fix(bun): apply top-level patchedDependencies #724

Merged: jdx merged 3 commits into main from codex/fix-bun-patched-dependencies on May 15, 2026

jdx (Owner) commented May 15, 2026

Summary

  • read Bun's top-level package.json#patchedDependencies field from the manifest model
  • merge Bun patch declarations into install-time patch loading alongside existing pnpm/aube config
  • add parser and install-level regression coverage for Bun-authored patched dependencies

Root Cause

Aube preserved Bun patchedDependencies in bun.lock, but install-time patch loading only read pnpm.patchedDependencies, aube.patchedDependencies, and workspace YAML entries from package.json/pnpm-workspace.yaml. Bun-only projects could therefore install successfully while materializing the unpatched package contents.

Validation

  • cargo test -p aube-manifest bun_patched_dependencies_reads_top_level_field
  • cargo test -p aube load_reads_bun_top_level_patched_dependencies
  • ./test/bats/bin/bats test/import.bats --filter 'aube install smoke installs messy bun.lock fixture'
  • cargo fmt --check
  • git diff --check
  • linked repro under /tmp/tmp-aube-issues-722/bun-patched-dependencies with local target/debug/aube

Note

Medium Risk
Changes install-time patch resolution to honor Bun’s top-level package.json#patchedDependencies, which can alter the on-disk contents of installed packages for Bun projects. Scope is limited to patch loading/removal paths with added regression tests.

Overview
Aube now reads Bun’s top-level package.json#patchedDependencies and merges it into the patch sources used during aube install, alongside existing pnpm/aube-namespaced entries and workspace YAML declarations.

Patch management is updated to also remove Bun top-level patch entries (dropping the map when it becomes empty), and new unit/integration coverage ensures Bun-authored patches are loaded and applied correctly (including BOM-prefixed package.json).

Reviewed by Cursor Bugbot for commit 9c2a7b1.

greptile-apps Bot (Contributor) commented May 15, 2026

Greptile Summary

This PR fixes Bun-only projects silently installing unpatched packages by teaching the manifest model to parse top-level package.json#patchedDependencies and merging those entries into both the install-time patch loader and the patch-removal path.

  • Adds bun_patched_dependencies() to PackageJson and merges it into load_patches / read_package_json_patched_dependencies with Bun entries having lowest precedence (overridden by pnpm/aube namespaced entries, which are in turn overridden by workspace-yaml).
  • Adds remove_bun_patched_dependency so that patch-remove correctly clears top-level patchedDependencies from package.json, dropping the map when it becomes empty and guarding against spurious writes when the key was already absent.
  • Extends the bun-messy-fixture bats smoke test with a runtime assertion and adds unit regression tests for load, remove, and BOM-prefixed files.

Confidence Score: 5/5

Safe to merge; the core load and removal logic is correct and well-covered by the new tests.

The removal function correctly guards the empty-map cleanup behind the removed flag, the *obj == before short-circuit prevents spurious writes, and both load_patches and read_package_json_patched_dependencies apply the same bun-then-pnpm merge order. The only issue is a misleading phrase in the module doc comment.

The module-level doc comment in crates/aube/src/patches.rs has a misleading precedence description worth correcting before merging if comment accuracy matters to the team.

Important Files Changed

Filename: Overview

  • crates/aube-manifest/src/lib.rs: Adds bun_patched_dependencies() to parse top-level patchedDependencies from package.json, silently ignoring non-string values; includes a unit test. Implementation is clean and consistent with the existing pnpm_patched_dependencies() helper.
  • crates/aube/src/patches.rs: Merges Bun top-level entries into load_patches and read_package_json_patched_dependencies, and adds remove_bun_patched_dependency to handle removal. The removal logic correctly guards against spurious writes and empty-map cleanup. The module-level doc comment lists sources in ascending-priority order but describes it with "in that precedence order", which implies the opposite priority direction.
  • test/import.bats: Extends the bun-messy-fixture smoke test with a runtime assertion that the patched is-odd error message surfaces correctly after install, providing end-to-end regression coverage for the patch-apply path.

Reviews (4): Last reviewed commit: "fix(bun): avoid stale patch removal rewr..."
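
The source precedence described in the summary above (Bun top-level lowest, then pnpm/aube namespaced entries, then workspace YAML), as an added example that is not part of this PR or aube's own code. It is a hypothetical audit helper that lists the patches declared only in Bun's top-level field, which are the ones a loader that ignores that field would silently skip. Assumptions: `aube.*` overrides `pnpm.*` (the page only groups the two), workspace YAML entries arrive already parsed as an object, and the package names and patch paths in the sample are constructed.

```javascript
// Added example: hypothetical audit helper, not code from aube.
const BOM = '\uFEFF';

// Parse package.json text, tolerating a BOM prefix (JSON.parse rejects it).
function parseManifest(text) {
  return JSON.parse(text.startsWith(BOM) ? text.slice(1) : text);
}

// Keep only string-valued entries; non-string values are ignored.
function stringEntries(map) {
  if (map === null || typeof map !== 'object' || Array.isArray(map)) return {};
  return Object.fromEntries(Object.entries(map).filter(([, v]) => typeof v === 'string'));
}

// Merge declarations lowest precedence first, recording the winning source.
// Assumption: aube.* overrides pnpm.*; the page only groups them together.
function resolvePatches(manifestText, workspaceYamlPatches = {}) {
  const pkg = parseManifest(manifestText) || {};
  const layers = [
    ['bun', stringEntries(pkg.patchedDependencies)],
    ['pnpm', stringEntries(pkg.pnpm && pkg.pnpm.patchedDependencies)],
    ['aube', stringEntries(pkg.aube && pkg.aube.patchedDependencies)],
    ['workspace', stringEntries(workspaceYamlPatches)],
  ];
  const resolved = {};
  for (const [source, entries] of layers) {
    for (const [key, path] of Object.entries(entries)) resolved[key] = { path, source };
  }
  return resolved;
}

// Keys whose winning declaration is Bun's top-level field: an installer that
// does not read that field would materialize these packages unpatched.
function bunOnlyPatches(manifestText, workspaceYamlPatches = {}) {
  const resolved = resolvePatches(manifestText, workspaceYamlPatches);
  return Object.keys(resolved).filter((k) => resolved[k].source === 'bun').sort();
}

// Constructed sample manifest (BOM-prefixed); names, versions and paths are made up.
const SAMPLE = BOM + JSON.stringify({
  name: 'demo',
  patchedDependencies: {
    'is-odd@3.0.1': 'patches/is-odd@3.0.1.patch',
    'left-pad@1.3.0': 'patches/bun-left-pad.patch',
    'bad@1.0.0': 42, // non-string value, dropped by stringEntries
  },
  pnpm: { patchedDependencies: { 'left-pad@1.3.0': 'patches/pnpm-left-pad.patch' } },
});
```

Running `bunOnlyPatches` over each manifest in a repository gives the set of packages whose installed contents should be compared against the patch files after an install.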

jdx force-pushed the codex/fix-bun-patched-dependencies branch from edb9187 to adf5c44 on May 15, 2026 18:49
Comment thread crates/aube/src/patches.rs
Comment thread crates/aube/src/patches.rs

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 9ac4785.

Comment thread crates/aube/src/patches.rs Outdated
jdx merged commit c8211cc into main on May 15, 2026
18 checks passed
jdx deleted the codex/fix-bun-patched-dependencies branch on May 15, 2026 19:54