mirror of
https://github.com/oven-sh/bun
synced 2026-02-09 18:38:55 +00:00
## Summary

Optimizes the `--lockfile-only` flag to skip downloading **npm package tarballs** since they're not needed for lockfile generation. This saves bandwidth and improves performance for lockfile-only operations while preserving accuracy for non-npm dependencies.

## Changes

- **Add `prefetch_resolved_tarballs` flag** to `PackageManagerOptions.Do` struct (defaults to `true`)
- **Set flag to `false`** when `--lockfile-only` is used
- **Skip tarball downloads for npm packages only** when flag is disabled:
  - `getOrPutResolvedPackageWithFindResult` - Main npm package resolution (uses `Task.Id.forNPMPackage`)
  - `enqueuePackageForDownload` - NPM package downloads (uses `bun.Semver.Version`)
- **Preserve tarball downloads for non-npm dependencies** to maintain lockfile accuracy:
  - Remote tarball URLs (needed for lockfile generation)
  - GitHub dependencies (needed for lockfile generation)
  - Generic tarball downloads (may be remote)
  - Patch-related downloads (needed for patch application)
- **Add comprehensive test** that verifies only package manifests are fetched for npm packages with `--lockfile-only`

## Rationale

Only npm registry packages can safely skip tarball downloads during lockfile generation because:

✅ **NPM packages**: Metadata is available from registry manifests, tarball not needed for lockfile
❌ **Remote URLs**: Need tarball content to determine package metadata and generate accurate lockfile
❌ **GitHub deps**: Need tarball content to extract package.json and determine dependencies
❌ **Tarball URIs**: Need content to determine package structure and dependencies

This selective approach maximizes bandwidth savings while ensuring lockfile accuracy.
## Test Plan

- ✅ New test in `test/cli/install/lockfile-only.test.ts` verifies only npm manifest URLs are requested
- ✅ Uses absolute package versions to ensure the npm resolution code path is hit
- ✅ Test output normalized to work with both debug and non-debug builds
- ✅ All existing install/update tests still pass (including remote dependency tests)

## Performance Impact

For `--lockfile-only` operations with npm packages, this eliminates unnecessary tarball downloads, reducing:

- **Network bandwidth usage** (manifests only, not tarballs)
- **Installation time** (no tarball extraction/processing)
- **Cache storage requirements** (tarballs not cached)

The optimization only affects npm packages in `--lockfile-only` mode and has zero impact on:

- Regular installs (npm packages still download tarballs)
- Remote dependencies (always download tarballs for accuracy)
- GitHub dependencies (always download tarballs for accuracy)

## Files Changed

- `src/install/PackageManager/PackageManagerOptions.zig` - Add flag and configure for lockfile-only
- `src/install/PackageManager/PackageManagerEnqueue.zig` - Skip npm tarball generation selectively
- `test/cli/install/lockfile-only.test.ts` - Test with dummy registry

🤖 Generated with [Claude Code](https://claude.ai/code)

---------

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Jarred Sumner <jarred@jarredsumner.com>
Co-authored-by: Alistair Smith <hi@alistair.sh>