@ian ian commented Feb 2, 2026

Summary by cubic

Adds first-class support for both pnpm and Bun. The CLI now lets you choose or specify a package manager and configures scripts, CI, and docs to match, addressing STARTUP-114.

  • New Features

    • CLI init prompts for pnpm (default) or Bun, or accepts --package-manager to skip the prompt; installs with the chosen PM.
    • Templated repo and CI workflow use placeholders that the CLI replaces to set up pnpm or Bun (including version: pnpm 10.28.2 or Bun 1.1.27).
    • README updated with pnpm/Bun equivalents for common commands.
    • link-local script and CI updated to reference both PMs and add a Bun install test.
  • Dependencies

    • Bump root packageManager to pnpm@10.28.2.

Written for commit 102debc. Summary will update on new commits.

linear bot commented Feb 2, 2026

socket-security bot commented Feb 2, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
| --- | --- | --- |
| Warn | High | Obfuscated code: npm vite is 91.0% likely obfuscated |

Confidence: 0.91

Location: Package overview

From: templates/repo/pnpm-lock.yaml → npm/@storybook/react-vite@8.6.15 → npm/@vitejs/plugin-react@4.7.0 → npm/vite@6.4.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@6.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/cli/src/cmd/init.ts">

<violation number="1" location="packages/cli/src/cmd/init.ts:289">
P2: The workflow pins Bun to `latest` while `packageManager` is set to `bun@1.1.27`. CI can run a different Bun version than local/dev, which can cause lockfile drift or install differences. Pin the workflow to the same version.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
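
The version mismatch flagged in the review comment above can be caught mechanically. The following is an added example, not code from this pull request or from any of the bots: it compares the `packageManager` field with the version given to the setup step in a workflow file. The action names `oven-sh/setup-bun` (input `bun-version`) and `pnpm/action-setup` (input `version`), the function names and the sample inputs are assumptions made for illustration.

```javascript
// Added example. Which setup actions the workflow uses is an assumption.
const SETUP_ACTIONS = {
  bun: { action: "oven-sh/setup-bun", key: "bun-version" },
  pnpm: { action: "pnpm/action-setup", key: "version" },
};
// Split a Corepack-style field such as "bun@1.1.27" (an optional "+hash" suffix is ignored).
function parsePackageManager(packageJsonText) {
  const field = JSON.parse(packageJsonText).packageManager || "";
  const m = /^([a-z]+)@([^+\s]+)/.exec(field);
  return m ? { name: m[1], version: m[2] } : null;
}

// Line scan (no YAML dependency): return the version input of the matching setup step.
function findWorkflowPin(workflowText, name) {
  const setup = SETUP_ACTIONS[name];
  if (!setup) return null;
  let inStep = false;
  for (const raw of workflowText.split(/\r?\n/)) {
    const line = raw.replace(/\s+#.*$/, ""); // drop trailing comments
    const uses = /^\s*-?\s*uses:\s*["']?([^@"'\s]+)/.exec(line);
    if (uses) { inStep = uses[1] === setup.action; continue; }
    if (/^\s*-\s/.test(line)) { inStep = false; continue; } // a new step starts
    const kv = /^\s*([\w-]+):\s*["']?([^"'\s]+)["']?$/.exec(line);
    if (inStep && kv && kv[1] === setup.key) return kv[2];
  }
  return null;
}

// Classify the workflow pin: match, drift (other exact version), floating (tag or range), missing.
function checkPin(packageJsonText, workflowText) {
  const pm = parsePackageManager(packageJsonText);
  if (!pm) return { status: "no-package-manager" };
  const actual = findWorkflowPin(workflowText, pm.name);
  let status = "missing";
  if (actual !== null && !/^\d+\.\d+\.\d+$/.test(actual)) status = "floating";
  else if (actual !== null) status = actual === pm.version ? "match" : "drift";
  return { status, name: pm.name, expected: pm.version, actual };
}

// Constructed inputs mirroring the finding: packageManager bun@1.1.27, workflow on `latest`.
const samplePackageJson = JSON.stringify({ name: "demo", packageManager: "bun@1.1.27" });
const sampleWorkflow = [
  "jobs:", "  test:", "    steps:",
  "      - uses: actions/checkout@v4",
  "      - name: Setup Bun",
  "        uses: oven-sh/setup-bun@v2",
  "        with:",
  "          bun-version: latest",
].join("\n");
console.log(checkPin(samplePackageJson, sampleWorkflow));
```

Run as a CI step, a non-`match` status can fail the job before the install step executes.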

ian changed the title from "bun/pnpm choice" to "Support both bun/pnpm" on Feb 2, 2026
cloudflare-workers-and-pages bot commented Feb 2, 2026

Deploying startupkit with Cloudflare Pages

Latest commit: 102debc
Status: ✅  Deploy successful!
Preview URL: https://fb3db86f.startupkit-975.pages.dev
Branch Preview URL: https://ian-startup-114-upgrade-pnpm.startupkit-975.pages.dev
