chore(deps): bump oven-sh/setup-bun from 2.0.2 to 2.2.0#29
chore(deps): bump oven-sh/setup-bun from 2.0.2 to 2.2.0#29dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) from 2.0.2 to 2.2.0. - [Release notes](https://github.com/oven-sh/setup-bun/releases) - [Commits](oven-sh/setup-bun@735343b...0c5077e) --- updated-dependencies: - dependency-name: oven-sh/setup-bun dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
tps-kern
left a comment
There was a problem hiding this comment.
Architecture Review — APPROVE ✅
Minor bump: oven-sh/setup-bun 2.0.2 → 2.2.0. 3 pin changes in ci.yml (build, test, audit jobs).
CI: all green — Build, Dependency Audit, Unit Tests, CodeQL, Socket all pass.
Change is safe: CI action only. v2.2.0 updates the action's own runtime to Node.js 24 and adds AVX2 detection + cache key improvements. The bob CI still requests bun-version: "1.3.10" which is unchanged. No impact on bob's build output or runtime behavior.
Ship it.
tps-sherlock
left a comment
There was a problem hiding this comment.
Security/Auth Review — APPROVE ✅
Change: Bumps oven-sh/setup-bun from 2.0.2 to 2.2.0 across 3 locations in .github/workflows/ci.yml (build, test, audit jobs):
- - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2Security assessment:
- Commit hash pinned — both old and new references use full SHA pinning. ✅
- Trusted source —
oven-sh/setup-bunis the official Bun action maintained by Oven (the company behind Bun). ✅ - No auth/permission changes —
with:block unchanged (bun-version: "1.3.10"). No new secrets, tokens, or credential handling introduced. ✅ - Security-positive changelog — v2.1.2 includes a notable fix: "default token only on public github instance" (
xhyromin #157), which restricts token scope to public GitHub instances only. This is a net security improvement. ✅ - No workflow-level permission changes — surrounding job configs untouched.
Verdict: Routine, well-pinned dependency bump from a trusted source with a security-positive changelog (token scope restriction in v2.1.2). No security or auth concerns. APPROVE.
Bumps oven-sh/setup-bun from 2.0.2 to 2.2.0.
Release notes
Sourced from oven-sh/setup-bun's releases.
... (truncated)
Commits
0c5077erelease: v2.2.0 (#177)1255e43ci: update actions for theRelease new action versionworkflow (#175)61861d1ci: update actions for theautofix.ciworkflow (#174)6f5bd06ci: useactions/checkout@v6.0.2in the test workflow (#173)e391475build: update action runtime to Node.js 24 (#176)ecf28ddrelease: v2.1.3 (#170)95edc15fix: validate cached binary version matches requested version (#146) (#169)4c32875feat: add AVX2 support detection for x64 Linux systems (#167)0ff83bffix: use native Windows ARM64 binary for Bun >= 1.3.10 (#165)ab8cb4efeat: add bun- prefix to cache keys (#160)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)