Turbo prune emits invalid Bun lockfile for pruned workspace with nested npm package entries

[RedEagle-dh]

Verify canary release

• I verified that the issue exists in the latest Turborepo canary release.

Link to code that reproduces this issue

https://github.com/RedEagle-dh/turbo-bun-prune-frozen-repro

Which canary version will you have in your reproduction?

v2.9.10-canary.1

Environment information

CLI:
   Version: 2.9.10-canary.1
   Path to executable: /tmp/bunx-1000-turbo@2.9.10-canary.1/node_modules/@turbo/linux-64/bin/turbo
   Daemon status: Not running
   Package manager: bun

Platform:
   Architecture: x86_64
   Operating system: linux
   WSL: false
   Available memory (MB): 18590
   Available CPU cores: 16

Environment:
   CI: None
   AI agent: None
   Terminal (TERM): dumb
   Terminal program (TERM_PROGRAM): unknown
   Terminal program version (TERM_PROGRAM_VERSION): unknown
   Shell (SHELL): /bin/fish
   stdin: false
   Node.js version: v25.9.0

Expected behavior

turbo prune @eventmate/migrations --docker should generate a pruned Bun lockfile that remains valid for the pruned workspace.

Running this in the Docker installer stage should succeed without modifying the lockfile:

bun install --frozen-lockfile --ignore-scripts

Actual behavior

The root bun.lock is valid, but the lockfile generated in out/json/bun.lock by turbo prune --docker is invalid for Bun's frozen install.

With turbo@2.9.10-canary.1, the pruned lockfile keeps this package:

npm/@npmcli/arborist

That package depends on @npmcli/metavuln-calculator, but the pruned lockfile drops the matching nested package entry:

npm/@npmcli/metavuln-calculator

The frozen install then fails with:

bun install v1.3.13 (bf2e2cec)
1259 |     "npm/@npmcli/arborist": ["@npmcli/arborist@8.0.5", "", { "dependencies": { "@isa
           ^
error: Failed to resolve prod dependency '@npmcli/metavuln-calculator' for package 'npm/@npmcli/arborist'
    at bun.lock:1259:5
InvalidPackageInfo: failed to parse lockfile: 'bun.lock'

warn: Ignoring lockfile
error: lockfile had changes, but lockfile is frozen

The Docker build fails at:

RUN bun install --frozen-lockfile --ignore-scripts

To Reproduce

git clone https://github.com/RedEagle-dh/turbo-bun-prune-frozen-repro.git
cd turbo-bun-prune-frozen-repro
docker build --no-cache -t turbo-bun-prune-frozen-repro -f apps/migrations/Dockerfile .

The Dockerfile uses:

COPY --from=pruner /app/out/json/ .
RUN bun install --frozen-lockfile --ignore-scripts

Canary control check without Docker:

bunx turbo@2.9.10-canary.1 prune @eventmate/migrations --docker --out-dir=/tmp/repro_issue_canary_prune
cd /tmp/repro_issue_canary_prune/json
bun install --frozen-lockfile --ignore-scripts

Root lockfile control check:

bun install --frozen-lockfile --ignore-scripts

The root lockfile installs correctly with frozen lockfile enabled. The failure appears only after turbo prune --docker generates the pruned out/json/bun.lock.

Additional context

This reproduces locally with oven/bun:1.3.13-alpine and with Bun 1.3.13 outside Docker.

The repro intentionally includes an unrelated docs workspace dependency:

"@asyncapi/cli": "4.1.0"

The pruned target is @eventmate/migrations, which does not depend on the docs workspace. The unrelated dependency changes the global Bun lockfile enough to include multiple nested @npmcli/* package identities. Turbo then emits a pruned lockfile that keeps a package whose dependency target was removed.

This looks related to #11171 and #12653 but this repro verifies the behavior against the current canary 2.9.10-canary.1.