Changelog

oven-sh/bun · 11 commits

Security fixes and crash hardening

Bun fixes a TLS hostname-verification bypass, plus several crashes and double-free bugs in string decoding, websockets, and socket cleanup.

TLS hostname verification now runs for tls.connect({host, port}) (Jarred-Sumner, 75e94b0)

tls.connect skipped checkServerIdentity entirely when servername was omitted, so any CA-signed certificate, including one an attacker controls for a different name, could be accepted as trusted for the connection. The fix derives the hostname to verify from servername, falling back to the connection host, rejects IP literals as SNI values, and updates tests to cover the verification path.

StringDecoder no longer segfaults on oversized output (robobun, ad909ae)

StringDecoder.write() could crash when decoding produced a string larger than JSC's max string length and the internal encoder returned an exception instead of a value. This change propagates failures safely instead of treating them like an empty result, closing a memory-safety bug in a common Node API.

WebSocket proxy close re-entrancy double-free fixed (dylan-conway, 8e65e47)

Closing a wss:// socket mid-handshake through an HTTP CONNECT proxy could re-enter cleanup and free proxy state twice. Bun now detaches the tunnel's back-reference before shutdown and adds a regression test that stresses the race.

Runtime transpiler job dispatch stops touching freed state (dylan-conway, d81b0ca)

The transpiler job now snapshots its VM/store references before queueing work to the main thread, so it no longer touches state that may already have been freed once the job has been handed off. This is a targeted concurrency fix for a cross-thread lifecycle hazard.

uSockets snapshot prevents loop dereference after unref (cirospaciari, 775a368)

us_connecting_socket_free() now saves the loop pointer before unlinking the context, so cleanup no longer dereferences a possibly-freed context. It's a small hardening fix for a crashy socket teardown path.

Other misc changes

  • Build script revert: gate parallel Zig compiler back to darwin-only (alii, ccfe269)
  • Build/tooling tweaks: Zig commit bump and Rust cargo --locked pinning (alii, 4c90617; ant-kurt, f0c014a)
  • PR comments script/docs cleanup and output format changes (Jarred-Sumner, 534982b; alii, a1d1af9)
  • Release/version bump to 1.3.13 (dylan-conway, a6ef65c)