Changelog

oven-sh/bun · 40 commits

Security, TLS, and install fixes land

Several high-impact fixes: TLS cert handling, path overflow hardening, WebSocket handshake validation, zlib bounds checks, and install/CLI correctness.

TLS getPeerCertificate() now matches Node and avoids handshake crashes (robobun 2cae6c3)

TLSSocket.prototype.getPeerCertificate() now returns {} when a TLS handle exists but no peer cert is available, and null only when there is no handle. The TLS handshake paths also gained a null guard before checkServerIdentity(), fixing a crash during certificate verification.

Path resolution no longer overflows fixed-size buffers (robobun 04eaa6c)

path.resolve, path.relative, and path.toNamespacedPath now size their work buffers with the current CWD and worst-case expansion in mind. This closes a heap overflow that could lead to nondeterministic segfaults on long relative paths.

WebSocket clients now validate Sec-WebSocket-Accept (robobun 3101b80)

The upgrade handshake now checks the server’s Sec-WebSocket-Accept against the expected RFC 6455 value, instead of only checking that the header exists. That prevents stale or mismatched 101 responses from being accepted as valid upgrades.

Native zlib bindings now enforce bounds and argument validation (robobun 8501392)

The native write()/writeSync() paths replace bun.assert() checks with real runtime errors for invalid flush values, buffer types, and slice bounds. That turns a release-build OOB risk into ordinary JS exceptions.

writeEarlyHints() is hardened against header injection (robobun 9f88b3f)

ServerResponse.prototype.writeEarlyHints now validates both header names and values before serializing the 103 response. This closes a CRLF injection path that could smuggle arbitrary headers.

Shell interpolation and object-reference handling are stricter (robobun 977506c)

Shell lexing and redirection now bound-check JS object references against the actual jsobjs array length, and the sentinel character is treated as special input. This tightens defense-in-depth around shell interpolation with user-controlled references.

Transpiler tsconfig lifetime bugs are fixed (robobun dc31aa1)

Async transform tasks no longer free tsconfig ownership prematurely, and JSTranspiler now cleans it up centrally. This fixes a use-after-free/double-free class of crashes when reusing a transpiler across multiple async and sync transforms.

Install, HTTP, S3, and CLI correctness fixes (robobun e5ac0ee, robobun 553a5e0, robobun 9245860, robobun 5479251, dylan-conway 68d8bb5, robobun 61f3bcb, robobun 106a953, robobun 0e98e44, robobun a393039, dylan-conway cda1e97, robobun cd3f036, robobun f56700f, robobun 668d960, robobun f06119a, robobun ea212ca, robobun c5f0e4a, robobun 3e1e287, robobun bf5025b, robobun 6cb9d5e, robobun 915749f, robobun 488ef6d, robobun f931515, robobun dff7191, robobun 7ef4b1b, Jarred-Sumner 1034fc9, Jarred-Sumner 4de50d2, Jarred-Sumner 226d26f)

Other misc changes

  • Reverted two previously landed fixes: bun default import bytecode handling and direct ReadableStream cancel behavior.
  • Dependency bump: lolhtml to v2.7.2.
  • CI/test harness tweak: use dots reporter in CI to reduce log volume.
  • Docs/type cleanup: bcrypt rounds wording, S3 contentEncoding type, dead feature flag removal, and a no-validate leak snapshot update.
  • Additional bug fixes across install, HTTP/2, dgram, S3 streaming, shell rm, crypto key parsing, CSS, fs path length validation, bundle output URLs, and transpiler decorator parsing.