ci(.github/dependabot.yaml): switch npm ecosystem to bun #14
Merged
The previous configuration declared package-ecosystem: "npm", which updates package.json plus npm, yarn, or pnpm lockfiles but never touches bun.lock. That caused the awesome-lint 0.18.6 -> 2.3.0 bump in #11 to fail CI on `bun install --frozen-lockfile` because the lockfile was left stale. Dependabot has supported the bun ecosystem since it went GA in February 2025 and writes the text bun.lock format used in this repo, so flipping the ecosystem is the targeted fix. Also adds conventional commit prefixes so Dependabot PRs land as "ci: bump <action>" for GitHub Actions updates and "chore(deps): bump <package>" for bun updates. This change was prepared by Coder Agents.
Pull request overview
Updates Dependabot configuration to align dependency automation with this repository’s Bun-based install flow so that dependency bumps regenerate bun.lock and stop failing bun install --frozen-lockfile in CI.
Changes:
- Switch Dependabot `package-ecosystem` from `npm` to `bun` for JS dependencies.
- Rename the dependency update group from `npm` to `bun`.
- Add `commit-message.prefix` to standardize Dependabot PR commit prefixes for GitHub Actions and Bun dependency updates.
bpmct approved these changes Jun 15, 2026
Summary
Switches the Dependabot configuration from the `npm` ecosystem to `bun`. The previous setting updated `package.json` plus npm, yarn, or pnpm lockfiles but never regenerated `bun.lock`, which left lockfile bumps inconsistent with how this repo actually installs.

Why
PR #11 (Dependabot: `awesome-lint` 0.18.6 → 2.3.0) failed CI on `bun install --frozen-lockfile` because the lockfile was untouched while `package.json` had been bumped. Dependabot has supported the `bun` ecosystem since it went GA in February 2025 and writes the text `bun.lock` format used here (Bun 1.1.39+), so this is the targeted fix.

This supersedes PR #13 (the Renovate migration)

Changes
- `package-ecosystem: "npm"` → `package-ecosystem: "bun"`
- `npm` to `bun`
- `commit-message.prefix` so Dependabot PRs land with conventional prefixes:
  - `ci: bump <action>`
  - `chore(deps): bump <package>`

Verification
- `bun fmt:ci` (Prettier) — clean
- `bun lint` (awesome-lint) — clean
- `typos --config .github/typos.toml` — clean

Follow-up
After this merges, Dependabot should re-open the `awesome-lint 0.18.6 → 2.3.0` bump on the next weekly run with `bun.lock` regenerated. CI should pass at that point.

Decision log
- `github-actions` entry for consistency.
- `bun-version`; Dependabot defaults to the version declared in `package.json`/`engines` or the latest stable, which matches the repo's current behavior.

This change was prepared by Coder Agents.
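
A CI guard for the failure mode this PR fixes, as an added example that is not part of the PR or the repository's own code: it flags a committed lockfile that no declared Dependabot ecosystem will regenerate. It assumes manifests and lockfiles sit at the repository root; the function names and the sample repositories are constructed for illustration.

```sh
# Added example (not from the PR). Assumes lockfiles sit at the repository root.

# Print each package-ecosystem value declared in a Dependabot config.
declared_ecosystems() {
    sed -n "s/^[[:space:]-]*package-ecosystem:[[:space:]]*[\"']*\([a-z-]*\).*/\1/p" "$1"
}

# Lockfile -> ecosystem that rewrites it, per the PR description: "npm" covers
# npm, yarn and pnpm lockfiles; only "bun" regenerates bun.lock.
required_ecosystem() {
    case "$1" in
        bun.lock) echo bun ;;
        package-lock.json|yarn.lock|pnpm-lock.yaml) echo npm ;;
    esac
}

# Return 0 if every committed lockfile has a matching ecosystem entry,
# 1 if any lockfile would be left stale, 2 if no config is found.
check_repo() {
    repo=$1; config=""; rc=0
    for f in "$repo/.github/dependabot.yaml" "$repo/.github/dependabot.yml"; do
        if [ -f "$f" ]; then config=$f; fi
    done
    if [ -z "$config" ]; then echo "no Dependabot config in $repo" >&2; return 2; fi
    declared=$(declared_ecosystems "$config")
    for lock in bun.lock package-lock.json yarn.lock pnpm-lock.yaml; do
        [ -f "$repo/$lock" ] || continue
        need=$(required_ecosystem "$lock")
        if ! printf '%s\n' "$declared" | grep -qx "$need"; then
            echo "$lock is committed but $config has no '$need' entry" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Build a constructed sample repo whose config declares ecosystem $2.
make_sample_repo() {
    mkdir -p "$1/.github"
    : > "$1/bun.lock"
    printf 'version: 2\nupdates:\n  - package-ecosystem: "github-actions"\n    directory: "/"\n  - package-ecosystem: "%s"\n    directory: "/"\n' "$2" > "$1/.github/dependabot.yaml"
}

demo=$(mktemp -d)
make_sample_repo "$demo/before" npm   # configuration before this PR
make_sample_repo "$demo/after" bun    # configuration after this PR
check_repo "$demo/before" || echo "before: bun.lock would go stale"
check_repo "$demo/after" && echo "after: consistent"
rm -rf "$demo"
```

Run as a required check on changes to the Dependabot config or lockfiles, this surfaces the mismatch before a dependency bump fails on `bun install --frozen-lockfile`.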