Helpers.run_pnpm_command(
+              "update #{dependency_updates}  --lockfile-only --no-save -r",
+              fingerprint: "update <dependency_updates>  --lockfile-only --no-save -r"
+            )
+          else
+            Helpers.run_pnpm_command(
+              "install #{dependency_updates} --lockfile-only --ignore-workspace-root-check",
+              fingerprint: "install <dependency_updates> --lockfile-only --ignore-workspace-root-check"
+            )
+          end
         end
 
         def run_pnpm_install
@@ -196,15 +225,46 @@ module Dependabot
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
+          if error_message.match?(ERR_PNPM_INVALID_PACKAGE_JSON) || error_message.match?(ERR_PNPM_UNEXPECTED_STORE)
+            msg = "Error while resolving package.json."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          [ERR_PNPM_UNEXPECTED_PKG_CONTENT_IN_STORE, ERR_PNPM_OUTDATED_LOCKFILE]
+            .each do |regexp|
+            next unless error_message.match?(regexp)
+
+            error_msg = T.let("Error while resolving pnpm-lock.yaml file.", String)
+
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, error_msg
+          end
+
+          if error_message.match?(ERR_PNPM_PEER_DEP_ISSUES)
+            msg = "Missing or invalid configuration while installing peer dependencies."
+
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
           raise_patch_dependency_error(error_message) if error_message.match?(ERR_PNPM_PATCH_NOT_APPLIED)
 
           raise_unsupported_engine_error(error_message, pnpm_lock) if error_message.match?(ERR_PNPM_UNSUPPORTED_ENGINE)
 
+          if error_message.match?(ERR_INVALID_THIS) && error_message.match?(URL_SEARCH_PARAMS)
+            msg = "Error while resolving dependencies."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
           if error_message.match?(ERR_PNPM_UNSUPPORTED_PLATFORM)
             raise_unsupported_platform_error(error_message,
                                              pnpm_lock)
           end
 
+          error_handler.handle_pnpm_error(error)
+
           raise
         end
         # rubocop:enable Metrics/AbcSize
@@ -314,5 +374,60 @@ module Dependabot
         end
       end
     end
+
+    class PnpmErrorHandler
+      extend T::Sig
+
+      # remote connection closed
+      ECONNRESET_ERROR = /ECONNRESET/
+
+      # socket hang up error code
+      SOCKET_HANG_UP = /socket hang up/
+
+      # ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC error
+      ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC = /ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC/
+
+      # duplicate package error code
+      DUPLICATE_PACKAGE = /Found duplicates/
+
+      ERR_PNPM_NO_VERSIONS = /ERR_PNPM_NO_VERSIONS/
+
+      # Initializes the YarnErrorHandler with dependencies and dependency files
+      sig do
+        params(
+          dependencies: T::Array[Dependabot::Dependency],
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
+      def initialize(dependencies:, dependency_files:)
+        @dependencies = dependencies
+        @dependency_files = dependency_files
+      end
+
+      private
+
+      sig { returns(T::Array[Dependabot::Dependency]) }
+      attr_reader :dependencies
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+
+      public
+
+      # Handles errors with specific to yarn error codes
+      sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
+      def handle_pnpm_error(error)
+        if error.message.match?(DUPLICATE_PACKAGE) || error.message.match?(ERR_PNPM_NO_VERSIONS) ||
+           error.message.match?(ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC)
+
+          raise DependencyFileNotResolvable, "Error resolving dependency"
+        end
+
+        ## Clean error message from ANSI escape codes
+        return unless error.message.match?(ECONNRESET_ERROR) || error.message.match?(SOCKET_HANG_UP)
+
+        raise InconsistentRegistryResponse, "Inconsistent registry response while resolving dependency"
+      end
+    end
   end
 end

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -18,6 +18,7 @@ module Dependabot
       require_relative "file_updater/npm_lockfile_updater"
       require_relative "file_updater/yarn_lockfile_updater"
       require_relative "file_updater/pnpm_lockfile_updater"
+      require_relative "file_updater/bun_lockfile_updater"
 
       class NoChangeError < StandardError
         extend T::Sig
@@ -47,6 +48,7 @@ module Dependabot
         ]
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
         updated_files = T.let([], T::Array[DependencyFile])
@@ -55,6 +57,22 @@ module Dependabot
         updated_files += updated_lockfiles
 
         if updated_files.none?
+
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
+            # when all dependencies are transitive
+            all_transitive = dependencies.none?(&:top_level?)
+            # when there is no update in package.json
+            no_package_json_update = package_files.empty?
+            # handle the no change error for transitive dependency updates
+            if pnpm_locks.any? && dependencies.length.positive? && all_transitive && no_package_json_update
+              raise ToolFeatureNotSupported.new(
+                tool_name: "pnpm",
+                tool_type: "package_manager",
+                feature: "updating transitive dependencies"
+              )
+            end
+          end
+
           raise NoChangeError.new(
             message: "No files were updated!",
             error_context: error_context(updated_files: updated_files)
@@ -71,6 +89,7 @@ module Dependabot
 
         vendor_updated_files(updated_files)
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       private
 
@@ -189,6 +208,15 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def bun_locks
+        @bun_locks ||= T.let(
+          filtered_dependency_files
+          .select { |f| f.name.end_with?("bun.lock") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def shrinkwraps
         @shrinkwraps ||= T.let(
@@ -217,6 +245,11 @@ module Dependabot
         pnpm_lock.content != updated_pnpm_lock_content(pnpm_lock)
       end
 
+      sig { params(bun_lock: Dependabot::DependencyFile).returns(T::Boolean) }
+      def bun_lock_changed?(bun_lock)
+        bun_lock.content != updated_bun_lock_content(bun_lock)
+      end
+
       sig { params(package_lock: Dependabot::DependencyFile).returns(T::Boolean) }
       def package_lock_changed?(package_lock)
         package_lock.content != updated_lockfile_content(package_lock)
@@ -237,6 +270,8 @@ module Dependabot
         end
       end
 
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def updated_lockfiles
         updated_files = []
@@ -259,6 +294,15 @@ module Dependabot
           )
         end
 
+        bun_locks.each do |bun_lock|
+          next unless bun_lock_changed?(bun_lock)
+
+          updated_files << updated_file(
+            file: bun_lock,
+            content: updated_bun_lock_content(bun_lock)
+          )
+        end
+
         package_locks.each do |package_lock|
           next unless package_lock_changed?(package_lock)
 
@@ -279,6 +323,8 @@ module Dependabot
 
         updated_files
       end
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
 
       sig { params(yarn_lock: Dependabot::DependencyFile).returns(String) }
       def updated_yarn_lock_content(yarn_lock)
@@ -294,6 +340,13 @@ module Dependabot
           pnpm_lockfile_updater.updated_pnpm_lock_content(pnpm_lock)
       end
 
+      sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }
+      def updated_bun_lock_content(bun_lock)
+        @updated_bun_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
+        @updated_bun_lock_content[bun_lock.name] ||=
+          bun_lockfile_updater.updated_bun_lock_content(bun_lock)
+      end
+
       sig { returns(Dependabot::NpmAndYarn::FileUpdater::YarnLockfileUpdater) }
       def yarn_lockfile_updater
         @yarn_lockfile_updater ||= T.let(
@@ -320,6 +373,19 @@ module Dependabot
         )
       end
 
+      sig { returns(Dependabot::NpmAndYarn::FileUpdater::BunLockfileUpdater) }
+      def bun_lockfile_updater
+        @bun_lockfile_updater ||= T.let(
+          BunLockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            repo_contents_path: repo_contents_path,
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::NpmAndYarn::FileUpdater::BunLockfileUpdater)
+        )
+      end
+
       sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
       def updated_lockfile_content(file)
         @updated_lockfile_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -29,6 +29,10 @@ module Dependabot
       PNPM_DEFAULT_VERSION = PNPM_V9
       PNPM_FALLBACK_VERSION = PNPM_V6
 
+      # BUN Version Constants
+      BUN_V1 = 1
+      BUN_DEFAULT_VERSION = BUN_V1
+
       # YARN Version Constants
       YARN_V3 = 3
       YARN_V2 = 2
@@ -36,6 +40,9 @@ module Dependabot
       YARN_DEFAULT_VERSION = YARN_V3
       YARN_FALLBACK_VERSION = YARN_V1
 
+      # corepack supported package managers
+      SUPPORTED_COREPACK_PACKAGE_MANAGERS = %w(npm yarn pnpm).freeze
+
       # Determines the npm version depends to the feature flag
       # If the feature flag is enabled, we are going to use the minimum version npm 8
       # Otherwise, we are going to use old versionining npm 6
@@ -159,6 +166,11 @@ module Dependabot
         PNPM_FALLBACK_VERSION
       end
 
+      sig { params(_bun_lock: T.nilable(DependencyFile)).returns(Integer) }
+      def self.bun_version_numeric(_bun_lock)
+        BUN_DEFAULT_VERSION
+      end
+
       sig { params(key: String, default_value: String).returns(T.untyped) }
       def self.fetch_yarnrc_yml_value(key, default_value)
         if File.exist?(".yarnrc.yml") && (yarnrc = YAML.load_file(".yarnrc.yml"))
@@ -315,8 +327,8 @@ module Dependabot
           package_manager_run_command(NpmPackageManager::NAME, command, fingerprint: fingerprint)
         else
           Dependabot::SharedHelpers.run_shell_command(
-            "corepack npm #{command}",
-            fingerprint: "corepack npm #{fingerprint}"
+            "npm #{command}",
+            fingerprint: "npm #{fingerprint}"
           )
         end
       end
@@ -352,6 +364,35 @@ module Dependabot
         raise
       end
 
+      sig { returns(T.nilable(String)) }
+      def self.bun_version
+        version = run_bun_command("--version", fingerprint: "--version").strip
+        if version.include?("+")
+          version.split("+").first # Remove build info, if present
+        end
+      rescue StandardError => e
+        Dependabot.logger.error("Error retrieving Bun version: #{e.message}")
+        nil
+      end
+
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def self.run_bun_command(command, fingerprint: nil)
+        full_command = "bun #{command}"
+
+        Dependabot.logger.info("Running bun command: #{full_command}")
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
+          fingerprint: "bun #{fingerprint || command}"
+        )
+
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running bun command: #{full_command}, Error: #{e.message}")
+        raise
+      end
+
       # Setup yarn and run a single yarn command returning stdout/stderr
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def self.run_yarn_command(command, fingerprint: nil)
@@ -446,6 +487,8 @@ module Dependabot
           .returns(String)
       end
       def self.package_manager_install(name, version, env: {})
+        return "Corepack does not support #{name}" unless corepack_supported_package_manager?(name)
+
         Dependabot::SharedHelpers.run_shell_command(
           "corepack install #{name}@#{version} --global --cache-only",
           fingerprint: "corepack install <name>@<version> --global --cache-only",
@@ -456,6 +499,8 @@ module Dependabot
       # Prepare the package manager for use by using corepack
       sig { params(name: String, version: String).returns(String) }
       def self.package_manager_activate(name, version)
+        return "Corepack does not support #{name}" unless corepack_supported_package_manager?(name)
+
         Dependabot::SharedHelpers.run_shell_command(
           "corepack prepare #{name}@#{version} --activate",
           fingerprint: "corepack prepare <name>@<version> --activate"
@@ -496,6 +541,8 @@ module Dependabot
         ).returns(String)
       end
       def self.package_manager_run_command(name, command, fingerprint: nil)
+        return run_bun_command(command, fingerprint: fingerprint) if name == BunPackageManager::NAME
+
         full_command = "corepack #{name} #{command}"
 
         result = Dependabot::SharedHelpers.run_shell_command(
@@ -526,6 +573,11 @@ module Dependabot
           dependency
         end
       end
+
+      sig { params(name: String).returns(T::Boolean) }
+      def self.corepack_supported_package_manager?(name)
+        SUPPORTED_COREPACK_PACKAGE_MANAGERS.include?(name)
+      end
     end
   end
 end