fix installing dependencies that match workspace versions (#6494)

* check if dependency matches workspace version

* test

* Update lockfile.zig

* set resolution to workspace package id

4 files changed, 64 insertions, 2 deletions

diff --git a/src/install/install.zig b/src/install/install.zig
index 0c2f8d2e1..c52b4bfa8 100644
--- a/src/install/install.zig
+++ b/src/install/install.zig
@@ -2666,7 +2666,7 @@ pub const PackageManager = struct {
             .npm, .dist_tag => {
                 if (version.tag == .npm) {
                     if (this.lockfile.workspace_versions.count() > 0) resolve_from_workspace: {
-                        if (this.lockfile.workspace_versions.get(@truncate(name_hash))) |workspace_version| {
+                        if (this.lockfile.workspace_versions.get(name_hash)) |workspace_version| {
                             if (version.value.npm.version.satisfies(workspace_version)) {
                                 const root_package = this.lockfile.rootPackage() orelse break :resolve_from_workspace;
                                 const root_dependencies = root_package.dependencies.get(this.lockfile.buffers.dependencies.items);
@@ -2674,6 +2674,8 @@ pub const PackageManager = struct {
 
                                 for (root_dependencies, root_resolutions) |root_dep, workspace_package_id| {
                                     if (workspace_package_id != invalid_package_id and root_dep.version.tag == .workspace and root_dep.name_hash == name_hash) {
+                                        // make sure verifyResolutions sees this resolution as a valid package id
+                                        this.lockfile.buffers.resolutions.items[dependency_id] = workspace_package_id;
                                         return .{
                                             .package = this.lockfile.packages.get(workspace_package_id),
                                             .is_first_time = false,
diff --git a/src/install/lockfile.zig b/src/install/lockfile.zig
index c1904e962..834846768 100644
--- a/src/install/lockfile.zig
+++ b/src/install/lockfile.zig
@@ -1538,7 +1538,7 @@ pub fn verifyResolutions(this: *Lockfile, local_features: Features, remote_featu
         for (resolution_list.get(resolutions_buffer), dependency_list.get(dependencies_buffer)) |package_id, failed_dep| {
             if (package_id < end) continue;
             if (failed_dep.behavior.isPeer() or !failed_dep.behavior.isEnabled(
-                if (root_list.contains(@as(PackageID, @truncate(parent_id))))
+                if (root_list.contains(@truncate(parent_id)))
                     local_features
                 else
                     remote_features,
diff --git a/test/cli/install/bun-install.test.ts b/test/cli/install/bun-install.test.ts
index 46e4a1ca2..e41aa7743 100644
--- a/test/cli/install/bun-install.test.ts
+++ b/test/cli/install/bun-install.test.ts
@@ -1503,6 +1503,66 @@ it("should handle ^0.0.2 in dependencies", async () => {
   await access(join(package_dir, "bun.lockb"));
 });
 
+it("should handle matching workspaces from dependencies", async () => {
+  const urls: string[] = [];
+  setHandler(
+    dummyRegistry(urls, {
+      "0.2.0": { as: "0.2.0" },
+    }),
+  );
+  await writeFile(
+    join(package_dir, "package.json"),
+    JSON.stringify({
+      name: "foo",
+      version: "0.0.1",
+      workspaces: ["packages/*"],
+    }),
+  );
+  await mkdir(join(package_dir, "packages", "pkg1"), { recursive: true });
+  await mkdir(join(package_dir, "packages", "pkg2"), { recursive: true });
+  await writeFile(
+    join(package_dir, "packages", "pkg1", "package.json"),
+    JSON.stringify({
+      name: "pkg1",
+      version: "0.2.0",
+    }),
+  );
+
+  await writeFile(
+    join(package_dir, "packages", "pkg2", "package.json"),
+    JSON.stringify({
+      name: "pkg2",
+      version: "0.2.0",
+      dependencies: {
+        // moo has a dependency on pkg1 that matches 0.2.0
+        moo: "0.2.0",
+      },
+    }),
+  );
+  const { stdout, stderr, exited } = spawn({
+    cmd: [bunExe(), "install"],
+    cwd: package_dir,
+    stdout: null,
+    stdin: "pipe",
+    stderr: "pipe",
+    env,
+  });
+  expect(stderr).toBeDefined();
+  const err = await new Response(stderr).text();
+  expect(err).not.toContain("error:");
+  expect(err).toContain("Saved lockfile");
+  expect(stdout).toBeDefined();
+  const out = await new Response(stdout).text();
+  expect(out.replace(/\s*\[[0-9\.]+m?s\]\s*$/, "").split(/\r?\n/)).toEqual([
+    " + pkg1@workspace:packages/pkg1",
+    " + pkg2@workspace:packages/pkg2",
+    "",
+    " 3 packages installed",
+  ]);
+  expect(await exited).toBe(0);
+  await access(join(package_dir, "bun.lockb"));
+});
+
 it("should edit package json correctly with git dependencies", async () => {
   const urls: string[] = [];
   setHandler(dummyRegistry(urls));
diff --git a/test/cli/install/moo-0.2.0.tgz b/test/cli/install/moo-0.2.0.tgz
new file mode 100644
index 000000000..a920e6e24
--- /dev/null
+++ b/test/cli/install/moo-0.2.0.tgz