bun install discards an HTTP(S) tarball dependency/override when the tarball's internal name differs from the dependency key (npm & pnpm honor it) #33192

Description

@fengmk2

What version of Bun is running?

1.3.14

What platform is your computer?

macOS (Darwin arm64). Behavior is platform-independent.

What steps can reproduce the bug?

Minimal reproduction: https://github.com/why-reproductions-are-required/bun-http-url-override-name-mismatch

git clone https://github.com/why-reproductions-are-required/bun-http-url-override-name-mismatch
cd bun-http-url-override-name-mismatch
./reproduce.sh   # bash script; do NOT use `bun run` (it parses .sh as JS)

When a dependency (directly, or via overrides) points at an HTTP(S) tarball URL, Bun downloads the tarball and reads the name field from the package.json inside it. If that name does not equal the dependency key, Bun discards it.

The repo has four directories that are the same project — a vite dependency pointed at a tarball of @voidzero-dev/vite-plus-core, plus vitest (which declares a vite peer). Only the package manager and tarball differ:

// bun-bug/package.json — tarball's internal name is "@voidzero-dev/vite-plus-core"
{
  "devDependencies": {
    "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1944",
    "vitest": "3.2.4"
  },
  "overrides": {
    "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1944"
  }
}
// bun-control/package.json — tarball's internal name IS "vite"
{
  "devDependencies": {
    "vite": "https://registry.npmjs.org/vite/-/vite-5.4.0.tgz",
    "vitest": "3.2.4"
  },
  "overrides": {
    "vite": "https://registry.npmjs.org/vite/-/vite-5.4.0.tgz"
  }
}
| Dir | Package manager | tarball internal name | node_modules/vite |
| --- | --- | --- | --- |
| npm-reference | npm 10.9.3 | @voidzero-dev/vite-plus-core | @voidzero-dev/vite-plus-core@0.2.1 |
| pnpm-reference | pnpm 10/11 | @voidzero-dev/vite-plus-core | @voidzero-dev/vite-plus-core@0.2.1 |
| bun-control | bun 1.3.14 | vite | vite@5.4.0 |
| bun-bug | bun 1.3.14 | @voidzero-dev/vite-plus-core | NOT INSTALLED |

What is the expected behavior?

bun-bug should resolve vite to the tarball (@voidzero-dev/vite-plus-core), the same way:

  • npm and pnpm resolve it to @voidzero-dev/vite-plus-core@0.2.1, and
  • bun-control resolves vite to its vite@5.4.0 tarball.

bun-control vs bun-bug are identical except for the tarball's internal name, so neither the version range nor "it's a URL dependency" is the deciding factor: Bun installs a URL tarball named vite fine and rejects one named @voidzero-dev/vite-plus-core.

What do you see instead?

# bun-bug
error: vite@^5.0.0 || ^6.0.0 || ^7.0.0-0 failed to resolve
node_modules/vite: NOT INSTALLED

Bun drops the vite dependency/override because the tarball's internal name is not vite, so vitest's declared vite peer (^5.0.0 || ^6.0.0 || ^7.0.0-0) has nothing to resolve to. In graphs where another edge can satisfy vite, it silently falls back to that version instead of the intended tarball.

Additional information

Real-world impact: Vite+ aliases vite to its core package @voidzero-dev/vite-plus-core; testing an unreleased build points that alias/override at a pkg.pr.new tarball of the core package. npm and pnpm install the preview core as vite; Bun drops it, so the preview isn't exercised. (npm & pnpm honor it; pnpm additionally needs blockExoticSubdeps: false so the URL dep may satisfy vitest's peer. The pkg.pr.new@1944 URL relies on a live preview build; the same behavior reproduces with any tarball whose internal name differs from the key.)
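A post-install check for the two outcomes the report describes (the URL-pinned key missing from node_modules, or silently filled by a different package), as an added example that is not part of the original issue or of Bun. The names `auditUrlPins`, `urlPinnedKeys`, `makeFixture`, the `expectedNames` map and the status strings are assumptions made for illustration, and the fixture is constructed.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const isTarballUrl = (spec) => typeof spec === "string" && /^https?:\/\//i.test(spec);

// Keys in package.json whose spec is an HTTP(S) tarball URL (direct or override).
function urlPinnedKeys(manifest) {
  const pinned = new Map();
  for (const field of ["dependencies", "devDependencies", "optionalDependencies", "overrides"]) {
    for (const [key, spec] of Object.entries(manifest[field] || {})) {
      if (isTarballUrl(spec)) pinned.set(key, spec);
    }
  }
  return pinned;
}

// expectedNames maps a dependency key to the name the tarball is known to carry
// (hypothetical input, e.g. { vite: "@voidzero-dev/vite-plus-core" }).
function auditUrlPins(projectDir, expectedNames = {}) {
  const readJson = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
  const findings = [];
  for (const [key, spec] of urlPinnedKeys(readJson(path.join(projectDir, "package.json")))) {
    const pkgPath = path.join(projectDir, "node_modules", key, "package.json");
    if (!fs.existsSync(pkgPath)) {
      findings.push({ key, spec, status: "missing" }); // the bun-bug outcome
      continue;
    }
    const { name, version } = readJson(pkgPath);
    const status = name === (expectedNames[key] || key) ? "ok" : "substituted";
    findings.push({ key, spec, installed: `${name}@${version}`, status });
  }
  return findings;
}

// Constructed fixture: the issue's bun-bug manifest plus an optional fake node_modules/vite.
function makeFixture(installedPkg) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "urlpin-"));
  const url = "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1944";
  const manifest = { devDependencies: { vite: url, vitest: "3.2.4" }, overrides: { vite: url } };
  fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify(manifest));
  if (installedPkg) {
    fs.mkdirSync(path.join(dir, "node_modules", "vite"), { recursive: true });
    fs.writeFileSync(path.join(dir, "node_modules", "vite", "package.json"), JSON.stringify(installedPkg));
  }
  return dir;
}
// Demo on constructed trees: nothing installed, then a fallback vite in place of the tarball.
for (const pkg of [null, { name: "vite", version: "5.4.0" }]) console.log(auditUrlPins(makeFixture(pkg), { vite: "@voidzero-dev/vite-plus-core" }));
```

In CI, failing the job on any status other than "ok" catches the silent-fallback case, which produces no install error.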
