What version of Bun is running?
1.0.13+f5bf67bd1
What platform is your computer?
Linux 5.15.0-47-generic x86_64 unknown
What steps can reproduce the bug?
Hi, I want to use bun in our CI to install dependencies based on an existing package-lock.json. My package.json contains overrides, which leads to the following problem:
npm install to generate package-lock.json
bun pm migrate to generate bun.lockb from package-lock.json
bun install --frozen-lockfile to reinstall dependencies
Fails with error: lockfile had changes, but lockfile is frozen
What is the expected behavior?
No error, as the package.json did not change.
What do you see instead?
error: lockfile had changes, but lockfile is frozen
Additional information
With some debugging I identified that the problem is that during migration, the Lockfile's overrides field is not set. So the following code path is triggered, leading to a difference in lockfiles:
https://github.com/oven-sh/bun/blob/778bad9dfd1b093cfd58a41a44ca9106828a9e0f/src/install/lockfile.zig#L2896-L2897
This is probably because the information is not explicitly contained in the package-lock.json file, and the migration only considers the package-lock.json, not the package.json.
So my ideas would be:
Set Lockfile.overrides based on package.json
Somehow deduce overrides from the package-lock.json. E.g. in my case, the package-lock.json contains the following:
so it has an additional "name" field set, which indicates that it has been an override. But this seems more fragile than using the package.json.