fix(publish): prevent use-after-free in tarball URL generation

The tarball URL string was being freed via `defer tarball_url_slice.deinit()`
before it was actually used in the dist properties. This caused a use-after-free
bug that manifested as assertion failures, particularly on Windows in debug builds.

The fix duplicates the string using the allocator so it persists beyond the defer.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Claude Bot
2025-10-08 00:57:24 +00:00
parent 268d4f3045
commit 09ce0190b4

@@ -998,6 +998,9 @@ pub const PublishCommand = struct {
const tarball_url_slice = tarball_url.toSlice(bun.default_allocator);
defer tarball_url_slice.deinit();
// Duplicate the tarball URL string so it persists beyond the defer
const tarball_url_str_duped = try allocator.dupe(u8, tarball_url_slice.slice());
dist_props[2] = .{
.key = Expr.init(
E.String,
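Review bot: the new `allocator.dupe(u8, ...)` line has no matching `free` or `errdefer` anywhere in this hunk, so ownership of `tarball_url_str_duped` is undocumented. Note also that the source slice comes from `bun.default_allocator` while the copy is made with `allocator`. If `allocator` is an arena that outlives the dist properties, say so in the comment next to the dupe; otherwise add an `errdefer allocator.free(tarball_url_str_duped);` and a release once the publish request body has been built, or this trades the use-after-free for a leak.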
@@ -1007,7 +1010,7 @@ pub const PublishCommand = struct {
.value = Expr.init(
E.String,
.{
.data = tarball_url_slice.slice(),
.data = tarball_url_str_duped,
},
logger.Loc.Empty,
),
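Review bot: the swap to `.data = tarball_url_str_duped` fixes this one borrow, but nothing in the lines shown guards against it returning, since neither hunk adds a test. A regression test that builds the dist properties and reads the tarball URL back after the enclosing scope has exited would catch a later reintroduction of `tarball_url_slice.slice()` here, ideally run under a debug build where freed memory is poisoned, since the commit message says the failure only showed up as assertion failures in debug builds.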