Changelog

oven-sh/bun · 40 commits

Bun lands HTTP/2, WebSocket, and TLS fixes

A feature-heavy day with security hardening, leak/UAF fixes, and new execve/die-with-parent process controls.

Process execve and die-with-parent land (robobun 6c21a7e, Jarred-Sumner 1c7d60e)

Bun now implements process.execve() for Node compatibility, and adds an opt-in dieWithParent watchdog that exits when the parent dies and kills descendants on shutdown. Together these expand process-management capabilities and improve cleanup behavior in supervisor-style deployments.

HTTP/2 padding parser now rejects malformed frames safely (robobun 837552f)

The HTTP/2 frame parser now validates PADDED DATA and HEADERS frames before subtracting padding, avoiding integer underflow and out-of-bounds reads on malformed peer input. This is a real security hardening fix for network-facing code.
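The check described above, as an added example in C that is not Bun's own code (Bun's HTTP/2 parser is written in Zig): the Pad Length octet is validated against the payload before any subtraction, so a hostile value cannot wrap the remaining-length arithmetic. The constants follow RFC 7540 and the sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <string.h>

#define H2_HDR_LEN 9            /* 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id */
#define H2_TYPE_DATA 0x0
#define H2_TYPE_HEADERS 0x1
#define H2_FLAG_PADDED 0x08
#define H2_FLAG_PRIORITY 0x20

typedef struct { const uint8_t *data; size_t len; } h2_slice;

/* Strip the Pad Length octet, optional priority fields and trailing padding from a
 * DATA or HEADERS payload. Returns 0 and fills *out, or -1 for a PROTOCOL_ERROR. */
static int h2_unpad(uint8_t type, uint8_t flags, const uint8_t *payload,
                    size_t payload_len, h2_slice *out)
{
    size_t fixed = 0, pad_len = 0;   /* fixed: prefix bytes that precede the real content */
    if (type == H2_TYPE_DATA || type == H2_TYPE_HEADERS) {
        if (flags & H2_FLAG_PADDED) {
            if (payload_len < 1) return -1;   /* no room for the Pad Length octet */
            pad_len = payload[0];
            fixed = 1;
        }
        if (type == H2_TYPE_HEADERS && (flags & H2_FLAG_PRIORITY))
            fixed += 5;                       /* E + stream dependency (4) + weight (1) */
    }
    /* The unchecked form, payload_len - fixed - pad_len, wraps to a huge size_t when the
     * peer's Pad Length exceeds the payload, and a later read of that many bytes runs
     * off the buffer. Validate first (RFC 7540 sections 6.1 and 6.2), then subtract. */
    if (payload_len < fixed || pad_len > payload_len - fixed) return -1;
    out->data = payload + fixed;
    out->len = payload_len - fixed - pad_len;
    return 0;
}

/* Parse one frame from buf: 0 and *out on success, -1 if malformed, 1 if incomplete. */
static int h2_parse_frame(const uint8_t *buf, size_t buf_len, h2_slice *out)
{
    if (buf_len < H2_HDR_LEN) return 1;
    size_t length = ((size_t)buf[0] << 16) | ((size_t)buf[1] << 8) | buf[2];
    if (buf_len - H2_HDR_LEN < length) return 1;
    return h2_unpad(buf[3], buf[4], buf + H2_HDR_LEN, length, out);
}

/* Constructed sample frames on stream 1 (not captured traffic). */
static const uint8_t h2_sample_ok[] = { 0,0,9, H2_TYPE_DATA, H2_FLAG_PADDED, 0,0,0,1,
                                        3, 'h','e','l','l','o', 0,0,0 };   /* pad 3 + "hello" */
static const uint8_t h2_sample_bad[] = { 0,0,3, H2_TYPE_DATA, H2_FLAG_PADDED, 0,0,0,1,
                                         0xC8, 'x','y' };                  /* pad 200 > payload */
static const uint8_t h2_sample_hdr[] = { 0,0,6, H2_TYPE_HEADERS, H2_FLAG_PADDED | H2_FLAG_PRIORITY,
                                         0,0,0,1, 1, 0,0,0,0, 16 };       /* pad 1, no room left */
```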

Valkey Redis client finally verifies TLS hostnames (robobun 2dc22fc, robobun aa3f980)

TLS connections now enforce hostname verification when rejectUnauthorized is true, instead of accepting any CA-signed cert. The client recovery path also clears sticky failed/reconnecting state so connect() can recover after a failure instead of staying permanently broken.

Bun RedisClient recovers after entering failed state (robobun aa3f980)

Fixes the long-standing bug where a failed Bun.RedisClient would reject every later command until process restart. Successful reconnects now reset the connection state correctly, restoring normal operation after retry exhaustion or a manual close.

WebSocket close/terminate now completes CONNECTING sockets (robobun 8d2674a, robobun 6c58f4e)

Closing or terminating a socket during CONNECTING now cancels the upgrade cleanly, fires the expected events, and releases pending-activity refs so the object can be collected. A separate tunnel-mode fix also releases a leaked upgrade client on successful proxy upgrades.

Multiple memory leaks and UAFs were fixed across core subsystems (robobun aa90c28, robobun 0f42aed, robobun 0d072e1, robobun 827d4d6, robobun 1e9599d, robobun 85e866c, robobun a2ef6a8, robobun 09203dd, robobun 5b0baa5, robobun 82b617c, robobun 9079d5b, robobun 00ef5a2, robobun f62e43d, robobun 34ad4e4, robobun 7f58d4d, robobun 842bf95, robobun 8dead63, Jarred-Sumner 306b381, robobun 9a693f3, robobun a97e868)

This batch cleans up a wide spread of native leaks and lifetime bugs: TLS certificate/session handling, fetch redirect URLs, SQL/MySQL/Postgres result ownership, blob/content-type aliasing, password hashing buffers, UDP wrapper cleanup, filesystem watchers, transform streams, HTMLRewriter handlers, and more. It also includes a notable Bake dev-server UAF fix when client-component boundaries are demoted.

Other misc changes

  • Deflake and concurrency tweaks in fetch HTTP/2 tests
  • Guard FSEventStreamCreate NULL and reduce watch stress iterations
  • Parser micro-optimization: pass ASTMemoryAllocator by pointer
  • Install path resolution moved off worker-thread shared state
  • Minor CI/test adjustments and mimalloc dependency bump