oven-sh/bun

Make binary intsallation behavior more sensible

cometkim opened this issue · 3 comments

What version of Bun is running?

1.0.9

What platform is your computer?

Linux 6.2.0-36-generic x86_64 x86_64

What steps can reproduce the bug?

bun add vite

# expect this to be failed
bun esbuild --version

bun remove vite

# expect this to be failed
bun esbuild --version

Do same test for global

What is the expected behavior?

Vite package has the vite binary in its manifest, and 3 other binaries esbuild, rollup, nanoid from its transitive dependencies.

Users expect only vite command available after installation, especially when it is for global installation.

What do you see instead?

Bun installs all binaries from transitive dependencies. So vite, esbuild, rollup, nanoid commands are available.

And even Bun doesn't cleanup transitive binaries after uninstalling vite, so even after uninstallation esbuild, rollup, nanoid commands are available. The only option for cleanup is to remove and regenerate node_modules, and this is not possible for global installation.

Additional information

https://gist.github.com/cometkim/eb2842d67b40e583e4886e9b897a6af0

So this does match the behaviour of npm and yarn, but I can see the argument to not do this.

Also, this is seperate bug:

Bun doesn't cleanup transitive binaries after uninstalling

So this does match the behaviour of npm and yarn, but I can see the argument to not do this.

no. yarn and pnpm don't allow execution of binaries from transitive dependencies. Only vite is available when installing Vite.

Yarn and PNPM are intentionally incompatible with NPM's bad behaviors around transitive dependencies

  • It is non-deterministic. When transitive dependencies B and C declare the same bin: foo, which should be resolved?
  • It causes unintended installation by the user. So it could be vulnerable to supply chain attacks.
  • It bloats shell completions. Users will see a list of bins that have never installed.