Support nested "resolutions" / "overrides"

[soneymathew]

What version of Bun is running?

1.0.6+969da088f5db3258a803ec186012e30f992829b4

What platform is your computer?

Darwin 23.0.0 arm64 arm

What steps can reproduce the bug?

in package.json add nested resolutions

example from a package.json that failed bun install

 "resolutions" : {
          "**/@myscope/pkg1/**/@anotherscope/pkg2": "187.8.3",
        "**/@myscope/pkg3/**/@emotion/react": "11.10.6",
        "**/@myscope/pkg4/**/@myscope/pkg5": "3.0.3",
        "**/jest-environment-enzyme/jest-environment-jsdom": "^28.0.0",
        "@myscope/pkg6/**/@anotherscope/pkg7": "^10.6.0",
        "@types/webpack-dev-server/**/webpack": "^4.44.1",
        "apollo/moment": "^2.29.4"
 }

What is the expected behavior?

bun install should succeed without errors

What do you see instead?

I see

warn: Bun currently does not support nested "resolutions"

Additional information

No response

[rostero1]

This would be helpful in mitigating findings from security scans, where the immediate dependency may not have the fix, but I know I can safely bump the nested dependency.

[ivanabrkic]

+1

[gerardmarquinarubio]

+1

Currently pdfjs-dist can't be used with bun because it doesn't support node_module_register and therefore canvas. This could be solved if we bun add canvas@npm:@napi-rs/canvas and:

"overrides": {
  "pdfjs-dist": {
      "canvas": "$canvas"
    }
}

I'm sure many other packages would benefit from nested overrides, especially in cases where there is a dependency that's not yet supported by bun but that has other dependencies that mimic the api but don't depend on node-specific functionality.

For others with a similar problem for now I had to:

1. bun add canvas@npm:@napi-rs/canvas
2. rsync -a --delete node_modules/canvas/ node_modules/pdfjs-dist/node_modules/canvas

I added the second command to the "postinstall" script to make it something reproducible.

[sainjay]

+1

warn: Bun currently does not support nested "overrides"

[jebarpg]

Is there any work being done on this yet?

[Jarred-Sumner]

Currently pdfjs-dist can't be used with bun because it doesn't support node_module_register and therefore canvas. This could be solved if we bun add canvas@npm:@napi-rs/canvas

@gerardmarquinarubio as of Bun v1.1.13, you can do this as an alternative to nested overrides for that specific scenario:

"overrides": {
   "canvas": "npm:@napi-rs/canvas@latest"
}

This installs @napi-rs/canvas into node_modules/canvas. This is not nested overrides, as nested overrides supports only applying to a specific dependency - this applies everywhere.

[gerardmarquinarubio]

Currently pdfjs-dist can't be used with bun because it doesn't support node_module_register and therefore canvas. This could be solved if we bun add canvas@npm:@napi-rs/canvas

@gerardmarquinarubio as of Bun v1.1.13, you can do this as an alternative to nested overrides for that specific scenario:

"overrides": {
   "canvas": "npm:@napi-rs/canvas@latest"
}

This installs @napi-rs/canvas into node_modules/canvas. This is not nested overrides, as nested overrides supports only applying to a specific dependency - this applies everywhere.

I see, totally missed it from the docs:

Add bar to the "overrides" field in package.json. Bun will defer to the specified version range when determining which version of bar to install, whether it's a dependency or a metadependency.

Didn't cross my mind that "metadependency" refers to dependencies of dependencies, but it totally makes sense.

[ljharb]

The typical term for that is “transitive dependency”, fwiw.

[Sliov]

We're facing difficulties with the latest Next 15 release & bun as a package manager, as most react/next related dependencies still use React 18, there's no current way for us to pin React 19 as a nested resolution.

Is it still planned for Q4?

[diavrank]

Same issue on Nestjs app, with docusign-esign/**/cookiejar and @temporalio/interceptors-opentelemetry/**/@opentelemetry/resources resolutions

[DaniGuardiola]

To add a use case, this is currently a blocker for Ariakit to migrate to Bun as pm and script & dev server runner. It's necessary because Ariakit tests @wordpress/components with depends on Ariakit, and tests against the local repo version (file: protocol). See ariakit/ariakit#4350 (comment)

Would love to see this land!