experiment: pnpm->bun

[juliusmarminge]

EXPERIMENTAL DO NOT USE

For now this is not intended to be merged, just trying it out

I'll post comments throughout this PR what pain points I've experienced trying to migrate this repo to use bun

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
create-t3-turbo-tanstack-start	Error			Oct 26, 2025 2:38am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	typescript-eslint@​8.46.2
	next@​16.0.0
	postcss@​8.5.6
	jiti@​2.6.1
	superjson@​2.2.3
	tw-animate-css@​1.4.0
	prettier-plugin-tailwindcss@​0.7.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		[email protected] has Obfuscated code. Confidence: 0.94 Location: Package overview From: ? → npm/@turbo/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has Obfuscated code. Confidence: 0.94 Location: Package overview From: ? → npm/@turbo/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[juliusmarminge]

Configuration

• LSP plugin is outdated? I don't understand TOML so I don't even know where it's sourcing the options from, why not a .json file with $schema field pointing at the correctly versioned schema?

  

• I don't know where to put configs? I very much like that pnpm takes all their config in pnpm-workspace.yaml. With bun, I have workspaces, catalog, catalogs, overrides in package.json, whereas linkWorkspacePackages in bunfig.toml. Would prefer all of these to be in bunfig.

[juliusmarminge]

Module Resolution

Bun's linker = "hoisted" | "isolated" is an all-or-nothing setting. In the current PNPM version of the repo, we have publicHoistPatterns to granularly opt into hoisting for packages that don't handle the isolated modules very well:

create-t3-turbo/pnpm-workspace.yaml

Lines 41 to 43 in 0b93601

	publicHoistPattern:
	- "@ianvs/prettier-plugin-sort-imports"
	- prettier-plugin-tailwindcss

Without this, prettier fails: . To workaround this issue, I had to install these deps in root (023702c) to "force-hoist" them...

[juliusmarminge]

Installed multiple "versions" of vite??

There appears to be 2 versions of [email protected] installed?

This causes type-errors:

• bun pm why vite is not very helpful here as it does not distinguish between these different hash versions so I have no idea why these are different...

• This issue persisted despite adding vite to overrides (b01618d):

• The only fix I found for this was to use rolldown-vite (f30ea12)? Not sure why this helps but I guess it resolves different deps?

[juliusmarminge]

Now I'm seeing weird module resolution errors again.

• When building the Next.js app: @tailwindcss/postcss is installed here:

  create-t3-turbo/tooling/tailwind/package.json

  Line 17 in f30ea12

  "@tailwindcss/postcss": "catalog:",

• When building the Tanstack Start app: nitro is installed here

  create-t3-turbo/apps/tanstack-start/package.json

  Line 34 in f30ea12

  "nitro": "npm:nitro-nightly@latest",