Should bun.lockb file be versioned?


I'm migrating a Laravel+Sail project to use bun instead of nodejs.

According to the Bun docs, after running bun i, a binary lockfile named bun.lockb (similar to yarn.lock) is created to increase performance. Should I add this file to my .gitignore file?


Alessandro Jin On

Versioning the bun.lockb file is useful if you need to ensure reproducible dependencies on install.

Reusing the example of @Joachim Bauer, imagine having a dependency like foo = ^3.0.0 (so latest minor release) and a CI/CD pipeline that installs and builds it every time. If the foo repo suddenly upgrades, it will install a new version of that dependency, possibly resulting in some new bugs because you referenced the old version when developing.

But maybe you don't want to avoid using the ^ character, so you don't have to check for updates manually. Bun has the --frozen-lockfile option on the install command, so it will retrieve the exact version in the bun.lockb file to ensure the dependencies you worked with when developing.
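The drift described in this answer, as an added example that is not part of the original post or Bun's own code: a simplified model of caret resolution with and without a pinned lock. The registry contents, the lock object and all function names are constructed for illustration.

```javascript
// Added example: why a floating ^ range drifts in CI and how a committed lock pins it.
// The package "foo", the published versions and the lock object are constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are out of scope here).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret semantics: changes are allowed to the right of the left-most non-zero part.
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  const [M, m, p] = parse(base);
  const upper = M > 0 ? `${M + 1}.0.0` : m > 0 ? `0.${m + 1}.0` : `0.0.${p + 1}`;
  return compare(version, base) >= 0 && compare(version, upper) < 0;
}

// Without a lockfile: take the highest published version inside the range.
function resolveFloating(range, published) {
  const ok = published.filter((v) => satisfiesCaret(v, range)).sort(compare);
  if (ok.length === 0) throw new Error(`nothing satisfies ${range}`);
  return ok[ok.length - 1];
}

// Frozen install (simplified model): use the locked version, and fail instead of
// silently re-resolving when the manifest range and the lock disagree.
function resolveFrozen(name, range, lock) {
  const pinned = lock[name];
  if (!pinned) throw new Error(`${name} missing from lockfile`);
  if (!satisfiesCaret(pinned, range)) throw new Error(`lockfile out of date for ${name}`);
  return pinned;
}

const lock = { foo: "3.0.0" };                            // what you developed against
const onDevDay = ["2.9.0", "3.0.0"];                      // registry when you developed
const onCiDay = [...onDevDay, "3.1.0", "3.4.2", "4.0.0"]; // upstream published more

console.log(resolveFloating("^3.0.0", onDevDay));  // matches the lock
console.log(resolveFloating("^3.0.0", onCiDay));   // drifts to a newer 3.x release
console.log(resolveFrozen("foo", "^3.0.0", lock)); // stays on the locked version
```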

SirDorius On

It should if you want reproducible builds, which you probably do for any big project. For small experiments you don't really need it. The bun documentation you linked to also has steps explaining how to configure your local git to properly show diffs for it.

Whether it is a good idea to version a binary file is another topic. The diff would not display on GitHub and versioning a binary file that changes often might lead to a big increase in the repository size, depending on how stable the changes to the file are and how efficiently it can be compressed - a topic which is not mentioned at all in the bun docs.

To stay on the safe side until you're sure that bun.lockb won't bloat your repository, you could opt out of the bun binary lock and use the yarn text lock, but I haven't tried it.

Edit: I did a quick test with bun lockfile vs pnpm lockfile on a project with around 900 packages installed (basically a modern javascript hello world). These are the sizes it generated.

100866 bun-both.7z
100620 bun-old.7z
 84577 pnpm-both.7z
 82288 pnpm-old.7z

The -old file is the initial compressed lock file. The -both file contains the initial lock + a new lock generated when I update one of the big dependencies in the project (Vite). The initial bun binary is larger, but when compressed it adds less to the overall size. So it seems to not be as bad as I initially thought.