Resolve npm versions from bun.lock#63
Open
danielnc wants to merge 1 commit into
Open
Conversation
Add bun.lock to the lockfile resolution chain so `opensrc path <pkg> --cwd <project>` resolves the installed version in Bun projects. Since Bun 1.2 the default lockfile is the text `bun.lock` (it replaced the binary `bun.lockb`). Previously only package-lock.json, pnpm-lock.yaml and yarn.lock were detected, so a Bun project with no node_modules (e.g. a fresh CI checkout) fell through to the package.json range-stripping fallback, which returns the declared range (^1.0.0 -> 1.0.0) rather than the actually-installed version. bun.lock is JSONC (trailing commas are valid), so it is parsed with the jsonc-parser crate's serde bridge rather than serde_json directly. The top-level `packages` map keys an install entry to an array whose first element is the resolved "name@version" descriptor; the version is read from element [0] (not the key) so npm-alias entries resolve correctly, e.g. "@ai-sdk/provider-utils-v6": ["@ai-sdk/provider-utils@4.0.27", ...]. Resolution priority is unchanged for existing ecosystems; bun.lock slots in after yarn.lock and before the package.json fallback: node_modules > package-lock > pnpm-lock > yarn.lock > bun.lock > package.json Adds 6 unit tests (basic + scoped, prefers resolved over workspace range, npm alias, missing package, no-substring-false-match, invalid input).
|
@danielnc is attempting to deploy a commit to the Vercel Labs Team on Vercel. A member of the Team first needs to authorize it. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
bun.lockto the npm version-resolution chain incore/version.rs, soopensrc path <pkg> --cwd <project>resolves the installed version in Bun projects.Today only
package-lock.json,pnpm-lock.yaml, andyarn.lockare detected. A Bun project with nonode_modules(e.g. a fresh CI checkout) and none of those lockfiles falls through to thepackage.jsonrange-stripping fallback — so a spec like^1.0.0resolves to1.0.0instead of the actually-installed version. Since Bun 1.2 the default lockfile is the textbun.lock(it replaced the binarybun.lockb), so this is increasingly common.Approach
bun.lockis JSONC — trailing commas are valid — so a strictserde_jsonparse fails on it. This uses thejsonc-parsercrate's serde bridge (parse_to_serde_valuewithallow_trailing_commas).The top-level
packagesmap keys an install entry to an array whose first element is the resolvedname@versiondescriptor:The version is read from element
[0], not the key — which makes npm-alias entries resolve correctly, where the key differs from the resolved package:Resolution priority is unchanged for existing ecosystems;
bun.lockslots in afteryarn.lockand before thepackage.jsonfallback:Tests
6 new unit tests in
core::version::tests: basic + scoped, prefers the resolvedpackagesversion over a workspace range, npm alias, missing package, no-substring-false-match (foomust not matchfoo-bar), and invalid input.End-to-end against a real ~219 KB
bun.lock(isolated dir, onlybun.lockpresent so the bun path is actually exercised):@mastra/core1.37.11.37.1ai6.0.1936.0.193zod^3.25.76(range)3.25.76@ai-sdk/openai^3.0.67(range)3.0.67@mastra/memory1.20.01.20.0Notes
jsonc-parser(serde feature); no new transitive crates beyond it. Happy to switch to a hand-rolled scan of thepackagesblock instead if you'd prefer to avoid the dependency — the other lockfile parsers in this file are hand-rolled, so I can match that style.bun.locktext format (Bun >= 1.2) is supported; the legacy binarybun.lockbis not parsed. Projects withbun.lockbstill resolve vianode_modules/package.jsonas before.