Migrate package management from pnpm to Bun and refresh vulnerable dependencies

.github/workflows/build.yml

@@ -15,28 +15,27 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v6
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v5
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
         with:
-          version: 9.15.4
+          bun-version: 1.3.11
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
           node-version: '22'
-          cache: 'pnpm'
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: bun install
 
       - name: Type checking
-        run: pnpm type-check
+        run: bun run type-check
 
       - name: Run tests
-        run: pnpm test
+        run: bun run test
 
       - name: Generate coverage
-        run: pnpm test:coverage
+        run: bun run test:coverage
         continue-on-error: true
 
   build:

.github/workflows/validate.yml

@@ -13,32 +13,31 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v6
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v5
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
         with:
-          version: 9.15.4
+          bun-version: 1.3.11
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
           node-version: '22'
-          cache: 'pnpm'
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: bun install
 
       - name: Type checking
-        run: pnpm type-check
+        run: bun run type-check
 
       - name: Run tests
-        run: pnpm test
+        run: bun run test
 
       - name: Generate coverage
-        run: pnpm test:coverage
+        run: bun run test:coverage
         continue-on-error: true
 
       - name: Build TypeScript
-        run: pnpm build
+        run: bun run build
 
       - name: Test Docker build (no push)
         run: |

.gitignore

@@ -138,8 +138,9 @@ Thumbs.db
 docs/
 ai_context/
 
-# Enforce pnpm usage - ignore npm and yarn lockfiles
+# Enforce bun usage - ignore non-bun lockfiles
 package-lock.json
+pnpm-lock.yaml
 yarn.lock
 
 # Environment files with sensitive data

.vscode/settings.json

@@ -22,7 +22,7 @@
     "editor.defaultFormatter": "dbaeumer.vscode-eslint"
   },
   "vitest.enable": true,
-  "vitest.commandLine": "pnpm test:watch",
+  "vitest.commandLine": "bun run test:watch",
   "python-envs.defaultEnvManager": "ms-python.python:system",
   "python-envs.pythonProjects": []
 }

CONTRIBUTING.md

@@ -26,9 +26,9 @@ To get started with development:
 
 2. **Install dependencies**
    ```bash
-   pnpm install
+   bun install
    ```
-   > ⚠️ **Important**: This project enforces the use of pnpm. npm and yarn install will be blocked automatically.
+   > ⚠️ **Important**: This project currently uses Bun as the package manager.
 
 3. **Set up environment variables**
    - Copy `.env.example` to `.env`
@@ -52,7 +52,7 @@ To get started with development:
 
 5. **Start the project in development mode**
    ```bash
-   pnpm dev
+   bun run dev
    ```
 
 Please refer to the [README](./README.md) for more detailed setup instructions.
@@ -61,31 +61,31 @@ Please refer to the [README](./README.md) for more detailed setup instructions.
 
 ```bash
 # Development with auto-reload
-pnpm dev
+bun run dev
 
 # Build for production
-pnpm build
+bun run build
 
 # Type checking only
-pnpm type-check
+bun run type-check
 
 # Linting
-pnpm lint              # Run ESLint on all source files
-pnpm lint:fix          # Run ESLint with auto-fix
-pnpm lint:security     # Focus on security-related issues
-pnpm lint:ci           # CI-friendly linting (fails on warnings)
+bun run lint              # Run ESLint on all source files
+bun run lint:fix          # Run ESLint with auto-fix
+bun run lint:security     # Focus on security-related issues
+bun run lint:ci           # CI-friendly linting (fails on warnings)
 
 # Clean build artifacts
-pnpm clean
+bun run clean
 
 # Start production build
-pnpm start
+bun run start
 
 # Run tests
-pnpm test                # Run all tests once
-pnpm test:watch          # Run tests in watch mode
-pnpm test:ui             # Interactive test UI
-pnpm test:coverage       # Generate coverage report
+bun run test                # Run all tests once
+bun run test:watch          # Run tests in watch mode
+bun run test:ui             # Interactive test UI
+bun run test:coverage       # Generate coverage report
 ```
 
 #### 🏛️ Project Structure
@@ -116,7 +116,7 @@ src/
 - **Code Quality**: Follow ESLint rules and security best practices enforced by automated linting
 - **Structured Logging**: Use `@wgtechlabs/log-engine` for all logging with built-in PII protection and security features
 - **Error Handling**: Implement comprehensive error handling with detailed logging
-- **Package Manager**: Use pnpm exclusively (enforced via preinstall script)
+- **Package Manager**: Use Bun for dependency management and project scripts
 - **Code Style**: Follow existing patterns and maintain consistency
 - **Environment**: Use Node.js 22+ for development
 - **Redis Integration**: Ensure Redis connectivity for all webhook-related features
@@ -138,16 +138,16 @@ This project uses **ESLint** with comprehensive security plugins to maintain cod
 
 ```bash
 # Check for issues
-pnpm lint
+bun run lint
 
 # Automatically fix issues
-pnpm lint:fix
+bun run lint:fix
 
 # Security-focused check
-pnpm lint:security
+bun run lint:security
 
 # CI mode (fails on warnings)
-pnpm lint:ci
+bun run lint:ci
 ```
 
 **Comprehensive ESLint Configuration:**
@@ -174,8 +174,8 @@ For complete configuration details, see [eslint.config.js](./eslint.config.js).
 - **Fix all linting errors** before submitting PRs (required)
 - **Address security warnings** unless there's a documented reason to ignore them
 - **Use ESLint disable comments sparingly** and only with proper justification
-- **Run `pnpm lint:fix`** to auto-fix style issues before committing
-- **Test security rules** with `pnpm lint:security` for security-focused checks
+- **Run `bun run lint:fix`** to auto-fix style issues before committing
+- **Test security rules** with `bun run lint:security` for security-focused checks
 - **VSCode users** get automatic linting and auto-fix on save with ESLint extension
 - **Document any rule disables** in code comments explaining why they're necessary
 
@@ -197,10 +197,10 @@ This project uses [Vitest](https://vitest.dev/) for automated testing. When cont
 
 **Automated Testing:**
 - Write tests for new features and bug fixes
-- Ensure all tests pass: `pnpm test`
-- Maintain minimum 80% code coverage: `pnpm test:coverage`
+- Ensure all tests pass: `bun run test`
+- Maintain minimum 80% code coverage: `bun run test:coverage`
 - Follow co-located test patterns (e.g., `signature.ts` → `signature.test.ts`)
-- Use `pnpm test:watch` for development, `pnpm test:ui` for interactive testing
+- Use `bun run test:watch` for development, `bun run test:ui` for interactive testing
 
 **Manual Testing:**
 - Test your changes using tools like ngrok for webhook testing
@@ -212,15 +212,15 @@ This project uses [Vitest](https://vitest.dev/) for automated testing. When cont
 #### 🔍 Code Review Process
 
 1. **Pre-submission checks**:
-   - [ ] Code builds without errors (`pnpm build`)
-   - [ ] TypeScript type checking passes (`pnpm type-check`)
-   - [ ] Linting passes without errors (`pnpm lint`)
-   - [ ] All tests pass (`pnpm test`)
-   - [ ] Coverage requirements met (`pnpm test:coverage`)
-   - [ ] Development server starts successfully (`pnpm dev`)
+   - [ ] Code builds without errors (`bun run build`)
+   - [ ] TypeScript type checking passes (`bun run type-check`)
+   - [ ] Linting passes without errors (`bun run lint`)
+   - [ ] All tests pass (`bun run test`)
+   - [ ] Coverage requirements met (`bun run test:coverage`)
+   - [ ] Development server starts successfully (`bun run dev`)
    - [ ] Redis integration works properly
    - [ ] Error handling is comprehensive
-   - [ ] No security warnings from `pnpm lint:security`
+   - [ ] No security warnings from `bun run lint:security`
 
 2. **Pull Request Requirements**:
    - [ ] Target the `dev` branch (PRs to `main` will be rejected)

Dockerfile

@@ -34,10 +34,9 @@ RUN apk update && apk upgrade && \
     apk add --no-cache dumb-init && \
     rm -rf /var/cache/apk/*
 
-# Enable and install pnpm via corepack
-# Note: Version must match packageManager field in package.json (currently 9.15.4)
-RUN corepack enable && \
-    corepack prepare pnpm@9.15.4 --activate
+# Install Bun for dependency management
+# Note: Version must match packageManager field in package.json (currently 1.3.11)
+RUN npm install --global bun@1.3.11
 
 # Set working directory for all subsequent stages
 WORKDIR /usr/src/app
@@ -51,10 +50,8 @@ FROM base AS deps
 # Use bind mounts and cache for faster builds
 # Downloads dependencies without copying package files into the layer
 RUN --mount=type=bind,source=package.json,target=package.json \
-    --mount=type=bind,source=pnpm-lock.yaml,target=pnpm-lock.yaml \
-    --mount=type=bind,source=.npmrc,target=.npmrc \
-    --mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --prod --frozen-lockfile
+    --mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-bun-cache,target=/root/.bun/install/cache \
+    bun install --production
 
 # =============================================================================
 # STAGE 3: Build Application  
@@ -64,14 +61,12 @@ FROM deps AS build
 
 # Install all dependencies (including devDependencies for building)
 RUN --mount=type=bind,source=package.json,target=package.json \
-    --mount=type=bind,source=pnpm-lock.yaml,target=pnpm-lock.yaml \
-    --mount=type=bind,source=.npmrc,target=.npmrc \
-    --mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+    --mount=type=cache,id=s/${RAILWAY_SERVICE_ID}-bun-cache,target=/root/.bun/install/cache \
+    bun install
 
 # Copy source code and build the application
 COPY . .
-RUN pnpm run build
+RUN bun run build
 
 # =============================================================================
 # STAGE 4: Final Runtime Image
@@ -109,4 +104,4 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 
 # Use dumb-init for proper signal handling and start the application
 ENTRYPOINT ["dumb-init", "--"]
-CMD ["node", "dist/app.js"]
+CMD ["node", "dist/app.js"]

README.md

@@ -23,11 +23,11 @@ These outstanding organizations partner with us to support our open-source work:
 
 ## 🚀 Quick Start
 
-**Requirements**: Node.js 22+, Redis, pnpm
+**Requirements**: Node.js 22+, Redis, Bun
 
 ```bash
 # 1. Install dependencies
-pnpm install
+bun install
 
 # 2. Configure environment
 cp .env.example .env
@@ -40,8 +40,8 @@ sudo systemctl start redis-server     # Linux
 docker run -d -p 6379:6379 redis:alpine  # Docker
 
 # 4. Run the server
-pnpm dev        # Development with auto-reload
-pnpm start      # Production mode
+bun run dev     # Development with auto-reload
+bun run start   # Production mode
 ```
 
 Server runs on `http://localhost:3000` with endpoints:
@@ -117,7 +117,7 @@ docker-compose down
 
 ## 🏗️ Development Container
 
-Dev container with Node.js 22.16, pnpm, and essential VS Code extensions (Copilot, ESLint, Docker, GitLens).
+Dev container with Node.js 22.16, Bun, and essential VS Code extensions (Copilot, ESLint, Docker, GitLens).
 
 **Quick Start:** Open in VS Code → Click "Reopen in Container" → Start coding
 
@@ -227,22 +227,22 @@ Events are queued with this enhanced structure:
 ### Build Commands
 
 ```bash
-pnpm clean      # Clean previous builds
-pnpm build      # Build for production
-pnpm type-check # TypeScript type checking only
-pnpm dev        # Development with hot-reload
-pnpm start      # Run production build
+bun run clean       # Clean previous builds
+bun run build       # Build for production
+bun run type-check  # TypeScript type checking only
+bun run dev         # Development with hot-reload
+bun run start       # Run production build
 ```
 
 ### Code Quality & Linting
 
 This project enforces strict code quality and security standards using ESLint with comprehensive security plugins.
 
 ```bash
-pnpm lint              # Run ESLint on all source files
-pnpm lint:fix          # Run ESLint with auto-fix
-pnpm lint:security     # Focus on security-related issues
-pnpm lint:ci           # CI-friendly linting (fails on warnings)
+bun run lint              # Run ESLint on all source files
+bun run lint:fix          # Run ESLint with auto-fix
+bun run lint:security     # Focus on security-related issues
+bun run lint:ci           # CI-friendly linting (fails on warnings)
 ```
 
 **Security Plugins Enabled:**
@@ -286,16 +286,16 @@ This project uses [Vitest](https://vitest.dev/) for fast, modern testing with fi
 
 ```bash
 # Run all tests (one-time)
-pnpm test
+bun run test
 
 # Run tests in watch mode (development)
-pnpm test:watch
+bun run test:watch
 
 # Run tests with interactive UI
-pnpm test:ui
+bun run test:ui
 
 # Generate coverage report
-pnpm test:coverage
+bun run test:coverage
 ```
 
 ### Writing Tests