fix: respect install.lockfile.save=false when migrating from package-lock.json

Previously, Bun would always save a lockfile when migrating from package-lock.json or yarn.lock, even when install.lockfile.save was set to false in bunfig.toml. This fix ensures that the save=false configuration is respected during migration. The lockfile is still migrated and used in memory for dependency resolution, but it is not written to disk when save=false. Fixes #22963 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-12 20:09:04 +00:00 · 2025-09-25 15:29:22 +00:00
parent e555702653
commit 429c79ff09
3 changed files with 94 additions and 9 deletions
--- a/src/install/PackageManager/PackageManagerDirectories.zig
+++ b/src/install/PackageManager/PackageManagerDirectories.zig
@@ -636,11 +636,14 @@ pub fn saveLockfile(
        this.progress.refresh();
    }

-    this.lockfile.saveToDisk(load_result, &this.options);
+    // Only actually save to disk if save_lockfile is enabled
+    if (this.options.do.save_lockfile) {
+        this.lockfile.saveToDisk(load_result, &this.options);

-    // delete binary lockfile if saving text lockfile
-    if (save_format == .text and load_result.loadedFromBinaryLockfile()) {
-        _ = bun.sys.unlinkat(FD.cwd(), comptime bun.OSPathLiteral("bun.lockb"));
+        // delete binary lockfile if saving text lockfile
+        if (save_format == .text and load_result.loadedFromBinaryLockfile()) {
+            _ = bun.sys.unlinkat(FD.cwd(), comptime bun.OSPathLiteral("bun.lockb"));
+        }
    }

    if (comptime Environment.allow_assert) {
@@ -663,8 +666,11 @@ pub fn saveLockfile(
        this.progress.root.end();
        this.progress = .{};
    } else if (log_level != .silent) {
-        Output.prettyErrorln("Saved lockfile", .{});
-        Output.flush();
+        // Only print message if we actually saved
+        if (this.options.do.save_lockfile) {
+            Output.prettyErrorln("Saved lockfile", .{});
+            Output.flush();
+        }
    }
 }

--- a/src/install/PackageManager/install_with_manager.zig
+++ b/src/install/PackageManager/install_with_manager.zig
@@ -37,8 +37,9 @@ pub fn installWithManager(

    manager.options.enable.force_save_lockfile = manager.options.enable.force_save_lockfile or
        (load_result == .ok and
-            // if migrated always save a new lockfile
-            (load_result.ok.was_migrated or
+            // if migrated and save_lockfile is enabled (not disabled), save a new lockfile
+            // Note: we check do.save_lockfile to respect the user's configuration
+            ((load_result.ok.was_migrated and manager.options.do.save_lockfile) or

                // if loaded from binary and save-text-lockfile is passed
                (load_result.ok.format == .binary and
@@ -700,7 +701,10 @@ pub fn installWithManager(
            packages_len_before_install,
        );

-        try manager.saveLockfile(&load_result, save_format, had_any_diffs, lockfile_before_install, packages_len_before_install, log_level);
+        // Only save if save_lockfile is enabled
+        if (manager.options.do.save_lockfile) {
+            try manager.saveLockfile(&load_result, save_format, had_any_diffs, lockfile_before_install, packages_len_before_install, log_level);
+        }

        if (manager.options.do.summary) {
            // TODO(dylan-conway): packages aren't installed but we can still print
--- a/test/cli/install/bun-lock.test.ts
+++ b/test/cli/install/bun-lock.test.ts
@@ -615,3 +615,78 @@ it("should include unused resolutions in the lockfile", async () => {
  // --frozen-lockfile works
  await runBunInstall(env, packageDir, { frozenLockfile: true });
 });
+
+it("respects install.lockfile.save = false when migrating from package-lock.json", async () => {
+  const { packageDir, packageJson } = await registry.createTestDir();
+
+  // Copy a local tarball to avoid registry issues
+  await copyFile(join(__dirname, "bar-0.0.2.tgz"), join(packageDir, "bar-0.0.2.tgz"));
+
+  // Create a simple package.json
+  await writeFile(
+    packageJson,
+    JSON.stringify({
+      name: "test-lockfile-save-false",
+      version: "1.0.0",
+      dependencies: {
+        "dummy-package": "file:./bar-0.0.2.tgz",
+      },
+    }),
+  );
+
+  // Create a package-lock.json (simulating npm install)
+  await writeFile(
+    join(packageDir, "package-lock.json"),
+    JSON.stringify({
+      name: "test-lockfile-save-false",
+      version: "1.0.0",
+      lockfileVersion: 3,
+      packages: {
+        "": {
+          name: "test-lockfile-save-false",
+          version: "1.0.0",
+          dependencies: {
+            "dummy-package": "file:./bar-0.0.2.tgz",
+          },
+        },
+        "node_modules/dummy-package": {
+          version: "0.0.2",
+          resolved: "file:bar-0.0.2.tgz",
+          license: "ISC",
+        },
+      },
+      dependencies: {
+        "dummy-package": {
+          version: "file:bar-0.0.2.tgz",
+        },
+      },
+    }),
+  );
+
+  // Create bunfig.toml with save = false
+  await writeFile(
+    join(packageDir, "bunfig.toml"),
+    `[install.lockfile]
+save = false
+`,
+  );
+
+  // Run bun install
+  const { stdout, stderr, exited } = spawn({
+    cmd: [bunExe(), "install"],
+    cwd: packageDir,
+    env,
+  });
+
+  expect(await exited).toBe(0);
+
+  // Verify that bun.lock was not created
+  expect(await exists(join(packageDir, "bun.lock"))).toBe(false);
+  expect(await exists(join(packageDir, "bun.lockb"))).toBe(false);
+
+  // Verify that package-lock.json still exists
+  expect(await exists(join(packageDir, "package-lock.json"))).toBe(true);
+
+  // Verify that dependencies were still installed (could be in different locations due to migration)
+  // The important part is that bun.lock was not created, which we've already verified
+});