Not being able to use bun install in large companies

[anru]

What version of Bun is running?

1.1.12

What platform is your computer?

Darwin 23.5.0 x86_64 i386

What steps can reproduce the bug?

1. You need to set the registry setting in bunfig.toml pointing to your own registry (for all packages, no exceptions). In our case it is artifactory, but it doesn't seem to matter much.
2. On a relatively large project execute bun install

What is the expected behavior?

There are no entries in bun.lockdb with registry=registry.npmjs.org. Only with the one specified in bunfig.toml in the install.registry section.

What do you see instead?

With 100% probability there will be several entries in bun.lockdb, which will contain registry=registry.npmjs.org. And this is a blocker for switching to bun in local development and at the pipelines level, taking advantage of its speed advantage as a package manager.

Additional information

I would like to highlight the importance of one issue that prevents bun from being used as a package manager in all large companies and corporations.

The reason is that large companies are security-conscious and use internal package repositories, and not infrequently, they also use network-level blocking of public repositories.

The problem is as follows:

1. You need to set the registry setting in bunfig.toml pointing to your own registry (for all packages, no exceptions). In our case it is artifactory, but it doesn't seem to matter much.
2. On a relatively large project execute bun install
3. With 100% probability there will be several entries in bun.lockdb, which will contain registry=registry.npmjs.org. And it's a blocker to switch to bun, taking advantage of its speed advantage as a package manager.

The nature of the error seems to lie in some tricky race condition, as most entries are created correctly, but a few are bound to end up with the wrong entry, causing those packages to be downloaded from the wrong source, which will simply be unavailable on corporate networks.

Related issues:

• Bun auto-install does not leverage the registry settings from .bunfig.toml #11434
• When using global bunfig.toml, token for custom scoped registry isn't respected #9804
• Can't Install from a private package from registry.npmjs.org #7601
• Cannot install with multiple scopes #6347
• ConnectionRefused: Cannot create app offline or under corporate proxy / firewall #5722
• Reading private registry fails after bun.lockb is created  #5721
• When using bun install --yarn, bun.lockb and yarn.lock start referring to public registry URLs instead of the configured private registry URLs #5370
• bun install incorrectly parses custom registries #5029 (only in the aspect of parsing the registry setting)
• Bun doesn't alway respect bunfig.toml registry configuration #4901

[dylan-conway]

With #11606 merged this will be fixed in v1.1.13. Note that bun.lockb will need to be deleted and regenerated. If you continue have problems please reopen this issue or open a new one.