Support persisting and respecting bun.lock #6268
Description
Summary
Currently, the bun.lock file inside .web/ is regenerated on each build to pull the most up-to-date versions of all dependencies. This means there is no way for users to lock direct and transitive JS dependencies, which is a significant supply chain security concern — especially in enterprise environments.
Proposed Solution
- Move (or copy) the
bun.lockfile to the project root directory alongside the app code, so it can be committed to version control without needing to track files inside.web/. - When
bun.lockexists in the root, Reflex should copy it into.web/before invoking the package manager, so that transitive dependencies are not silently bumped. - Reflex should still be able to bump direct dependencies using bun interfaces when the user requests it (e.g.
reflex updateor similar). - Provide good UX for persisting and respecting the package manager lock — ideally this should "just work" without requiring manual workarounds.
Current Workarounds
- Manually committing
.web/bun.lockto git (fragile, since.webis typically gitignored). - Writing a plugin that overrides
pre_compileto copy a lock file into.web/before the package manager is invoked.
Additional Notes
Running reflex --loglevel debug shows the bun commands being executed, which can help verify whether an existing lock file is being respected. As far as we can tell, nothing in the current code explicitly ignores the lock file — the issue is that it gets overwritten.