fix(lambda-nodejs): do not require a frozen lockfile for bun

[blimmer]

Issue #32906

Closes #32906.

Reason for this change

When I implemented bun support, I accidentally used --frozen-lockfile, which caused issues when the lockfile contained additional entries other than what's being bundled in the docker container.

The issue has a small repro-case.

Description of changes

I removed the --frozen-lockfile flag, which resolved the problem.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

I added an additional package to the bun.lockb file in the integration test. This caused the issue to occur in the test suite. Once I made the changes in this PR, the test started passing again.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[blimmer]

Just bumped this to make the PR linter happy and to force re-run the integration test.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.21%. Comparing base (878ad54) to head (3098560).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #32908   +/-   ##
=======================================
  Coverage   82.21%   82.21%           
=======================================
  Files         119      119           
  Lines        6876     6876           
  Branches     1162     1162           
=======================================
  Hits         5653     5653           
  Misses       1120     1120           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.21% <ø> (ø)

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[blimmer]

cc @rix0rrr - I see that you were working with this setup in #33022. Does this setup seem reasonable to you? I need to make sure that the lockfile will be modified during bundling to avoid the origin issue this PR fixes.

[rix0rrr]

Hey @blimmer,

It seems as reasonable as anything. I honestly don't quite know what the best way is to go about updating this test, I know it gave me a lot of grief in my previous PR.

I confess I haven't dived into the possible solutions too deeply, so you have more context than I do on this right now. If you think this is the way to go, I'll happily give it a shot!

[blimmer]

Gotcha. I TDD'ed this, and before my change, this test was broken. So I think this is as good as anything 👍

[blimmer]

It looks like the codecoverage collection step is failing on all PRs right now.

[samson-keung]

@blimmer Thanks for continuing to work on this. I am not familiar with bun so I have a few questions hoping you can help.

1. It seems that bun is in early stage and looks like they changed the lockfile to be text based now (bun's blog). As they evolve, I expect more changes like these in the future. Should we mark bun support in CDK as experimental for now? Because otherwise, we will have to maintain backward compatibility for old bun behaviour.
2. Will removing --frozen-lockfile have impact to CDK users who rely on or expects having --frozen-lockfile on? I see @suds-sky was interested in the original bun support feature requests. @suds-sky maybe you would have some input as well? I worry about this being a potential breaking change.

[blimmer]

Hey @samson-keung - thank you for your review.

Experimental?

It seems that bun is in early stage and looks like they changed the lockfile to be text based now (bun's blog). As they evolve, I expect more changes like these in the future. Should we mark bun support in CDK as experimental for now? Because otherwise, we will have to maintain backward compatibility for old bun behaviour.

Yes, bun is evolving rapidly. I filed #33270 a while back to support the text-based lockfile. From the linked blog:

We're planning to make bun.lock the default in Bun v1.2.0. In the meantime, we continue to support the binary bun.lockb format and will do so for awhile.

So it sounds like, for proper CDK support, we'd want to identify and support both. I did not tackle that as part of this PR, though, since it would increase scope and the behavior today is broken for most people.

I'm not very familiar with experimental features, so I'm open to additional ideas/discussion of this!

Affecting Existing Users?

Will removing --frozen-lockfile have impact to CDK users who rely on or expects having --frozen-lockfile on? I see @suds-sky was interested in the original bun support feature requests. @suds-sky maybe you would have some input as well? I worry about this being a potential breaking change.

I feel confident that this is not a breaking change for existing users of this feature. This bug is caused by having a package.json/bun.lockb file with additional packages from what's being bundled in-container via the nodeModules property.

When a nodeModules array is passed, this logic executes:

aws-cdk/packages/aws-cdk-lib/aws-lambda-nodejs/lib/bundling.ts

Lines 285 to 294 in 7538a84

	// Create dummy package.json, copy lock file if any and then install
	depsCommand = chain([
	isPnpm ? osCommand.write(pathJoin(options.outputDir, 'pnpm-workspace.yaml'), ''): '', // Ensure node_modules directory is installed locally by creating local 'pnpm-workspace.yaml' file
	osCommand.writeJson(pathJoin(options.outputDir, 'package.json'), { dependencies }),
	osCommand.copy(lockFilePath, pathJoin(options.outputDir, this.packageManager.lockFile)),
	osCommand.changeDirectory(options.outputDir),
	this.packageManager.installCommand.join(' '),
	isPnpm ? osCommand.remove(pathJoin(options.outputDir, 'node_modules', '.modules.yaml'), true) : '', // Remove '.modules.yaml' file which changes on each deployment
	isBun ? osCommand.removeDir(pathJoin(options.outputDir, 'node_modules', '.cache')) : '', // Remove node_modules/.cache folder since you can't disable its creation
	]);

As part of that logic, the lockfile is copied over, and bun install <packagename> is run. But, because the lockfile contains other dependencies, the error is thrown.

This is why we don't enforce a frozen lockfile on any other package managers.

So, the only way this feature would have worked for existing users is if:

a) they didn't specify any nodeModules, or;
b) their lockfile only contained the packages passed as nodeModules.

Therefore, I think it's OK to make this change without breaking existing users.

[samson-keung]

Experimental?

Thank you for sharing your thoughts. I don't have historical context on how CDK typically add experimental features either. I will check with the team. But this shouldn't be a blocker on this PR.

Affecting Existing Users?

Thank you for the clear explanation so I can understand how this part work! I agree that it shouldn't be a breaking change.

Pull request has been modified.

[samson-keung]

Experimental?

Thank you for sharing your thoughts. I don't have historical context on how CDK typically add experimental features either. I will check with the team. But this shouldn't be a blocker on this PR.

Affecting Existing Users?

Thank you for the clear explanation so I can understand how this part work! I agree that it shouldn't be a breaking change.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 3098560
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.