
Migrate package management from pnpm to Bun and refresh vulnerable dependencies#47

Open
Copilot wants to merge 1 commit into dev from copilot/migrate-to-bun-and-update-packages-again

Conversation

Contributor

Copilot AI commented Mar 26, 2026

This updates the repo to use Bun as the package manager and script runner in place of pnpm, while keeping the existing runtime and test stack intact. It also refreshes the dependency set to current compatible versions and removes the audit findings reported in the project.

  • Package management

    • switch repository metadata from pnpm to bun
    • remove pnpm-only enforcement/config (only-allow, .npmrc, pnpm-lock.yaml)
    • keep the application on Node.js and keep tests on Vitest
  • Dependency updates

    • bump the TypeScript / ESLint / Vitest toolchain to the latest compatible releases
    • remove the unused direct npm dependency
    • add targeted overrides for vulnerable transitive packages:
      • flatted
      • picomatch
  • CI and container flow

    • replace pnpm setup in GitHub Actions with Bun setup
    • update workflow commands from pnpm to bun
    • update the Docker build to install dependencies and build with Bun
  • Developer workflow and docs

    • update README and CONTRIBUTING to use Bun commands
    • update VS Code Vitest command integration to run through Bun

Example of the intended behavior after this change:

{
  "packageManager": "bun@1.3.11",
  "scripts": {
    "test": "vitest run",
    "test:watch": "vitest",
    "build": "tsc"
  },
  "overrides": {
    "flatted": "3.4.2",
    "picomatch": "4.0.4"
  }
}

This means:

  • dependencies install with bun install
  • scripts run with bun run ...
  • tests still execute through Vitest, not Bun’s test runner
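The PR pins the Bun version in three places (package.json `packageManager`, the Dockerfile's `npm install --global bun@...` line, and the workflows' `bun-version:` input) and drops the pnpm lockfile. As an added example, not code from this PR or the project, the POSIX shell check below verifies that all three pins agree and that a Bun lockfile (`bun.lock` or `bun.lockb`) is committed, which is what the review comments keep coming back to. It assumes the file layout named in the PR (`package.json`, `Dockerfile`, `.github/workflows/*.yml`) and the exact line formats shown in the hunks; the fixture repositories it builds under a temp dir are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the PR: a consistency check for the Bun pin
# that this migration introduces in three places (package.json
# "packageManager", the Dockerfile's npm install line, and the workflows'
# bun-version input) plus the lockfile the reviewers ask for. Fixture files
# below are constructed here so the script runs stand-alone.
set -eu

# Version from "packageManager": "bun@X.Y.Z" in package.json.
pkg_manager_version() {
  sed -n 's/.*"packageManager": *"bun@\([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Version from a "bun@X.Y.Z" install line in a Dockerfile.
dockerfile_version() {
  sed -n 's/.*bun@\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Version from a "bun-version: X.Y.Z" input in a workflow file.
workflow_version() {
  sed -n 's/.*bun-version: *\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_repo DIR: return 0 when every pin equals the package.json pin and a Bun
# lockfile (bun.lock or bun.lockb) is committed; otherwise report and return 1.
check_repo() {
  want=$(pkg_manager_version "$1/package.json")
  if [ -z "$want" ]; then
    echo "package.json has no bun packageManager pin"
    return 1
  fi
  rc=0
  got=$(dockerfile_version "$1/Dockerfile")
  if [ "$got" != "$want" ]; then
    echo "Dockerfile pins bun@$got, package.json pins bun@$want"
    rc=1
  fi
  for wf in "$1"/.github/workflows/*.yml; do
    got=$(workflow_version "$wf")
    if [ "$got" != "$want" ]; then
      echo "$wf pins bun $got, package.json pins bun@$want"
      rc=1
    fi
  done
  if [ ! -f "$1/bun.lock" ] && [ ! -f "$1/bun.lockb" ]; then
    echo "no Bun lockfile committed, so --frozen-lockfile has nothing to enforce"
    rc=1
  fi
  return $rc
}

# make_fixture DOCKER_VER WORKFLOW_VER lockfile|none: build a constructed repo
# layout in a temp dir with package.json pinned to bun@1.3.11 (the pin used in
# this PR) and print the directory path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  printf '{\n  "packageManager": "bun@1.3.11"\n}\n' > "$dir/package.json"
  printf 'FROM node:22\nRUN npm install --global bun@%s\n' "$1" > "$dir/Dockerfile"
  printf 'steps:\n  - uses: oven-sh/setup-bun@v2\n    with:\n      bun-version: %s\n' "$2" \
    > "$dir/.github/workflows/build.yml"
  if [ "$3" = lockfile ]; then
    : > "$dir/bun.lock"
  fi
  echo "$dir"
}

main() {
  consistent=$(make_fixture 1.3.11 1.3.11 lockfile)
  drifted=$(make_fixture 1.3.10 1.3.11 none)
  for repo in "$consistent" "$drifted"; do
    if check_repo "$repo"; then
      echo "$repo: pins consistent and lockfile present"
    else
      echo "$repo: drift detected"
    fi
  done
}

main
```

Against a real checkout, call `check_repo .` from the repository root (for example as a pre-commit hook or an early CI step); the version patterns are deliberately narrow, so a pin written in a different form is reported as missing rather than silently accepted.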

@warengonzaga warengonzaga marked this pull request as ready for review March 30, 2026 12:25
Copilot AI review requested due to automatic review settings March 30, 2026 12:25
Contributor

Copilot AI left a comment


Pull request overview

This PR migrates the repository’s package management and script runner from pnpm to Bun, while updating dependency versions and aligning CI/Docker/dev docs to the new workflow.

Changes:

  • Replace pnpm usage with Bun across package.json, GitHub Actions, Dockerfile, and developer documentation.
  • Refresh the TypeScript/ESLint/Vitest toolchain and add overrides for vulnerable transitive dependencies.
  • Remove pnpm-specific enforcement/config (only-allow, .npmrc, pnpm-lock.yaml).

Reviewed changes

Copilot reviewed 8 out of 10 changed files in this pull request and generated 8 comments.

File Description
pnpm-lock.yaml Removed pnpm lockfile as part of Bun migration.
package.json Switch to Bun package manager metadata; update deps/devDeps; add overrides.
README.md Update install/run/test commands to Bun equivalents.
Dockerfile Install and use Bun for dependency installation and build steps.
CONTRIBUTING.md Update contributor workflow commands from pnpm to Bun.
.vscode/settings.json Update Vitest extension command to run via Bun.
.npmrc Remove pnpm-specific install/hoist configuration.
.gitignore Ignore non-Bun lockfiles (package-lock/yarn/pnpm).
.github/workflows/validate.yml Replace pnpm setup/commands with Bun setup/commands.
.github/workflows/build.yml Replace pnpm setup/commands with Bun setup/commands.


- name: Install dependencies
run: pnpm install --frozen-lockfile
run: bun install

Copilot AI Mar 30, 2026


As in validate.yml, bun install is not run in a frozen/locked mode. Once a Bun lockfile is committed, run installs with Bun’s frozen/locked flag so CI fails on lock drift and remains reproducible.

Suggested change
run: bun install
run: bun install --frozen-lockfile

Comment on lines +37 to 40
# Install Bun for dependency management
# Note: Version must match packageManager field in package.json (currently 1.3.11)
RUN npm install --global bun@1.3.11
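Review bot: the Bun version is hard-coded a second time here, with only the comment above to keep it in step with `packageManager` in package.json; declare it once as a build argument (`ARG BUN_VERSION=1.3.11` followed by `RUN npm install --global bun@${BUN_VERSION}`) so the two pins cannot drift apart unnoticed. Since this `RUN` fetches the Bun toolchain from the npm registry on every uncached build, the exact version pin used here is the minimum; do not loosen it to a range.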


Copilot AI Mar 30, 2026


Bun is installed in the shared base stage, which means the final runtime image also contains Bun even though the container runs node dist/app.js. Consider installing Bun only in the dependency/build stages (or using a separate runtime base) to reduce image size and attack surface.

Comment on lines 52 to 55
RUN --mount=type=bind,source=package.json,target=package.json \
--mount=type=bind,source=pnpm-lock.yaml,target=pnpm-lock.yaml \
--mount=type=bind,source=.npmrc,target=.npmrc \
--mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-pnpm-store,target=/root/.local/share/pnpm/store \
pnpm install --prod --frozen-lockfile
--mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-bun-cache,target=/root/.bun/install/cache \
bun install --production


Copilot AI Mar 30, 2026


The deps stage runs bun install --production with only package.json mounted. For reproducible builds and better caching, mount the Bun lockfile as well (bun.lockb/bun.lock) and run installs in Bun’s frozen/locked mode so dependency resolution can’t drift during image builds.

Comment on lines +64 to +65
--mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-bun-cache,target=/root/.bun/install/cache \
bun install
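Review bot: whichever Bun lockfile the repository ends up committing must be bind-mounted on this `RUN` (and on the deps stage) for `bun install` to see it; note that Bun 1.2 and later, including the 1.3.11 pinned in this PR, writes the text lockfile `bun.lock` by default, while `bun.lockb` is the older binary format, so a bind mount that names the wrong file fails the build outright rather than falling back.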

Copilot AI Mar 30, 2026


Same issue in the build stage: bun install runs without the lockfile mounted/enforced, which can produce non-reproducible builds. Mount the Bun lockfile and use the frozen/locked install option here too.

Suggested change
--mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-bun-cache,target=/root/.bun/install/cache \
bun install
--mount=type=bind,source=bun.lockb,target=bun.lockb,readonly \
--mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-bun-cache,target=/root/.bun/install/cache \
bun install --frozen-lockfile

Comment on lines +69 to 74
"overrides": {
"flatted": "3.4.2",
"picomatch": "4.0.4"
},
"packageManager": "bun@1.3.11"
}
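Review bot: the `picomatch` override forces every consumer onto 4.0.4 regardless of the semver range each one declares, and an override that crosses a major boundary changes behaviour for packages that were never tested against it; confirm that the Vitest/ESLint toolchain's own test run passes with the override in place, or scope the override to the specific dependant that pulls in the vulnerable version rather than applying it tree-wide.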

Copilot AI Mar 30, 2026


This migration removes pnpm-lock.yaml but the repo doesn’t include a Bun lockfile (bun.lockb/bun.lock). Without a committed Bun lockfile, installs in CI/Docker will be non-deterministic and can silently drift across runs. Add the Bun lockfile to the repo and ensure installs are run in a frozen/locked mode.

Comment on lines 13 to 23
- name: Checkout code
uses: actions/checkout@v6

- name: Setup pnpm
uses: pnpm/action-setup@v5
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
version: 9.15.4
bun-version: 1.3.11

- name: Setup Node.js
uses: actions/setup-node@v6
with:
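Review bot: `oven-sh/setup-bun@v2` is referenced by a mutable major tag; for a third-party action that installs the toolchain the rest of the job runs with, pin to a full commit SHA with the version in a trailing comment so a moved tag cannot change what executes in CI. The `bun-version: 1.3.11` input also duplicates the `packageManager` pin in package.json and the Dockerfile pin, so keep the three in step.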

Copilot AI Mar 30, 2026


actions/checkout@v6 and actions/setup-node@v6 are not valid released major versions (current majors are v4). This will cause the workflow to fail at runtime. Pin to the latest supported major versions instead (e.g., checkout@v4 and setup-node@v4).


- name: Install dependencies
run: pnpm install --frozen-lockfile
run: bun install

Copilot AI Mar 30, 2026


bun install is run without a lockfile being enforced (and currently there’s no Bun lockfile committed). Even after adding bun.lockb, consider running installs in CI with Bun’s frozen/locked option so the job fails if the lockfile would change.

Suggested change
run: bun install
run: bun install --frozen-lockfile

Comment on lines 15 to 27
- name: Checkout code
uses: actions/checkout@v6

- name: Setup pnpm
uses: pnpm/action-setup@v5
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
version: 9.15.4
bun-version: 1.3.11

- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '22'
cache: 'pnpm'
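Review bot: `cache: 'pnpm'` on the Setup Node.js step is left unchanged while the pnpm setup step above it is removed; actions/setup-node locates the pnpm store by running the pnpm binary, so with no pnpm on the runner this step fails before any install runs. Drop the `cache` option here (or replace it with an actions/cache step keyed on the Bun lockfile once one is committed).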


Copilot AI Mar 30, 2026


actions/checkout@v6 / actions/setup-node@v6 are not valid released major versions, so this workflow will fail. Update them to supported majors (e.g., v4).
