fix(security): commit bun.lock to pin dependency versions#587

Closed
boinger wants to merge 1 commit into garrytan:main from boinger:fix/commit-lockfile
Conversation

@boinger boinger commented Mar 27, 2026

Contributor

Summary

  • Remove bun.lock from .gitignore and commit the lockfile
  • Pins all dependency versions deterministically — bun install no longer resolves from npm on every ./setup or auto-upgrade

Problem

bun.lock was gitignored. Every ./setup and every auto-upgrade (git reset --hard origin/main && ./setup) resolved dependencies fresh from npm using floating ^ semver ranges. A compromised package within range would be silently pulled and executed.

This is the same class of supply chain vulnerability exploited in the LiteLLM attack (2026-03-24).

Fix

Commit bun.lock. Now bun install reads the lockfile and installs exact pinned versions. Registry resolution only happens when dependencies are explicitly added or updated.

Closes #566

Test plan

  • bun install produces deterministic output from the committed lockfile
  • bun test passes (610/611 — 1 pre-existing failure: VERSION/package.json mismatch on main)

bun.lock was gitignored, causing every ./setup and auto-upgrade to
resolve dependencies fresh from npm using floating ^semver ranges.
A compromised package within range would be silently pulled and
executed — the same class of supply chain vulnerability exploited
in the LiteLLM attack (2026-03-24).

Committing the lockfile pins exact dependency versions. bun install
now reads the lockfile deterministically instead of resolving from
the registry on every run.

Closes garrytan#566
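Added example, not code from this PR or the repository: a check a CI job could run once bun.lock is committed, verifying that every dependency declared in package.json has an exact resolution in the lockfile and that the pinned version satisfies the declared caret range (no silent drift back to floating resolution). The bun.lock layout assumed here (a JSONC document with a top-level "packages" map whose entries begin with "name@version") and both inputs are constructed for the example.

```javascript
// Added example: audit that package.json dependencies are pinned in bun.lock.
// Assumed bun.lock shape (JSONC, trailing commas allowed): a top-level "packages"
// map whose values are arrays starting with "name@version". Inputs are constructed.
const PACKAGE_JSON = JSON.stringify({
  name: "demo",
  dependencies: { "left-pad": "^1.3.0", "@scope/util": "^0.2.1", "exactpkg": "2.0.0" },
});
const BUN_LOCK = `{
  "lockfileVersion": 1,
  "workspaces": { "": { "name": "demo", }, },
  "packages": {
    "left-pad": ["left-pad@1.3.0", "", {}, "sha512-CONSTRUCTED"],
    "@scope/util": ["@scope/util@0.2.7", "", {}, "sha512-CONSTRUCTED"],
    "exactpkg": ["exactpkg@2.0.0", "", {}, "sha512-CONSTRUCTED"],
  },
}`;

// bun.lock is JSON with trailing commas; strip them so JSON.parse accepts it.
function parseJsonc(text) {
  return JSON.parse(text.replace(/,(\s*[}\]])/g, "$1"));
}

const parseVersion = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// ^x.y.z allows >= x.y.z and < the next bump of the leftmost non-zero component:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function satisfiesCaret(range, version) {
  const base = parseVersion(range.slice(1));
  let idx = base.findIndex((n) => n !== 0);
  if (idx === -1) idx = 2;
  const upper = base.map((n, j) => (j < idx ? n : j === idx ? n + 1 : 0));
  const v = parseVersion(version);
  return cmp(v, base) >= 0 && cmp(v, upper) < 0;
}

// Returns a list of problems; an empty list means every declared dependency is pinned.
function auditLockfile(pkgJsonText, lockText) {
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  const packages = parseJsonc(lockText).packages || {};
  const problems = [];
  for (const [name, range] of Object.entries(deps)) {
    const entry = packages[name];
    if (!entry) { problems.push(`${name}: no pinned entry in bun.lock`); continue; }
    const pinned = entry[0].slice(name.length + 1); // "name@version" -> "version"
    const ok = range.startsWith("^") ? satisfiesCaret(range, pinned)
             : /^\d+\.\d+\.\d+$/.test(range) ? range === pinned
             : false; // other range operators (~, >=, ||) are not handled here
    if (!ok) problems.push(`${name}: pinned ${pinned} does not satisfy declared ${range}`);
  }
  return problems;
}
```

A non-empty result from `auditLockfile` is the signal to fail the build rather than let `bun install` re-resolve from the registry.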
@garrytan

Owner

Thanks for flagging this supply chain risk! bun.lock is now tracked in the repo (commit 9c4ae901). All dependencies are pinned to exact versions. Appreciate the security awareness!

@garrytan garrytan closed this Apr 13, 2026
Development

Successfully merging this pull request may close these issues.

Security: bun.lock is gitignored - unpinned dependencies resolved on every install/upgrade (similar to LiteLLM malware propagation)