Skip to content

fix(lockfile): honor bun workspace-scoped direct deps#489

Merged
jdx merged 5 commits intomainfrom
fix/bun-workspace-nested-direct-deps
May 3, 2026
Merged

fix(lockfile): honor bun workspace-scoped direct deps#489
jdx merged 5 commits intomainfrom
fix/bun-workspace-nested-direct-deps

Conversation

@jdx
Copy link
Copy Markdown
Contributor

@jdx jdx commented May 3, 2026
edited by cursor Bot
Loading

Summary

  • resolve Bun workspace direct dependencies through <workspace package name>/<dep> before falling back to hoisted entries
  • keep the existing workspace-path guard so directory segments do not alias package nesting
  • add a regression for the z-app/tslib shape from https://github.com/johnpyp/aube-bun-lock-scoped-entry-repro

Validation

  • cargo fmt --check
  • cargo test -p aube-lockfile workspace_dep
  • cargo test -p aube-lockfile test_parse_workspace_path_does_not_alias_npm_package
  • cargo clippy -p aube-lockfile --all-targets -- -D warnings
  • cargo build
  • cloned johnpyp/aube-bun-lock-scoped-entry-repro and verified aube install --disable-global-virtual-store links packages/z-app/node_modules/tslib to ../../../node_modules/.aube/tslib@2.4.0/node_modules/tslib

Note

Medium Risk
Changes bun.lock parsing for workspace direct-dep resolution and rewrites certain workspace-scoped local paths, which can affect which package versions/paths are installed in monorepos.

Overview
Fixes bun workspace direct-dependency resolution to prefer workspace package name-scoped entries (e.g. z-app/tslib) before falling back to workspace-path scoped (e.g. packages/z-app/tslib) and finally hoisted keys.

Adds rebasing for bun workspace-scoped file:/local entries that contain .. so importer-relative paths are normalized back to project-root-relative form, and centralizes lexical path normalization in aube-util (reused by the resolver). New regression tests cover both the name-scoped workspace dep shape and the local tarball rebasing behavior.

Reviewed by Cursor Bugbot for commit 42a2342. Bugbot is set up for automated code reviews on this repo. Configure here.

@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented May 3, 2026
edited
Loading

Greptile Summary

Fixes Bun workspace direct-dependency resolution to prefer the workspace-name-scoped key (z-app/tslib) before the path-scoped key (packages/z-app/tslib) and the hoisted entry, and rebases ..-relative local sources in name-scoped entries to project-root-relative form at parse time. Also promotes the normalize_lexical helper to aube-util to eliminate the duplicate copy in aube-resolver.

Confidence Score: 5/5

Safe to merge — logic is correct, well-tested, and the PR's own end-to-end validation confirms the target scenario works.

No P0 or P1 findings. The workspace_scopes prefix-match uses a / suffix guard that makes false positives impossible regardless of name-overlap, normalize_lexical is moved unchanged, and both new tests cover the name-scoped resolution and local-tarball rebasing paths (including the previously-missing hoisted-sibling assertion).

No files require special attention.

Important Files Changed

Filename Overview
crates/aube-lockfile/src/bun.rs Adds workspace-name-scoped dep resolution (highest priority) and path rebasing for name-scoped ..-relative local sources at parse time; updates comment; adds two regression tests
crates/aube-resolver/src/local_source.rs Removes normalize_path (now deduplicated into aube-util) and replaces all call sites with normalize_lexical; no logic change
crates/aube-util/src/path.rs Adds normalize_lexical as a public cross-crate utility, lifted verbatim from local_source.rs; three unit tests added

Reviews (5): Last reviewed commit: "refactor: share lexical path normalizati..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed May 3, 2026
View reviewed changes
Comment thread crates/aube-lockfile/src/bun.rs
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 3, 2026
edited
Loading

Benchmark changes

Versions:

  • aube: 1.6.2 -> 1.7.0
  • pnpm: 11.0.3 -> 11.0.4

Public ratios: warm installs vs Bun 7x -> 6x; warm installs vs pnpm 11x -> 10x.

Benchmark aube bun pnpm
Fresh install (warm cache) 332ms -> 320ms (-4%) 2242ms -> 1990ms (-11%) 3500ms -> 3066ms (-12%)
CI install (warm cache, GVS disabled) 930ms -> 993ms (+7%) 1447ms -> 1956ms (+35%) 2475ms -> 2447ms (-1%)
CI install (cold cache, GVS disabled) 4364ms -> 3632ms (-17%) 4083ms -> 4145ms (+2%) 5380ms -> 5582ms (+4%)

42a2342 vs b3ec965 | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.

cursor[bot]
cursor Bot reviewed May 3, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 76d3de3. Configure here.

Comment thread crates/aube-lockfile/src/bun.rs Outdated
@jdx jdx merged commit 9eb7b96 into main May 3, 2026
18 checks passed
@jdx jdx deleted the fix/bun-workspace-nested-direct-deps branch May 3, 2026 08:45
@greptile-apps greptile-apps Bot mentioned this pull request May 3, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jdx