oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh

`bun add --exact` does not save an exact version in the lockfile #5647

Open jonahsnider opened 11 months ago

jonahsnider commented 11 months ago

What version of Bun is running?

1.0.2+37edd5a6e389265738e89265bcbdf2999cb81a49

What platform is your computer?

Darwin 22.6.0 arm64 arm

What steps can reproduce the bug?

Create a file `lockfile.test.ts` in a new directory with the following contents:

```ts
import { test, expect } from "bun:test";

const npmPackage = "convert";

function $(...script: string[]): string {
  const proc = Bun.spawnSync(script, {
    stdout: "pipe",
  });

  return new TextDecoder().decode(proc.stdout);
}

test("bun add --exact", () => {
  $("bun", "remove", npmPackage);
  $("bun", "add", "--exact", npmPackage);

  const lockfileBefore = $("bun", "./bun.lockb");

  $("bun", "install");

  const lockfileAfter = $("bun", "./bun.lockb");

  expect(lockfileBefore).toBe(lockfileAfter);
});
```

Run the script with `bun test`. The test fails because of this bug.

What is the expected behavior?

The updated lockfile from `bun add --exact` should contain an exact version of the added dependency, not a `^` range.

For example, for the package `convert`, `bun.lockb` should be:

```
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
# bun ./bun.lockb --hash: 4749D76B88125522-3ba2f1195c0386b1-55C16EFD8BA940E5-d14ca2997ca458fd

convert@4.13.2:
  version "4.13.2"
  resolved "https://registry.npmjs.org/convert/-/convert-4.13.2.tgz"
  integrity sha512-KLkCaBqef9QiPJ5bSxF66h8x5MnnqI3mUs8uwF70X6CmqeXgGsvCfHO6D/KmvhQan0HrjoRC/NGJWeRSuVWgqg==
```

What do you see instead?

Instead, `bun.lockb` will be:

```
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
# bun ./bun.lockb --hash: 4749D76B88125522-3ba2f1195c0386b1-55C16EFD8BA940E5-d14ca2997ca458fd

convert@^4.13.2:
  version "4.13.2"
  resolved "https://registry.npmjs.org/convert/-/convert-4.13.2.tgz"
  integrity sha512-KLkCaBqef9QiPJ5bSxF66h8x5MnnqI3mUs8uwF70X6CmqeXgGsvCfHO6D/KmvhQan0HrjoRC/NGJWeRSuVWgqg==
```

Additionally concerning: the `--hash` value in both lockfiles is the same, despite the lockfiles being different.

Additional information

No response

Kleywalker commented 10 months ago

Will this be fixed in 1.0.5?

nektro commented 4 months ago

For future readers:

After `bun add convert --exact`:

```
# package.json
{
  "dependencies": {
    "convert": "5.0.0"
  }
}
# bun.lockb
convert@^5.0.0:
  version "5.0.0"
  resolved "https://registry.npmjs.org/convert/-/convert-5.0.0.tgz"
  integrity sha512-29kAvWXhWpL2Lhhmseb0Y/sJnE4RA62TAwG9qTJP4dJvnABqFOLNLlwuYCiRYCeOfTD0GPkCJBlKDY50gDjVbg==
```

Then after `bun install`:

```
# package.json is unchanged
{
  "dependencies": {
    "convert": "5.0.0"
  }
}
# bun.lockb is fixed
convert@5.0.0:
  version "5.0.0"
  resolved "https://registry.npmjs.org/convert/-/convert-5.0.0.tgz"
  integrity sha512-29kAvWXhWpL2Lhhmseb0Y/sJnE4RA62TAwG9qTJP4dJvnABqFOLNLlwuYCiRYCeOfTD0GPkCJBlKDY50gDjVbg==
```
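
The drift shown in this thread (an exact pin in package.json, a `^` range as the lockfile key) can be checked mechanically. The following is an added example, not part of the original issue or of Bun's code; it assumes the yarn v1 text printed by `bun ./bun.lockb`, and the function names, finding labels and trimmed sample lockfile strings are constructed for illustration.

```javascript
// Added example (not Bun's code): flag dependencies whose package.json
// specifier is not a key of the matching yarn-v1 lockfile entry.
const EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/;

// Parse headers such as `convert@^5.0.0:` or `"@a/b@^1.0.0", "@a/b@1.0.0":`
// into Map<name, [{ name, spec, version }]>.
function parseYarnLock(text) {
  const byName = new Map();
  let current = [];
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      current = line.replace(/:\s*$/, "").split(",").map((raw) => {
        const key = raw.trim().replace(/^"|"$/g, "");
        const at = key.indexOf("@", 1); // skip the leading "@" of scoped names
        return { name: key.slice(0, at), spec: key.slice(at + 1), version: null };
      });
      for (const e of current) {
        if (!byName.has(e.name)) byName.set(e.name, []);
        byName.get(e.name).push(e);
      }
    } else {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) for (const e of current) e.version = m[1];
    }
  }
  return byName;
}

function findLockfileDrift(packageJson, lockText) {
  const locked = parseYarnLock(lockText);
  const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
  const findings = [];
  for (const [name, wanted] of Object.entries(deps)) {
    const entries = locked.get(name) || [];
    if (entries.some((e) => e.spec === wanted)) continue; // specifier recorded as-is
    const kind = entries.length === 0 ? "missing"
      : EXACT.test(wanted) ? "exact-pin-not-recorded" : "specifier-mismatch";
    findings.push({ name, wanted, lockedSpecs: entries.map((e) => e.spec), kind });
  }
  return findings;
}

// Constructed sample, trimmed from the entries quoted in this thread.
const PKG = { dependencies: { convert: "5.0.0" } };
const LOCK_AFTER_ADD = 'convert@^5.0.0:\n  version "5.0.0"\n';
const LOCK_AFTER_INSTALL = 'convert@5.0.0:\n  version "5.0.0"\n';
console.log(findLockfileDrift(PKG, LOCK_AFTER_ADD), findLockfileDrift(PKG, LOCK_AFTER_INSTALL));
```

Fed the output of `bun ./bun.lockb` in CI, a non-empty result signals that the lockfile does not record the specifier package.json asks for.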