@HRronaldo

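Fix Issue #26837: in production mode (--production), optional dev peer dependencies are installed by mistake

Problem description

  • With bun install --production, dev dependencies (such as typescript) are still installed into the production environment
  • This makes the package size jump from 75MB to 288MB (as shown in the issue)
  • It affects CI/CD deployment speed and storage cost

Root cause

  • In PackageManagerOptions.zig, the --production flag only sets local_package_features.dev_dependencies = false
  • remote_package_features.dev_dependencies keeps its default value of true
  • This causes the dev dependencies of remote packages to be installed as optional peer dependencies

Fix

  • In the production mode configuration, also set: this.remote_package_features.dev_dependencies = false;
  • Ensure that the dev dependencies of remote packages are not installed in production mode

Verification

  • After the change, a production install no longer includes dev dependencies
  • The package size returns to normal (about 75MB)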

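Fix Issue oven-sh#26837: in production mode (--production),
remote_package_features.dev_dependencies should be set to false,
so that dev dependencies are not installed as optional peer dependencies.

This can significantly reduce the package size of production installs.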
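
An added example (not part of the PR or of Bun's code) of a post-install check for the leak described above: it walks the production dependency graph from the root manifest and reports installed packages that nothing in that graph requires. The function names, the flat name-to-manifest map and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag installed packages that are not reachable from the
// root manifest's production dependency graph.
// Assumption: `installed` maps package name -> its package.json, one version
// per name (a flat node_modules). All sample manifests below are constructed.
function productionClosure(rootManifest, installed) {
  const reachable = new Set();
  const queue = [rootManifest];
  while (queue.length > 0) {
    const manifest = queue.pop();
    const peerMeta = manifest.peerDependenciesMeta || {};
    // Required peers count as production edges. Optional peers do not:
    // they are only expected if some other production edge pulls them in.
    const requiredPeers = Object.keys(manifest.peerDependencies || {})
      .filter((name) => !(peerMeta[name] && peerMeta[name].optional));
    const edges = [
      ...Object.keys(manifest.dependencies || {}),
      ...Object.keys(manifest.optionalDependencies || {}),
      ...requiredPeers,
    ];
    for (const name of edges) {
      if (reachable.has(name) || !installed[name]) continue;
      reachable.add(name);
      queue.push(installed[name]);
    }
  }
  return reachable;
}

// Returns the sorted names of installed packages outside the production graph.
function findDevLeaks(rootManifest, installed) {
  const reachable = productionClosure(rootManifest, installed);
  return Object.keys(installed).filter((name) => !reachable.has(name)).sort();
}

// Constructed sample: "some-lib" lists typescript both as a devDependency and
// as an optional peer (assumed shape of the case in the PR description).
const root = { name: "app", dependencies: { "some-lib": "^1.0.0" }, devDependencies: { eslint: "^9.0.0" } };
const installedSample = {
  "some-lib": {
    name: "some-lib",
    dependencies: { "tiny-dep": "^2.0.0" },
    devDependencies: { typescript: "^5.0.0" },
    peerDependencies: { typescript: "^5.0.0" },
    peerDependenciesMeta: { typescript: { optional: true } },
  },
  "tiny-dep": { name: "tiny-dep" },
  typescript: { name: "typescript" },
};
console.log(findDevLeaks(root, installedSample));
```

In CI the same check can run over the manifests read from node_modules after a production install, failing the build when the returned list is not empty.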

coderabbitai bot commented Feb 9, 2026

Walkthrough

Modified PackageManagerOptions.zig to disable devDependencies for remote packages when production mode is enabled, matching the existing behavior for local packages. This changes the control flow for feature flags during dependency installation.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Production Mode Dependencies: src/install/PackageManager/PackageManagerOptions.zig | Disabled devDependencies for remote packages in production mode alongside existing local package behavior. |
🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title is directly related to the main change: disabling dev dependencies for remote packages in production mode, fixing the issue of unwanted development dependencies in production installations. |
| Description check | ✅ Passed | The description comprehensively covers both required template sections with detailed problem statement, root cause analysis, solution, and verification details. |

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
src/install/PackageManager/PackageManagerOptions.zig (2)

345-353: ⚠️ Potential issue | 🔴 Critical

Incomplete fix: the CLI --production path (lines 623–627) has the same bug.

The config/bunfig production block is now correct, but the CLI production block at lines 623–627 only sets local_package_features.dev_dependencies = false and still omits the remote counterpart. Users passing --production on the command line will still install remote dev dependencies.

Proposed fix
         if (cli.production) {
             this.local_package_features.dev_dependencies = false;
+            this.remote_package_features.dev_dependencies = false;
             this.enable.fail_early = true;
             this.enable.frozen_lockfile = true;
         }
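
Review bot: the added `this.remote_package_features.dev_dependencies = false;` line in the `if (cli.production)` block is the second place where the same pair of flags has to be set by hand, after the config/bunfig production block, and the two blocks have already drifted apart once. Set both flags through one shared helper called from both production paths, and add a regression test that passes --production on the command line and asserts that a remote package's dev dependency is not installed.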

540-545: 🧹 Nitpick | 🔵 Trivial

Consider applying the same fix to the omit.dev path for consistency.

The omit.dev block (equivalent to --omit=dev) only disables local_package_features.dev_dependencies. The existing comment says "remote packages should never install dev dependencies," but the default for remote_package_features.dev_dependencies is false only because of the struct default (line 23-25). If any earlier config path ever sets it to true, this block won't override it. For robustness, consider mirroring the omit.optional / omit.peer pattern and explicitly setting remote here too.

Proposed fix
         if (omit.dev) {
             this.local_package_features.dev_dependencies = false;
-            // remote packages should never install dev dependencies
-            // (TODO: unless git dependency with postinstalls)
+            this.remote_package_features.dev_dependencies = false;
         }
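
Review bot: the two removed comment lines in the `if (omit.dev)` block are the only record of the exception `(TODO: unless git dependency with postinstalls)`, and replacing them with an unconditional `this.remote_package_features.dev_dependencies = false;` rules that case out without saying so. Keep the TODO next to the new assignment, or state in a comment that git dependencies with postinstall scripts are intentionally not given dev dependencies under omit.dev.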
