What version of Bun is running?
1.3.14
What platform is your computer?
macOS (Darwin arm64). Behavior is platform-independent.
What steps can reproduce the bug?
Minimal reproduction: https://github.com/why-reproductions-are-required/bun-http-url-override-name-mismatch
git clone https://github.com/why-reproductions-are-required/bun-http-url-override-name-mismatch
cd bun-http-url-override-name-mismatch
./reproduce.sh # bash script; do NOT use `bun run` (it parses .sh as JS)
When a dependency (directly, or via overrides) points at an HTTP(S) tarball URL, Bun downloads the tarball and reads the name field from the package.json inside it. If that name does not equal the dependency key, Bun discards it.
The repo has four directories that are the same project — a vite dependency pointed at a tarball of @voidzero-dev/vite-plus-core, plus vitest (which declares a vite peer). Only the package manager and tarball differ:
| Dir |
Package manager |
tarball internal name |
node_modules/vite |
npm-reference |
npm 10.9.3 |
@voidzero-dev/vite-plus-core |
@voidzero-dev/vite-plus-core@0.2.1 ✅ |
pnpm-reference |
pnpm 10/11 |
@voidzero-dev/vite-plus-core |
@voidzero-dev/vite-plus-core@0.2.1 ✅ |
bun-control |
bun 1.3.14 |
vite |
vite@5.4.0 ✅ |
bun-bug |
bun 1.3.14 |
@voidzero-dev/vite-plus-core |
NOT INSTALLED ❌ |
What is the expected behavior?
bun-bug should resolve vite to the tarball (@voidzero-dev/vite-plus-core), the same way:
- npm and pnpm resolve it to
@voidzero-dev/vite-plus-core@0.2.1, and
bun-control resolves vite to its vite@5.4.0 tarball.
bun-control vs bun-bug are identical except for the tarball's internal name, so neither the version range nor "it's a URL dependency" is the deciding factor: Bun installs a URL tarball named vite fine and rejects one named @voidzero-dev/vite-plus-core.
What do you see instead?
# bun-bug
error: vite@^5.0.0 || ^6.0.0 || ^7.0.0-0 failed to resolve
node_modules/vite: NOT INSTALLED
Bun drops the vite dependency/override because the tarball's internal name is not vite, so vitest's declared vite peer (^5.0.0 || ^6.0.0 || ^7.0.0-0) has nothing to resolve to. In graphs where another edge can satisfy vite, it silently falls back to that version instead of the intended tarball.
Additional information
Real-world impact: Vite+ aliases vite to its core package @voidzero-dev/vite-plus-core; testing an unreleased build points that alias/override at a pkg.pr.new tarball of the core package. npm and pnpm install the preview core as vite; Bun drops it, so the preview isn't exercised. (npm & pnpm honor it; pnpm additionally needs blockExoticSubdeps: false so the URL dep may satisfy vitest's peer. The pkg.pr.new@1944 URL relies on a live preview build; the same behavior reproduces with any tarball whose internal name differs from the key.)
What version of Bun is running?
1.3.14
What platform is your computer?
macOS (Darwin arm64). Behavior is platform-independent.
What steps can reproduce the bug?
Minimal reproduction: https://github.com/why-reproductions-are-required/bun-http-url-override-name-mismatch
When a dependency (directly, or via
overrides) points at an HTTP(S) tarball URL, Bun downloads the tarball and reads thenamefield from thepackage.jsoninside it. If thatnamedoes not equal the dependency key, Bun discards it.The repo has four directories that are the same project — a
vitedependency pointed at a tarball of@voidzero-dev/vite-plus-core, plusvitest(which declares avitepeer). Only the package manager and tarball differ:namenode_modules/vitenpm-reference@voidzero-dev/vite-plus-core@voidzero-dev/vite-plus-core@0.2.1✅pnpm-reference@voidzero-dev/vite-plus-core@voidzero-dev/vite-plus-core@0.2.1✅bun-controlvitevite@5.4.0✅bun-bug@voidzero-dev/vite-plus-coreWhat is the expected behavior?
bun-bugshould resolveviteto the tarball (@voidzero-dev/vite-plus-core), the same way:@voidzero-dev/vite-plus-core@0.2.1, andbun-controlresolvesviteto itsvite@5.4.0tarball.bun-controlvsbun-bugare identical except for the tarball's internalname, so neither the version range nor "it's a URL dependency" is the deciding factor: Bun installs a URL tarball namedvitefine and rejects one named@voidzero-dev/vite-plus-core.What do you see instead?
Bun drops the
vitedependency/override because the tarball's internalnameis notvite, sovitest's declaredvitepeer (^5.0.0 || ^6.0.0 || ^7.0.0-0) has nothing to resolve to. In graphs where another edge can satisfyvite, it silently falls back to that version instead of the intended tarball.Additional information
Real-world impact: Vite+ aliases
viteto its core package@voidzero-dev/vite-plus-core; testing an unreleased build points that alias/override at a pkg.pr.new tarball of the core package. npm and pnpm install the preview core asvite; Bun drops it, so the preview isn't exercised. (npm & pnpm honor it; pnpm additionally needsblockExoticSubdeps: falseso the URL dep may satisfy vitest's peer. Thepkg.pr.new@1944URL relies on a live preview build; the same behavior reproduces with any tarball whose internal name differs from the key.)