Inconsistent bun.lock when doing lockfile maintenance

[kevinmarrec]

What version of Bun is running?

1.1.45+196621f25

What platform is your computer?

Linux 5.15.167.4-microsoft-standard-WSL2 x86_64 x86_64

What steps can reproduce the bug?

• Have multiple sub dependencies using different versions of a sub-sub dependency.
• Do a lockfile maintenance : rm -rf bun.lock && bun install

What is the expected behavior?

Consistent bun.lock

What do you see instead?

I don't know how to explain the bug, but I've 3 sub-dependencies using theirselves a subdependency named xml-name-validator.

• 2 of them use v5.0
• 1 of them uses v4.0

And when I do a lockfile maintenance rm -rf bun.lock && bun install, I'm randomly having bun switching the versions, this is probably due to some parallelism or cache.

So sometimes it hoists v5.0 at top level bun.lock and hoists v4.0 to the sub dependency that is using a downgraded version compared to its siblings using v5.0.

Sometimes it hoists v4.0 at top level bun.lock and hoists v5.0 to the 2 sub dependencies that is using an upgraded version compared to its sibling using v4.0

Maybe I'm skewed by not using --no-cache option and that it sometimes read different caches, or skipping it because some package updates, then when redoing lock file maintenance it uses old cache (not saving new cache after package update?).

Still, with the --no-cache --force, i'm still having inconsistent updates, so it must be caused by random factor such as parallelism.

[dylan-conway]

Thanks for the bug report. This issue will likely be fixed when #16267 is merged. The pr isn't finished yet, but you can give it a try with bunx bun-pr 16267.