fix(bun): error on mismatched checksums

Author: chris-olszewski

crates/turborepo-lockfiles/src/bun/de.rs

@@ -50,13 +50,17 @@ impl<'de> Deserialize<'de> for PackageEntry {
             .pop_front()
             .and_then(val_to_info)
             .or_else(|| vals.pop_front().and_then(val_to_info));
+        let checksum = vals.pop_front().and_then(|val| match val {
+            Vals::Str(sha) => Some(sha),
+            Vals::Info(_) => None,
+        });
         Ok(Self {
             ident: key,
             info,
             // The rest are only necessary for serializing a lockfile and aren't needed until adding
             // `prune` support
             registry: None,
-            checksum: None,
+            checksum,
             root: None,
         })
     }
@@ -117,7 +121,7 @@ mod test {
                     .collect(),
                 ..Default::default()
             }),
-            checksum: None,
+            checksum: Some("sha".into()),
             root: None,
         }
     );

crates/turborepo-lockfiles/src/bun/mod.rs

@@ -13,7 +13,7 @@ use crate::Lockfile;
 mod de;
 mod id;
 
-type Map<K, V> = std::collections::HashMap<K, V>;
+type Map<K, V> = std::collections::BTreeMap<K, V>;
 
 #[derive(Debug, thiserror::Error)]
 pub enum Error {
@@ -25,12 +25,18 @@ pub enum Error {
     Print(#[from] biome_formatter::PrintError),
     #[error("Turborepo cannot serialize Bun lockfiles.")]
     NotImplemented,
+    #[error("{ident} had two entries with differing checksums: {sha1}, {sha2}")]
+    MismatchedShas {
+        ident: String,
+        sha1: String,
+        sha2: String,
+    },
 }
 
 #[derive(Debug)]
 pub struct BunLockfile {
     data: BunLockfileData,
-    key_to_entry: Map<String, String>,
+    key_to_entry: HashMap<String, String>,
 }
 
 #[derive(Debug, Deserialize)]
@@ -230,9 +236,22 @@ impl FromStr for BunLockfile {
         .map_err(Error::from)?;
         let strict_json = format.print().map_err(Error::from)?;
         let data: BunLockfileData = serde_json::from_str(strict_json.as_code())?;
-        let mut key_to_entry = Map::new();
+        let mut key_to_entry = HashMap::with_capacity(data.packages.len());
         for (path, info) in data.packages.iter() {
-            key_to_entry.insert(info.ident.clone(), path.clone());
+            if let Some(prev_path) = key_to_entry.insert(info.ident.clone(), path.clone()) {
+                let prev_info = data
+                    .packages
+                    .get(&prev_path)
+                    .expect("we just got this path from the packages list");
+                if prev_info.checksum != info.checksum {
+                    return Err(Error::MismatchedShas {
+                        ident: info.ident.clone(),
+                        sha1: prev_info.checksum.clone().unwrap_or_default(),
+                        sha2: info.checksum.clone().unwrap_or_default(),
+                    }
+                    .into());
+                }
+            }
         }
         Ok(Self { data, key_to_entry })
     }
@@ -264,6 +283,7 @@ impl PackageInfo {
 #[cfg(test)]
 mod test {
     use pretty_assertions::assert_eq;
+    use serde_json::json;
     use test_case::test_case;
 
     use super::*;
@@ -298,10 +318,13 @@ mod test {
         "validate-npm-package-name",
     ]
     .as_slice();
+    // Both @turbo/gen and log-symbols depend on the same version of chalk
+    // log-symbols version wins out, but this is okay since they are the same exact
+    // version of chalk.
     const TURBO_GEN_CHALK_DEPS: &[&str] = [
-        "@turbo/gen/chalk/ansi-styles",
-        "@turbo/gen/chalk/escape-string-regexp",
-        "@turbo/gen/chalk/supports-color",
+        "log-symbols/chalk/ansi-styles",
+        "log-symbols/chalk/escape-string-regexp",
+        "log-symbols/chalk/supports-color",
     ]
     .as_slice();
     const CHALK_DEPS: &[&str] = ["ansi-styles", "supports-color"].as_slice();
@@ -336,4 +359,29 @@ mod test {
             crate::Package::new("[email protected]", "3.0.0+patches/[email protected]")
         );
     }
+
+    #[test]
+    fn test_failure_if_mismatched_keys() {
+        let contents = serde_json::to_string(&json!({
+            "lockfileVersion": 0,
+            "workspaces": {
+                "": {
+                    "name": "test",
+                    "dependencies": {
+                        "foo": "^1.0.0",
+                        "bar": "^1.0.0",
+                    }
+                }
+            },
+            "packages": {
+                "bar": ["[email protected]", { "dependencies": { "shared": "^1.0.0" } }, "sha512-goodbye"],
+                "bar/shared": ["[email protected]", {}, "sha512-bar"],
+                "foo": ["[email protected]", { "dependencies": { "shared": "^1.0.0" } }, "sha512-hello"],
+                "foo/shared": ["[email protected]", { }, "sha512-foo"],
+            }
+        }))
+        .unwrap();
+        let lockfile = BunLockfile::from_str(&contents);
+        assert!(lockfile.is_err(), "matching packages have differing shas");
+    }
 }