Changelog

oven-sh/bun · · 13 commits

Crash fixes and protocol conformance

Bun fixed several crashers across async context, fetch, websockets, cloning, and source maps, plus a few HTTP correctness bugs.

Fix top-level await + AsyncLocalStorage segfault (robobun0f9331d)

Bun now preserves AsyncLocalStorage state when a top-level await resumes, including after import()-driven module evaluation. This fixes a deterministic segfault that affected real-world TLA modules and brings Bun in line with Node.

Tighten WebSocket close() validation and frame masking (robobun8706328)

WebSocket close() now rejects invalid status codes and overlong reasons per RFC 6455, and the runtime now refuses incorrectly masked/unmasked frames instead of desynchronizing the parser. This closes a spec-conformance gap and hardens the server/client against malformed or fuzzed traffic.

Stop Bun Shell from asserting on detached pipe callbacks (robobunf336885)

A detached PipeReader can now complete without tripping a debug assertion when syscall faults or similar races cause an extra terminal callback. That removes a regression that could panic Shell under fuzzed failure conditions.

Fix source map columns after non-ASCII characters (robobund4b9d10)

Source-map original columns and inline snapshot updates now agree on the column unit used after non-ASCII text. This corrects off-by-one mappings in bun build --sourcemap and improves stack-trace/snapshot accuracy for international text.

Prevent Bun.serve from killing the process on response body stream errors (robobun8072934)

If a streamed response body errors after the response has started, Bun now handles the rejection and force-closes the response instead of letting it escape as an unhandled rejection or malformed completion. This fixes a server-killing bug for stream-backed responses.

Fix bundled CJS handling for nullish exports and top-level arguments (robobuna1a2c81)

The bundler/runtime now handles module.exports being nullish and top-level arguments more robustly in bundled CommonJS output. This addresses edge cases that could break generated CJS bundles and related HMR/runtime paths.

Harden HTTP abort tracking on socket close (robobun7257f93)

Abort trackers are now swept by socket pointer during Handler::on_close fallthrough, improving cleanup when connections end unexpectedly. This reduces racey abort-state leaks in fetch/socket close scenarios.

Fix streamed request-body wire bugs in fetch() (robobun7c05b11)

Bun now avoids malformed HTTP/1.1 uploads when a streamed request body is being sent, including the empty-chunk case that could accidentally emit the chunked terminator early. This repairs keep-alive upload correctness and prevents stalled or truncated requests.

Keep structuredClone reference pools in sync (robobundf92f8f)

The structured-clone serializer/deserializer reference pools were aligned so pooled terminal objects stay indexed consistently on both sides. This is a low-level correctness fix that prevents corrupted clone payloads for newer cloneable types.

Throw DataCloneError for detached ArrayBuffers (robobunc2b5cef)

Detached ArrayBuffer serialization now raises the standard DataCloneError DOMException instead of a plain TypeError. That matches the HTML spec and the behavior users get in major browsers and Node.

Avoid retrying consumed ReadableStream fetch bodies on reconnect (robobuna2290aa)

Fetch no longer retries idempotent requests with ReadableStream bodies after a keep-alive disconnect, which could previously replay a partially consumed upload and panic. The fix makes reconnect behavior match the actual recoverability of the request body.

Use forward slashes in Windows source map sources (robobunf412daa)

Source-map sources entries on Windows now always use / instead of the host path separator. That makes emitted maps resolve correctly as URLs across tooling.

Bounds-check HTTPClient::header_str to stop slice panics (robobun96a7627)

HTTP header string lookup now returns an empty slice instead of panicking when header metadata gets out of sync with the backing buffer. This removes a crash in request building under concurrent TLS load and allocation churn.

Other misc changes

  • WebKit dependency bump and test updates (1 commit)
  • Minor docs/comments/internal refactors across HTTP and WebSocket code