Changelog

oven-sh/bun · 16 commits

Bun hardens sockets, resolver, and Windows paths

Security fixes, crash fixes, resolver correctness, and a Windows binary-size optimization landed alongside a major src reorganization.

Fix heap overflows in Windows path normalization (robobun c18740d)

normalizePathWindows now checks buffer capacity before UTF-8/UTF-16 conversion and before every pooled-buffer copy/join path. This closes multiple out-of-bounds write sites on Windows and returns ENAMETOOLONG instead of overrunning fixed-size path buffers.
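The capacity check described in this entry, as an added C example; it is not Bun's source, and `utf16_to_utf8_checked`, `join_checked`, the 16-byte `PATH_CAP` and the sample inputs are assumptions made for illustration. It computes the exact UTF-8 size before converting, so a name that is short in UTF-16 units but too long in bytes is refused with ENAMETOOLONG before anything is written.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define PATH_CAP 16 /* small fixed path buffer for the demo (assumed size) */

/* True when s[i], s[i+1] form a valid UTF-16 surrogate pair. */
static int is_pair(const uint16_t *s, size_t i, size_t n) {
    return i + 1 < n && (s[i] & 0xFC00) == 0xD800 && (s[i + 1] & 0xFC00) == 0xDC00;
}

/* Exact UTF-8 byte count; an unpaired surrogate counts as U+FFFD (3 bytes). */
size_t utf8_len_of_utf16(const uint16_t *s, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_pair(s, i, n)) { len += 4; i++; }
        else len += s[i] < 0x80 ? 1 : s[i] < 0x800 ? 2 : 3;
    }
    return len;
}

/* Convert only after proving the output plus its NUL fits in cap bytes. */
int utf16_to_utf8_checked(const uint16_t *s, size_t n, char *dst, size_t cap) {
    static const unsigned char lead[] = {0x00, 0xC0, 0xE0, 0xF0};
    if (cap == 0 || utf8_len_of_utf16(s, n) > cap - 1) return ENAMETOOLONG;
    unsigned char *p = (unsigned char *)dst;
    for (size_t i = 0; i < n; i++) {
        uint32_t c = s[i];
        if (is_pair(s, i, n)) { c = 0x10000 + ((c - 0xD800) << 10) + (s[i + 1] - 0xDC00); i++; }
        else if (c >= 0xD800 && c <= 0xDFFF) c = 0xFFFD; /* unpaired surrogate */
        int extra = c < 0x80 ? 0 : c < 0x800 ? 1 : c < 0x10000 ? 2 : 3;
        *p++ = (unsigned char)(lead[extra] | (c >> (6 * extra)));
        while (extra--) *p++ = (unsigned char)(0x80 | ((c >> (6 * extra)) & 0x3F));
    }
    *p = '\0';
    return 0;
}

/* Join dir + '\' + name in a fixed buffer; nothing is written on failure. */
int join_checked(const char *dir, const uint16_t *name, size_t n, char out[PATH_CAP]) {
    size_t dlen = strlen(dir), need = dlen + 1 + utf8_len_of_utf16(name, n);
    if (need > PATH_CAP - 1) return ENAMETOOLONG; /* total size checked first */
    memcpy(out, dir, dlen);
    out[dlen] = '\\';
    return utf16_to_utf8_checked(name, n, out + dlen + 1, PATH_CAP - dlen - 1);
}

/* Constructed samples: 5 units -> 10 bytes; 4 units -> 12 bytes. */
const uint16_t SAMPLE_OK[] = {'a', 0x00E9, 0x20AC, 0xD83D, 0xDE00};
const uint16_t SAMPLE_LONG[] = {0x20AC, 0x20AC, 0x20AC, 0x20AC};
char g_out[PATH_CAP];
```

With the directory `C:\t`, `SAMPLE_OK` fills the 16-byte buffer exactly, while `SAMPLE_LONG` is only nine characters once joined but needs 17 bytes and is rejected.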

Retarget N-API globals during test isolation (robobun f8fee8d)

bun test --isolate now moves surviving NapiEnvs onto the new JSGlobalObject before the old one is unprotected, and also updates the test VM’s event-loop/global bookkeeping. This fixes crashes from deferred finalizers writing through stale global pointers during the next test file.

Fix accessor-indexed array crashes in process APIs (robobun 7f22584)

process.setgroups() and process.hrtime() now handle sparse/accessor-backed arrays without segfaulting. The fix avoids assuming array elements are plain data slots, closing a crash class exposed by Object.defineProperty on array indices.

Resolver now accepts @ inside wildcard export subpaths (robobun f58cd4b)

Package specifier parsing no longer treats every @ in the full specifier as a version delimiter; it only scans the package-name portion. That restores resolution for wildcard exports targets whose matched subpath starts with or contains @, matching Node behavior.

Socket lifecycle fixes for client handlers and reconnects (robobun bab007c, robobun a47ccff, robobun 31c4946)

Several socket bugs were fixed together: Windows named-pipe Bun.connect() now marks standalone handlers as client-mode, closed client handlers are nulled after being freed, and synchronous connect failures now balance the earlier ref() even for reused sockets. These changes prevent use-after-free, heap overflows, and refcount leaks in net/socket teardown paths.

MySQL query strings are no longer double-ref’d (robobun f116fbf)

MySQLQuery.init() now takes ownership of an already-ref’d string instead of ref’ing again. That fixes a query-string leak that showed up with dynamically generated SQL and is covered by a new stress test using a mock MySQL server.

WebP now preserves ICC profiles end-to-end (robobun 191edc0)

Bun’s image pipeline now carries ICC profiles through both WebP decode and encode, matching the earlier JPEG/PNG behavior. This prevents color shifts when converting images that rely on embedded color profiles.

bun -p returns the module completion value with top-level await (robobun 4f13b9c)

bun -p now reports the final module completion value instead of the first yielded value from a top-level-await module. That fixes expressions like (await 1) + 1 printing the wrong result.

Windows binaries get smaller with safer ICF/tail merging (robobun b34c775)

The Windows link flags now use safe identical-code folding plus string tail merging, and the thread-local path buffers were moved to lazy heap-backed storage. This trims the .tls bloat that was making bun.exe much larger than the Linux/macOS builds.

Build/repo restructuring and path fixups (Jarred-Sumner c8b4c36, Jarred-Sumner e643d7b, 0a7bed5)

A large source-tree rename moved ~2,050 files into subject-area directories, followed by path/import/build-script fixups to keep the build green. This is mostly mechanical, but it’s a major internal layout change that improves long-term code organization and dependency boundaries.

Other misc changes

  • Build tooling and size-reporting scripts updated.
  • Additional tests and fixture updates for the fixes above.
  • Minor linker/build autofix and internal path cleanup.