fix(lockfile): store bun dependency tails #355

Merged
jdx merged 1 commit into main from codex/bun-dependency-tails
Apr 28, 2026

@jdx jdx commented Apr 28, 2026

Summary

  • Store Bun package dependency values as dep-path tails instead of full name@version strings.
  • Keep workspace-link dependency emission compatible with the tail form.
  • Update Bun lockfile tests to assert the shared LockedPackage.dependencies contract.

Why

Bun lockfile imports were producing dependency entries like node-gyp-build -> node-gyp-build@node-gyp-build@4.8.4, which broke transitive sibling links and dep-local .bin generation. Approved postinstall scripts could then fail after migrating from bun install to aube install, because tools such as node-gyp-build and packages such as @electron/get were not resolvable from the virtual store package.

Validation

  • cargo fmt --check
  • cargo test -p aube-lockfile bun::tests
  • cargo test -p aube-lockfile
  • Reproduced the reported Bun-to-Aube install with bufferutil@4.0.9, electron@39.2.7, and fs-extra@10.1.0; verified aube install --no-side-effects-cache now exits successfully.

Note

Medium Risk
Changes Bun lockfile parsing/writing semantics for LockedPackage.dependencies, which affects downstream linking and script/bin resolution; regressions could break installs if any consumer still expects full name@version dep values.

Overview
Bun lockfile parsing now stores transitive dependency values as dep-path tails (e.g. "3.1.0" instead of "nested@3.1.0"), using the shared npm::dep_path_tail helper so downstream consumers see the same dependency-map shape across lockfile formats.

Bun workspace package emission was updated to match the tail form, fixing reachability checks for workspace-link targets by comparing against canonical keys rather than raw dep values.

Tests were updated/added to assert the new contract (including a regression covering lifecycle-script-related deps like node-gyp-build and @electron/get).

Reviewed by Cursor Bugbot for commit 9483919. Bugbot is set up for automated code reviews on this repo.

@jdx jdx force-pushed the codex/bun-dependency-tails branch from d19aba7 to 0870f77 Compare April 28, 2026 01:51

greptile-apps Bot commented Apr 28, 2026

Greptile Summary

This PR fixes a Bun lockfile parsing bug where transitive dependency values were stored as full name@version dep_paths (e.g. "node-gyp-build@4.8.4") instead of the tail-only form (e.g. "4.8.4") used by the pnpm parser. The fix applies the existing dep_path_tail helper (already used by npm.rs) in the Bun second-pass resolution, and corrects the workspace-link write path to compare canonical_key against workspace_dep_paths rather than raw dep_value, which would have silently dropped workspace-to-workspace dep edges under the new encoding.

Confidence Score: 5/5

Safe to merge — the fix is narrowly scoped to Bun dep_value encoding and is well-covered by existing and new tests.

No P0 or P1 issues found. The parse change correctly uses dep_path_tail(dname, &target_dep_path) where target_dep_path is always "{dname}@{dver}", so the strip can never misfire. The write-side change to workspace_dep_paths.contains(&canonical_key) is consistent with how child_canonical_key reconstructs the full name@version key from either encoding. New lifecycle-deps regression test covers the reported bufferutil/electron scenario.

No files require special attention.

Important Files Changed

Filename | Overview
crates/aube-lockfile/src/bun.rs | Fixes dep_value storage to use dep_path tails (e.g. "4.8.4" instead of "node-gyp-build@4.8.4"); updates workspace write check from raw dep_value comparison to canonical_key lookup; adds lifecycle-deps regression test.
crates/aube-lockfile/src/npm.rs | Widens dep_path_tail visibility from private to pub(crate) so bun.rs can reuse it; no other logic changes.

Reviews (2): Last reviewed commit: "fix(lockfile): store bun dependency tail..."
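The encoding mismatch discussed in this PR, as an added Rust example that is not aube's code: `dep_path_tail` follows the call shape quoted above, while its body, the signature of `child_canonical_key`, the helpers `naive_key` and `unresolved`, and the `0.0.0` version are assumptions made for illustration.

```rust
use std::collections::{BTreeMap, HashSet};

// Stand-in for the helper the PR names (not aube's source): strip "{name}@"
// from a dep path; a value that is already a tail comes back unchanged.
fn dep_path_tail<'a>(name: &str, dep_path: &'a str) -> &'a str {
    dep_path
        .strip_prefix(name)
        .and_then(|rest| rest.strip_prefix('@'))
        .unwrap_or(dep_path)
}

// Assumed shape of key reconstruction: tolerates either encoding.
fn child_canonical_key(name: &str, value: &str) -> String {
    format!("{}@{}", name, dep_path_tail(name, value))
}

// Hypothetical consumer written for the tail contract: joins name and value as-is.
fn naive_key(name: &str, value: &str) -> String {
    format!("{}@{}", name, value)
}

// Dependency names whose computed key is missing from the store's package set.
fn unresolved(
    deps: &BTreeMap<&str, &str>,
    store: &HashSet<String>,
    key: fn(&str, &str) -> String,
) -> Vec<String> {
    deps.iter()
        .filter(|(n, v)| !store.contains(&key(n, v)))
        .map(|(n, _)| n.to_string())
        .collect()
}

fn main() {
    // Constructed sample; the @electron/get version is a placeholder.
    let store: HashSet<String> = ["node-gyp-build@4.8.4", "@electron/get@0.0.0"]
        .iter().map(|s| s.to_string()).collect();
    let full = BTreeMap::from([
        ("node-gyp-build", "node-gyp-build@4.8.4"),
        ("@electron/get", "@electron/get@0.0.0"),
    ]);
    let tails = BTreeMap::from([("node-gyp-build", "4.8.4"), ("@electron/get", "0.0.0")]);
    println!("full + naive:     {:?}", unresolved(&full, &store, naive_key));
    println!("tails + naive:    {:?}", unresolved(&tails, &store, naive_key));
    println!("full + canonical: {:?}", unresolved(&full, &store, child_canonical_key));
}
```

The same comparison explains the workspace-link fix: a set of full `name@version` keys never contains a bare tail, so membership has to be tested on the reconstructed key.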

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 0870f77.

Comment thread crates/aube-lockfile/src/bun.rs Outdated
@jdx jdx force-pushed the codex/bun-dependency-tails branch from 0870f77 to 9483919 Compare April 28, 2026 02:02
@jdx jdx merged commit d8f260a into main Apr 28, 2026
17 checks passed
@jdx jdx deleted the codex/bun-dependency-tails branch April 28, 2026 02:14
@greptile-apps greptile-apps Bot mentioned this pull request Apr 28, 2026