Migrating package-lock.json with overrides produces bun.lockb without overrrides

[hborchardt]

What version of Bun is running?

1.0.13+f5bf67bd1

What platform is your computer?

Linux 5.15.0-47-generic x86_64 unknown

What steps can reproduce the bug?

Hi, I want to use bun in our CI to install dependencies based on an existing package-lock.json. My package.json contains overrides, which leads to the following problem:

• Have a package.json with overrides:

  {
  "name": "test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
  "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
  "@swagger-api/apidom-parser-adapter-asyncapi-json-2": "0.81.0"
  },
  "overrides": {
  "@swagger-api/apidom-parser-adapter-json": "npm:empty-npm-package@1.0.0"
  }
  }

• Run the following:
  • npm install to generate package-lock.json
  • bun pm migrate to generate bun.lockb from package-lock.json
  • bun install --frozen-lockfile to reinstall dependencies
• Fails with error: lockfile had changes, but lockfile is frozen

What is the expected behavior?

No error, as the package.json did not change.

What do you see instead?

error: lockfile had changes, but lockfile is frozen

Additional information

With some debugging I identified that the problem is that during migration, the Lockfile's overrides field is not set. So the following code path is triggered, leading to a difference in lockfiles: https://github.com/oven-sh/bun/blob/778bad9dfd1b093cfd58a41a44ca9106828a9e0f/src/install/lockfile.zig#L2896-L2897 This is probably because the information is not explicitly contained in the package-lock.json file, and the migration only considers the package-lock.json, not the package.json. So my ideas would be:

• Set Lockfile.overrides based on package.json
• Somehow deduce overrides from the package-lock.json. E.g. in my case, the package-lock.json contains the following:

  "node_modules/@swagger-api/apidom-parser-adapter-json": {
    "name": "empty-npm-package",
    "version": "1.0.0",
    "resolved": "https://registry.npmjs.org/empty-npm-package/-/empty-npm-package-1.0.0.tgz",
    "integrity": "sha512-q4Mq/+XO7UNDdMiPpR/LIBIW1Zl4V0Z6UT9aKGqIAnBCtCb3lvZJM1KbDbdzdC8fKflwflModfjR29Nt0EpcwA=="
  },

  so it has an additional "name" field set, which indicates that it has been an override. But this seems more fragile than using the package.json.

[Jarred-Sumner]

Thanks for the detailed bug report

Yes this was an oversight. We implemented package-lock.json and then overrides, then didn’t go back and make sure overrides persisted as expected