fix(lockfile): set back versions to the actual latest one in the lockfile #29079

Open
lorypelli wants to merge 3 commits into oven-sh:main from lorypelli:fix-bun-update
@lorypelli

This pull request adds logic to the cleanWithLogger function in src/install/lockfile.zig to improve how dependency versions are recorded during a bun update --latest operation. Now, when updating all dependencies to their latest versions, version literals like "latest" are replaced with the actual resolved versions (e.g., ^19.0.0). This ensures the lockfile contains explicit version numbers instead of vague references.

Dependency update improvements:

  • When running bun update --latest without specifying packages, the lockfile now records the resolved version (e.g., ^19.0.0) instead of "latest" for each dependency, making version tracking more accurate and explicit.

Contributor

@claude claude bot left a comment

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

@coderabbitai
Contributor

coderabbitai bot commented Apr 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f3053386-c0ad-4f56-8c3d-9399faab8868

📥 Commits

Reviewing files that changed from the base of the PR and between 85c7598 and 8b551e6.

📒 Files selected for processing (2)
  • src/install/lockfile.zig
  • test/cli/install/bun-install-registry.test.ts

Walkthrough

When running bun update --latest with no explicit package args and some packages updating, the cleanWithLogger path now rewrites workspace dependency version literals in the cloned lockfile: it computes resolved semver strings (respecting exact_versions and alias prefixes) and reparses/assigns updated Dependency objects for workspace deps.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Lockfile rewrite logic: src/install/lockfile.zig | Added logic in cleanWithLogger to iterate workspace dependencies whose resolutions are npm-based, derive resolved version literals from lockfile resolutions (respecting exact_versions, ~/^ pin styles, and patch-exact), reconstruct alias forms when present, re-parse into Dependency and assign back to ws_dep.version. |
| Regression tests for update --latest: test/cli/install/bun-install-registry.test.ts | Added three bun update --latest regression tests exercising: converting "latest" to resolved range in package.json and text lockfile, preserving existing pin styles (~/^) in package.json while updating lockfile, and handling aliased deps (e.g. npm:name@latest → npm:name@^x.y.z). |

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: setting versions to actual resolved ones in the lockfile during bun update --latest operations. |
| Description check | ✅ Passed | The description adequately covers what the PR does and includes key improvement details, though verification steps are minimal. |

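The rewrite rule discussed in the description and walkthrough above, as an added JavaScript sketch that is not part of this PR and not Bun's Zig implementation. All function names are hypothetical; it assumes that `~` pins are kept, that exact mode drops the range operator, and that everything else becomes a `^` range, and it does not model the "patch-exact" case.

```javascript
// Added illustration (not Bun's code); every name here is hypothetical.
const TAG = /^(?!x$|v\d)[a-z][\w.-]*$/i; // bare word such as "latest" or "next"

// Split "npm:name@range" into its alias prefix and the range part.
function splitAlias(literal) {
  if (!literal.startsWith("npm:")) return { prefix: "", range: literal };
  // A scoped name starts with "@" at index 4, so look for the separator later.
  const at = literal.indexOf("@", 5);
  if (at === -1) return { prefix: literal + "@", range: "" };
  return { prefix: literal.slice(0, at + 1), range: literal.slice(at + 1) };
}

// Build the literal to record once `resolved` is known.
function rewriteLiteral(literal, resolved, { exact = false } = {}) {
  if (!/^\d+\.\d+\.\d+/.test(resolved)) {
    throw new Error(`not a concrete version: ${resolved}`);
  }
  const { prefix, range } = splitAlias(literal.trim());
  // Assumption: "~" is kept, exact mode drops the operator, otherwise "^".
  const pin = exact ? "" : range.startsWith("~") ? "~" : "^";
  return prefix + pin + resolved;
}

// Names whose spec is still a dist-tag, i.e. not reproducible from the file.
function floatingSpecs(deps) {
  return Object.keys(deps).filter((name) => {
    const { range } = splitAlias(deps[name]);
    return range === "" || TAG.test(range);
  });
}

// Rewrite every dependency that has a resolution; leave the rest untouched.
function rewriteManifest(deps, resolutions, opts) {
  const out = {};
  for (const [name, literal] of Object.entries(deps)) {
    out[name] = name in resolutions
      ? rewriteLiteral(literal, resolutions[name], opts) : literal;
  }
  return out;
}

// Constructed sample input.
const deps = { react: "latest", lodash: "~4.17.0",
  alias: "npm:@scope/pkg@latest", local: "workspace:*" };
const resolved = { react: "19.0.0", lodash: "4.17.21", alias: "2.1.0" };
console.log(floatingSpecs(deps), rewriteManifest(deps, resolved));
```

Running `floatingSpecs` over a manifest before and after the rewrite is a quick check that no dist-tag survives in the recorded dependency specs.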

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/install/lockfile.zig`:
- Around line 847-881: The code only replaces ws_dep.version.literal leaving the
parsed Dependency.Version stale and leaking allocPrint buffers; fix by mirroring
preprocessUpdateRequests(): build the final version string into a temporary
stack/StringBuilder (use string_buf_alloc or a stack buffer), append that slice
into new.buffers.string_bytes via string_buf_alloc.append (so ownership is
tracked), then set ws_dep.version = Dependency.parse(the_appended_slice) instead
of only assigning ws_dep.version.literal; ensure you stop using the raw
allocPrint results (don't keep pointers to their buffers) so they aren't leaked
and the in-memory parsed state (latest/dist-tag/range) is updated correctly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3a56f278-b332-48c4-b613-226cdd67e58d

📥 Commits

Reviewing files that changed from the base of the PR and between 700fc11 and 85c7598.

📒 Files selected for processing (1)
  • src/install/lockfile.zig

@lorypelli
Author

@coderabbitai review

@coderabbitai
Contributor

coderabbitai bot commented Apr 9, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@lorypelli
Author

@claude review
