📦 Feat/use bun as package manager

[adriangohjw]

Problem

As part of learning month, im experimenting the use of bun as a package manager to improve DX (faster install time) as well as faster CI (on average 1.5mins saved per action). This will also translate to better codebuild time (if cold build)

Reference:

• Why is bun so fast as a package manager: https://bun.com/blog/behind-the-scenes-of-bun-install
• Crash course of bun: https://nextjs.org/conf/session/nextjs-bun (note: unfortunately we can't use it for nextjs app due to DD trace, as bun lacks libuv library)

Solution

Breaking Changes

• Yes - this PR contains breaking changes
  • Details ...
• No - this PR is backwards compatible

Features:

• Migrate from npm to bun as a package manager
  • note: and because this is a fresh install, we fixed the issue of unable to upgrade packages. dependeabot SHOULD also work now

Benchmarking from root package (locally on my macbook)

package install	time taken (fresh install)	time taken (cached install)
npm	1min 30 seconds	11 seconds
bun	9 seconds	1 second

*Setup stage on every CI action

package install	time taken
npm	1min 40 seconds
bun	14 seconds

*Codebuild (cold build without cache)

package install	time taken
npm	110 seconds
bun	60 seconds

Note

This also opens up the possibility for us to use catalogs and minimumReleaseAge (better protection against supply chain attack)

before

91 vulnerabilities (5 low, 25 moderate, 45 high, 16 critical)

After (WIP)

note: more in #1796

33 vulnerabilities (1 critical, 17 high, 10 moderate, 5 low)

---

Note

Medium Risk
Broad tooling and build pipeline migration (CI + Docker + lockfile) plus large dependency bumps could introduce install/build regressions or runtime incompatibilities despite limited app-logic changes.

Overview
Switches the repo’s package manager from npm to bun end-to-end: CI workflows, the shared GitHub Action setup, Chromatic builds, and docs now use bun/bunx, with caching and Dependabot updated to track bun.lock.

Updates local/dev environments to match (devcontainer installs Bun; Studio Docker build moves to node:22-slim and installs Bun/Turbo; removes apps/studio/render.yaml). Studio scripts are adjusted for bunx, next.config.mjs adds serverExternalPackages, and apps/studio/package.json refreshes a large set of dependencies plus regenerates vendored assets (mockServiceWorker.js, preview-tw.css).

^{Written by Cursor Bugbot for commit bba6385. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​vitest/​coverage-istanbul@​2.1.2 ⏵ 2.1.9			-1	-1
	msw-storybook-addon@​2.0.4 ⏵ 2.0.6			+1	-1
	@​tiptap/​extension-text@​2.9.1 ⏵ 2.27.1				-1
	@​tiptap/​extension-document@​2.9.1 ⏵ 2.27.1				-1
	@​chakra-ui/​theme-tools@​2.2.7 ⏵ 2.2.9	+1		+1
	@​react-stately/​checkbox@​3.7.2 ⏵ 3.7.3	+1		+1	+1
	@​react-stately/​toggle@​3.9.2 ⏵ 3.9.3				+1
	tailwindcss-react-aria-components@​1.1.4 ⏵ 1.2.0	+1		+3	+1
	@​tanstack/​react-query-devtools@​5.85.3 ⏵ 5.91.2	+1		+3	+1
	@​tiptap/​extension-table-row@​2.9.1 ⏵ 2.27.1				-1
	@​react-aria/​button@​3.14.2 ⏵ 3.14.3				+1
	@​tiptap/​extension-dropcursor@​2.9.1 ⏵ 2.27.1				-1
	@​chakra-ui/​utils@​2.2.3 ⏵ 2.2.5
	@​react-aria/​checkbox@​3.16.2 ⏵ 3.16.3				+1
	@​tiptap/​extension-gapcursor@​2.9.1 ⏵ 2.27.1				-1
	@​react-aria/​textfield@​3.18.2 ⏵ 3.18.3	+1			+1
	@​tiptap/​extension-list-item@​2.9.1 ⏵ 2.27.1				-1
	@​tiptap/​extension-paragraph@​2.9.1 ⏵ 2.27.1				-1
	@​tiptap/​extension-table-header@​2.9.1 ⏵ 2.27.1				-1
	@​tiptap/​extension-table-cell@​2.9.1 ⏵ 2.27.1				-1
	@​tiptap/​extension-history@​2.9.1 ⏵ 2.27.1				-1
	@​tiptap/​extension-underline@​2.9.1 ⏵ 2.27.1				-1
	@​tanstack/​react-table@​8.21.2 ⏵ 8.21.3			+1
	@​tiptap/​extension-subscript@​2.9.1 ⏵ 2.27.1				-1
	@​tiptap/​extension-superscript@​2.9.1 ⏵ 2.27.1				-1
	@​next/​eslint-plugin-next@​14.2.13 ⏵ 14.2.35
	@​babel/​preset-typescript@​7.27.1 ⏵ 7.28.5
	@​tiptap/​extension-hard-break@​2.9.1 ⏵ 2.27.1	+1		+3
	@​tiptap/​html@​2.9.1 ⏵ 2.27.1	+1		+3	+1
	@​types/​pg@​8.11.6 ⏵ 8.16.0	+1		+1
	@​tiptap/​extension-bullet-list@​2.9.1 ⏵ 2.27.1				-1
	@​types/​request@​2.48.12 ⏵ 2.48.13
See 99 more rows in the dashboard

View full report

[adriangohjw]

note: bunx (or Bun in general) has some compatibility issues with Alpine Linux because Alpine uses musl libc instead of glibc, and Bun is built against glibc. So running Bun in a plain alpine image usually fails.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}