CM-67195: Add Bun package manager support to SCA local scans#478
Merged
Conversation
Add a dedicated Bun restore handler so `cycode scan -t sca` correctly restores Bun project dependencies before scanning, mirroring the existing pnpm/yarn pattern. - New RestoreBunDependencies: detects Bun via bun.lock or a packageManager/engines bun signal; reads an existing bun.lock directly, otherwise runs `bun install --ignore-scripts` to generate it. - Enforce Bun >=1.2 (text bun.lock) before generating a lockfile; skip with a warning on older or missing Bun. - Register the handler ahead of the npm fallback and add bun.lock to npm's alternative-lockfile guard so npm does not claim Bun projects. - Add bun.lock to the SCA supported files and npm ecosystem map. - Unit tests for detection, version gating, restore, and cleanup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…dencies Move the Bun-specific version check into the base class as a reusable, opt-in capability so the logic lives in one place instead of a single handler. - BaseRestoreDependencies gains parse_tool_version() and is_supported_tool_version(), enforced automatically right before the install command runs. - Handlers opt in by overriding get_version_command() and get_minimum_supported_version() (both default to None = no check), so every existing handler is unchanged. - RestoreBunDependencies now just declares ['bun', '--version'] and (1, 2); its bespoke _parse_bun_version/_is_supported_bun_version are removed. - Version-parsing and gate tests moved to the base-class test module. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ee443f1 to
e41b00e
Compare
Some tools print versions with a leading 'v' (e.g. `node --version` -> v20.1.0). Since parse_tool_version is now a shared base-class helper, make it strip an optional leading 'v' so a future opt-in handler isn't misparsed as "could not determine version". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
omer-roth
reviewed
Jun 29, 2026
omer-roth
reviewed
Jun 29, 2026
Per review: the minimum-version check is only used by Bun, so keep it co-located in the Bun handler rather than as generic machinery on the base class. - Revert BaseRestoreDependencies to its original form (no version hooks, no parse_tool_version). - Restore _parse_bun_version + _is_supported_bun_version in restore_bun_dependencies.py; the generate path verifies Bun >=1.2 before running `bun install`. - Move the version-parse/gate tests back to the Bun test module. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
omer-roth
reviewed
Jun 29, 2026
omer-roth
previously approved these changes
Jun 29, 2026
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
omer-roth
approved these changes
Jun 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What & why
Enables
cycode scan -t scato support Bun projects during local SCA scans, so CLI users get the same coverage as platform scans. Closes the CLI portion of Bun Phase 1 (CM-67195).Bun is now a first-class package manager alongside npm, Yarn, and Pnpm — the implementation mirrors the existing Pnpm/Yarn restore handlers.
Changes
RestoreBunDependencieshandler — detects a Bun project viabun.lockor apackageManager/enginesbun signal inpackage.json. Ifbun.lockalready exists it's read directly; otherwisebun install --ignore-scriptsis run to generate it (then cleaned up).bun.lockwe parse (older Bun writes binarybun.lockb). Before generating a lockfile the handler verifiesbun --version; on older/missing Bun it logs a warning and skips the restore rather than producing an unparseable lockfile. An already-presentbun.lockskips the check (its existence implies Bun ≥ 1.2).bun.lockadded to npm's alternative-lockfile guard so npm doesn't claim Bun projects, and the Bun handler is registered ahead of the npm fallback.consts.py—bun.lockadded to the SCA supported files and the npm ecosystem map.Acceptance criteria
bun.lock→bun installrestores deps before scanningTesting
ruff checkandruff formatclean.bun.lockproject reads the lockfile directly (npm skipped); no-lockfile project runs the version gate +bun install --ignore-scriptsand generates/parsesbun.lock.Note
There is a documented NOTE in
restore_npm_dependencies.py::is_project: the npm guard is lockfile-on-disk based, so a project declaringpackageManager: "bun@..."with no lockfile is claimed by both handlers (pre-existing behavior shared by pnpm/yarn). Left as-is for consistency; tracked on CM-67195.🤖 Generated with Claude Code