chore: bun + biome + Astro 6 for v1 #22
Merged
Standardize tempus on bun + biome for v1 while keeping the Astro playground and its pages. Replaces the earlier Vite-rewrite direction (#20/#21) with a smaller change: swap the package manager, leave the demos as-is.

Package manager (pnpm → bun):
- pnpm-lock.yaml + pnpm-workspace.yaml → bun.lock and a package.json "workspaces" field
- scripts: pnpm → bun run / bun --filter; npm version → bun pm version (supports --preid/--no-git-tag-version); npm publish → bun publish
- dev now runs the playground; dev:build stays for bundle-watching
- bump tsup 8.3.6 → 8.5.1 (resolves secure transitive deps under bun)
- CI: pnpm/action-setup → oven-sh/setup-bun; playground build is now a real gate (Astro builds green under bun)

Fixes surfaced by bun's stricter resolution:
- packages/react declared "tempus": "workspace:tempus*" (a pnpm-ism bun can't parse) → "workspace:*"
- playground tsconfig: add tempus* paths so astro check resolves the library types from source (bun doesn't hoist the root exports the way pnpm did); without this astro check can't find 'tempus/react'
- removed a dead `export * from './src/types'` re-exporting an empty 0-byte file; deleted packages/react/src/types.ts
- biome ignore: pnpm-lock.yaml → bun.lock

Verified: bun install --frozen-lockfile, library build, biome lint, and `astro check && astro build` all green under bun; all 4 demo pages (index/core/react/landing) render and run live in the browser. Core bundle byte-identical (1985 B gz).

Audit: 7 advisories remain, all dev-only in the Astro playground (4 Astro core CVEs needing Astro 6 to clear, + yaml/esbuild transitives). None reach the published library, which has zero runtime deps. Astro 6 is a deliberate follow-up.
This was referenced Jun 22, 2026
Bump the playground from Astro 5 to 6 to clear its 4 outstanding Astro CVEs (host-header SSRF, reflected XSS via slot name, XSS in spread props, XSS in define:vars) — 5.18.2 is the last 5.x, so the fixes only exist in 6.

- astro ^5.18.2 -> ^6.4.8
- @astrojs/react ^4.4.2 -> ^5.0.7 (the Astro 6 line)
- overrides: yaml >=2.8.3, esbuild >=0.28.1 — pin patched versions of the last two dev-only transitives (a stack-overflow and a Windows dev-server file-read)

bun audit is now 0.

Astro 6 needs Node >=22.12 to build, but that's a playground (dev-only) constraint; the published library keeps node>=18.

Verified: bun install --frozen-lockfile, library build, biome lint, and astro check && astro build all green; all 4 pages compile and serve 200. Pages are unchanged (the demo code is identical; Astro.props, client:only, defineConfig/integrations are all stable across 5->6).
What this does

Gets tempus to its v1 toolchain — bun + biome — and brings the Astro playground up to Astro 6, with a clean security audit. The published library is untouched (it ships `dist/` only, zero runtime deps); everything here is dev tooling and the non-published playground.

This is the single PR to review for v1. It consolidates and supersedes the earlier exploratory PRs (#20 Vite rewrite, #21 bun-on-Vite), both closed. No other open PRs or issues.

Summary

Package manager (pnpm → bun)

- `pnpm-lock.yaml` + `pnpm-workspace.yaml` → `bun.lock` + a `workspaces` field
- `pnpm` → `bun run` / `bun --filter`; `npm version` → `bun pm version`; `npm publish` → `bun publish`
- `tsup` 8.3.6 → 8.5.1
- `pnpm/action-setup` → `oven-sh/setup-bun`; the playground build is now a real gate

Astro 5 → 6 (clears all advisories)

- `astro` ^5.18.2 → ^6.4.8, `@astrojs/react` ^4.4.2 → ^5.0.7
- `overrides`: `yaml >=2.8.3`, `esbuild >=0.28.1` — the last two dev-only transitives
- `bun audit` → 0 vulnerabilities (was 23 on `main`)
- `node>=18`

Fixes bun's stricter resolution surfaced

- `packages/react` `"tempus": "workspace:tempus*"` → `workspace:*`
- `tsconfig`: `tempus*` paths so `astro check` resolves library types from source
- `export * from './src/types'` (empty 0-byte file); deleted it

Verification

- `bun install --frozen-lockfile` clean
- `bun run build` — dist intact, core bundle byte-identical (1985 B gz)
- `bun run lint` (biome) passes
- `bun --filter playground build` — `astro check && astro build` green, all 4 pages
- `bun audit` → 0

Pages are unchanged — same demos, same markup.
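
The statement that dev-only advisories cannot reach consumers depends on the published manifest: no installable dependencies, a `files` allowlist limited to `dist`, and parseable `workspace:` specifiers. A gate for those three conditions, added here as an example and not part of the PR; the sample manifests are constructed, and the accepted `workspace:` forms (`*`, `^`, `~`, or a version) are an assumption.

```javascript
// Added example (not from the PR): manifest gate for a package that is
// meant to ship dist/ only with zero runtime dependencies.
// Fields whose entries get installed on the consumer's machine.
const SHIPPED_DEP_FIELDS = [
  "dependencies", "optionalDependencies",
  "bundledDependencies", "bundleDependencies",
];
// Assumption: accepted workspace: forms are *, ^, ~ or a plain version.
const WORKSPACE_OK = /^workspace:(\*|\^|~|[\^~]?\d[\w.+-]*)$/;

function checkPublishedManifest(pkg, allowedTop = ["dist"]) {
  const problems = [];
  for (const field of SHIPPED_DEP_FIELDS) {
    const value = pkg[field];
    const names = Array.isArray(value) ? value : Object.keys(value ?? {});
    for (const name of names) {
      problems.push(`${field}: "${name}" would be installed by consumers`);
    }
  }
  // Without a "files" allowlist, everything not ignored is packed.
  if (!Array.isArray(pkg.files)) {
    problems.push('files: no allowlist set');
  } else {
    for (const entry of pkg.files) {
      const top = entry.replace(/^\.\//, "").split("/")[0];
      if (!allowedTop.includes(top)) {
        problems.push(`files: "${entry}" is outside ${allowedTop.join(", ")}`);
      }
    }
  }
  // Malformed workspace: specifiers in any dependency field.
  for (const field of ["dependencies", "devDependencies", "peerDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (spec.startsWith("workspace:") && !WORKSPACE_OK.test(spec)) {
        problems.push(`${field}: "${name}" has unparseable spec "${spec}"`);
      }
    }
  }
  return problems;
}

// Constructed manifests; only the two workspace specifiers come from the PR text.
const before = { name: "example-react", files: ["dist", "src"],
  dependencies: { yaml: "^2.0.0" },
  peerDependencies: { tempus: "workspace:tempus*" } };
const after = { name: "example-react", files: ["dist"],
  peerDependencies: { tempus: "workspace:*" } };
console.log(checkPublishedManifest(before), checkPublishedManifest(after));
```

Run against each publishable package's `package.json` in CI, a non-empty result fails the build before `bun publish`.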