oven-sh · Advikkhandelwal · Dec 3, 2025 · Dec 3, 2025 · coderabbitai · Dec 3, 2025
diff --git a/src/install/npm.zig b/src/install/npm.zig
@@ -872,13 +872,16 @@ pub const PackageVersion = extern struct {
     /// Unix timestamp when this version was published (0 if unknown)
     publish_timestamp_ms: f64 = 0,
 
+    /// Whether this version is marked as deprecated in the npm registry
+    deprecated: bool = false,
+
     pub fn allDependenciesBundled(this: *const PackageVersion) bool {
         return this.bundled_dependencies.isInvalid();
     }
 };
 
 comptime {
-    if (@sizeOf(Npm.PackageVersion) != 240) {
+    if (@sizeOf(Npm.PackageVersion) != 248) {
         @compileError(std.fmt.comptimePrint("Npm.PackageVersion has unexpected size {d}", .{@sizeOf(Npm.PackageVersion)}));
     }
 }
@@ -935,7 +938,8 @@ pub const PackageManifest = struct {
         // - v0.0.5: added bundled dependencies
         // - v0.0.6: changed semver major/minor/patch to each use u64 instead of u32
         // - v0.0.7: added version publish times and extended manifest flag for minimum release age
-        pub const version = "bun-npm-manifest-cache-v0.0.7\n";
+        // - v0.0.8: added deprecated field for filtering out deprecated package versions
+        pub const version = "bun-npm-manifest-cache-v0.0.8\n";
         const header_bytes: string = "#!/usr/bin/env bun\n" ++ version;
 
         pub const sizes = blk: {
@@ -1498,6 +1502,7 @@ pub const PackageManifest = struct {
     ) ?FindVersionResult {
         var prev_package_blocked_from_age: ?*const PackageVersion = null;
         var best_version: ?FindResult = null;
+        var fallback_deprecated: ?FindResult = null;
 
         const current_timestamp_ms: f64 = @floatFromInt(@divTrunc(bun.start_time, std.time.ns_per_ms));
         const seven_days_ms: f64 = 7 * std.time.ms_per_day;
@@ -1509,6 +1514,18 @@ pub const PackageManifest = struct {
             const version = versions[i];
             if (group.satisfies(version, group_buf, this.string_buf)) {
                 const package = &packages[i];
+
+                // Skip deprecated versions, but keep track as fallback
+                if (package.deprecated) {
+                    if (fallback_deprecated == null) {
+                        fallback_deprecated = .{
+                            .version = version,
+                            .package = package,
+                        };
+                    }
+                    continue;
+                }
+
                 if (isPackageVersionTooRecent(package, minimum_release_age_ms)) {
                     if (newest_filtered.* == null) newest_filtered.* = version;
                     prev_package_blocked_from_age = package;
@@ -1564,6 +1581,19 @@ pub const PackageManifest = struct {
                 return .{ .found = result };
             }
         }
+
+        // If we only found deprecated versions, return the best deprecated one
+        if (fallback_deprecated) |result| {
+            if (newest_filtered.*) |nf| {
+                return .{ .found_with_filter = .{
+                    .result = result,
+                    .newest_filtered = nf,
+                } };
+            } else {
+                return .{ .found = result };
+            }
+        }
+
         return null;
     }
 
@@ -1647,6 +1677,9 @@ pub const PackageManifest = struct {
                 if (!strings.eql(actual_tag, expected_tag)) continue;
             }
 
+            // Skip deprecated versions
+            if (package.deprecated) continue;
+
             if (isPackageVersionTooRecent(package, min_age_ms)) {
                 prev_package_blocked_from_age = package;
                 continue;
@@ -1780,17 +1813,22 @@ pub const PackageManifest = struct {
 
         if (this.findByDistTag("latest")) |result| {
             if (group.satisfies(result.version, group_buf, this.string_buf)) {
-                if (group.flags.isSet(Semver.Query.Group.Flags.pre)) {
-                    if (left.version.order(result.version, group_buf, this.string_buf) == .eq) {
-                        // if prerelease, use latest if semver+tag match range exactly
+                // Skip deprecated latest version if possible
+                if (!result.package.deprecated) {
+                    if (group.flags.isSet(Semver.Query.Group.Flags.pre)) {
+                        if (left.version.order(result.version, group_buf, this.string_buf) == .eq) {
+                            // if prerelease, use latest if semver+tag match range exactly
+                            return result;
+                        }
+                    } else {
                         return result;
                     }
-                } else {
-                    return result;
                 }
             }
         }
 
+        var fallback_deprecated: ?FindResult = null;
+
         {
             // This list is sorted at serialization time.
             const releases = this.pkg.releases.keys.get(this.versions);
@@ -1800,9 +1838,22 @@ pub const PackageManifest = struct {
                 const version = releases[i - 1];
 
                 if (group.satisfies(version, group_buf, this.string_buf)) {
+                    const package = &this.pkg.releases.values.get(this.package_versions)[i - 1];
+
+                    // Skip deprecated versions, but keep track of the first one as fallback
+                    if (package.deprecated) {
+                        if (fallback_deprecated == null) {
+                            fallback_deprecated = .{
+                                .version = version,
+                                .package = package,
+                            };
+                        }
+                        continue;
+                    }
+
                     return .{
                         .version = version,
-                        .package = &this.pkg.releases.values.get(this.package_versions)[i - 1],
+                        .package = package,
                     };
                 }
             }
@@ -1817,15 +1868,29 @@ pub const PackageManifest = struct {
                 // This list is sorted at serialization time.
                 if (group.satisfies(version, group_buf, this.string_buf)) {
                     const packages = this.pkg.prereleases.values.get(this.package_versions);
+                    const package = &packages[i - 1];
+
+                    // Skip deprecated versions, but keep track of the first one as fallback
+                    if (package.deprecated) {
+                        if (fallback_deprecated == null) {
+                            fallback_deprecated = .{
+                                .version = version,
+                                .package = package,
+                            };
+                        }
+                        continue;
+                    }
+
                     return .{
                         .version = version,
-                        .package = &packages[i - 1],
+                        .package = package,
                     };
                 }
             }
         }
 
-        return null;
+        // If we only found deprecated versions, return the best deprecated one
+        return fallback_deprecated;
     }
 
     const ExternalStringMapDeduper = std.HashMap(u64, ExternalStringList, IdentityContext(u64), 80);
@@ -2549,6 +2614,13 @@ pub const PackageManifest = struct {
                         }
                     }
 
+                    // Parse deprecated field
+                    if (prop.value.?.asProperty("deprecated")) |_| {
+                        // If the deprecated field exists (regardless of its value), mark as deprecated
+                        // npm marks packages as deprecated with either a string message or boolean true
+                        package_version.deprecated = true;
+                    }
+
                     if (!parsed_version.version.tag.hasPre()) {
                         release_versions[0] = parsed_version.version.min();
                         versioned_package_releases[0] = package_version;

diff --git a/test/cli/install/bun-install-deprecated.test.ts b/test/cli/install/bun-install-deprecated.test.ts
@@ -0,0 +1,46 @@
+import { test, expect } from "bun:test";
+import { bunExe, bunEnv } from "harness";
+import { join } from "path";
+import { mkdir, writeFile, rm } from "fs/promises";
+
+test("bun install respects deprecated field", async () => {
+  const cwd = join(import.meta.dir, "bun-install-deprecated-" + Date.now());
+  await mkdir(cwd, { recursive: true });
+
+  await writeFile(
+    join(cwd, "package.json"),
+    JSON.stringify({
+      dependencies: {
+        // Use semver range to mirror the original issue:
+        // Stable releases 1.0.0-1.0.3 are deprecated, but prerelease 1.0.0-beta.5 is not
+        // ^1.0.0 should select the non-deprecated prerelease over deprecated stable releases
+        "@mastra/deployer": "^1.0.0",
+      },
+    })
+  );
+
+  const { stdout, stderr, exitCode } = Bun.spawnSync({
+    cmd: [bunExe(), "install"],
+    cwd,
+    env: bunEnv,
+  });
+
+  expect(exitCode).toBe(0);
+
+  // Check installed version of @mastra/server
+  const serverPkgJsonPath = join(cwd, "node_modules", "@mastra", "server", "package.json");
+  const serverPkgJson = await Bun.file(serverPkgJsonPath).json();
+
+  console.log("Installed @mastra/server version:", serverPkgJson.version);
+
+  // Should NOT be 1.0.3 (which is deprecated)
+  expect(serverPkgJson.version).not.toBe("1.0.3");
+
+  // Should be 1.0.0-beta.5 or similar non-deprecated version
+  // We can't strictly assert 1.0.0-beta.5 because newer versions might be released,
+  // but we know 1.0.3 is the problematic deprecated one.
+  // However, based on the issue, 1.0.0-beta.5 is the expected one for that specific deployer version.
+  expect(serverPkgJson.version).toBe("1.0.0-beta.5");
+
+  await rm(cwd, { recursive: true, force: true });
+}, 60000); // Increase timeout for network operations