You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
npm / Node (npm create webjs / --runtime node, install-by-default): npm install resolves the package.json^ ranges to the latest-in-range version and pins the whole tree in package-lock.json.
So a fresh bun create webjs my-app and npm create webjs my-app of the same template can run different versions of @webjsdev/*, drizzle-orm, etc. The divergence is small at t=0 (latest equals latest-in-range when no out-of-range release exists) but GROWS once a dependency publishes a version outside the scaffold's range. Example: @webjsdev/core is pre-1.0, so once 0.8.0 ships, npm stays on 0.7.x (within ^0.7.0) while Bun jumps to 0.8.0.
The scaffold experience should be consistent across runtimes, especially the package versions an app actually runs.
Design / approach (decide, then implement)
Candidate directions:
Exact-pin the scaffold's package.json (the CLI knows the exact current versions at create time). Then BOTH runtimes resolve identical versions: Bun honors exact pins via the feat: pin Bun zero-install deps via an onLoad specifier-rewrite from package.json #685 rewrite, npm installs the exact versions. Most consistent and reproducible. Tradeoff: no automatic patch/minor bumps until the user loosens to ^ (reasonable for a starting point, and a fresh webjs create always emits the current versions anyway).
Accept and document the difference (Bun is an absolute-latest dev convenience, npm is latest-in-range pinned) as a deliberate per-runtime tradeoff, no code change. Cheapest, but leaves real divergence.
Recommendation to evaluate: option 1 (exact pins) gives the strongest consistency and is the only thing that makes Bun zero-install pin at all (#690 showed only exact pins hold). The owner previously accepted absolute-latest for Bun dev (#682), so the decision is whether cross-runtime CONSISTENCY is worth switching the templates to exact pins.
If going with exact pins: emit the CLI's current @webjsdev/* version plus the known-good drizzle-orm and other dep versions as EXACT (no ^). Keep them in sync on each cli release (the changelog/release flow already bumps versions).
Tests + docs: a test asserting both scaffold paths resolve consistent versions for the same template (or a documented, asserted difference); update the runtime docs + scaffold AGENTS if the version strategy changes.
Acceptance criteria
A fresh bun create and npm create of the same template resolve CONSISTENT dependency versions (or the difference is a deliberate, documented, tested decision).
The chosen strategy is reflected in the scaffold package.json generation and the runtime docs.
Problem
After #682 (bun create skips install by default), the two scaffold paths can resolve DIFFERENT dependency versions for the same template:
bun create webjs/--runtime bun, skip-install): nonode_modules, sobun run devauto-installs each dep at its absolute latest version. Thepackage.jsonsemver range AND anybun.lockare IGNORED at runtime (only an exactpackage.jsonpin holds, via the feat: pin Bun zero-install deps via an onLoad specifier-rewrite from package.json #685 onLoad rewrite), empirically confirmed in research: respect full package.json (ranges + tree) under Bun zero-install (default auto-install) #690.npm create webjs/--runtime node, install-by-default):npm installresolves thepackage.json^ranges to the latest-in-range version and pins the whole tree inpackage-lock.json.So a fresh
bun create webjs my-appandnpm create webjs my-appof the same template can run different versions of@webjsdev/*,drizzle-orm, etc. The divergence is small at t=0 (latest equals latest-in-range when no out-of-range release exists) but GROWS once a dependency publishes a version outside the scaffold's range. Example:@webjsdev/coreis pre-1.0, so once0.8.0ships, npm stays on0.7.x(within^0.7.0) while Bun jumps to0.8.0.The scaffold experience should be consistent across runtimes, especially the package versions an app actually runs.
Design / approach (decide, then implement)
Candidate directions:
package.json(the CLI knows the exact current versions at create time). Then BOTH runtimes resolve identical versions: Bun honors exact pins via the feat: pin Bun zero-install deps via an onLoad specifier-rewrite from package.json #685 rewrite, npm installs the exact versions. Most consistent and reproducible. Tradeoff: no automatic patch/minor bumps until the user loosens to^(reasonable for a starting point, and a freshwebjs createalways emits the current versions anyway).bun.lockdoes NOT pin under Bun zero-install (research: respect full package.json (ranges + tree) under Bun zero-install (default auto-install) #690), so a lockfile alone cannot align Bun.Recommendation to evaluate: option 1 (exact pins) gives the strongest consistency and is the only thing that makes Bun zero-install pin at all (#690 showed only exact pins hold). The owner previously accepted absolute-latest for Bun dev (#682), so the decision is whether cross-runtime CONSISTENCY is worth switching the templates to exact pins.
Implementation notes (for the implementing agent)
package.jsongeneration inpackages/cli/lib/create.js(the dep specifiers it writes); the per-runtime install defaultresolveCreateInstall()(bun create defaults to no install (zero-install onboarding); node unchanged #682); the research: respect full package.json (ranges + tree) under Bun zero-install (default auto-install) #690 zero-install behavior (exact pins only).@webjsdev/*version plus the known-gooddrizzle-ormand other dep versions as EXACT (no^). Keep them in sync on each cli release (the changelog/release flow already bumps versions).bun.lockdoes NOT make Bun zero-install pin (ignored at runtime, research: respect full package.json (ranges + tree) under Bun zero-install (default auto-install) #690), so do not rely on committing a lock to align Bun. Node'spackage-lock.jsonDOES pin (npm install). The feat: pin Bun zero-install deps via an onLoad specifier-rewrite from package.json #685 rewrite only pins EXACT package.json pins under Bun zero-install.Acceptance criteria
bun createandnpm createof the same template resolve CONSISTENT dependency versions (or the difference is a deliberate, documented, tested decision).package.jsongeneration and the runtime docs.