From 09ce0190b4e679ab571e84891b858bcce12db006 Mon Sep 17 00:00:00 2001
From: Claude Bot
Date: Wed, 8 Oct 2025 00:57:24 +0000
Subject: [PATCH] fix(publish): prevent use-after-free in tarball URL generation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The tarball URL string was being freed via `defer tarball_url_slice.deinit()` before it was actually used in the dist properties. This caused a use-after-free bug that manifested as assertion failures, particularly on Windows in debug builds. The fix duplicates the string using the allocator so it persists beyond the defer.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 src/cli/publish_command.zig | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/cli/publish_command.zig b/src/cli/publish_command.zig
index 898a95dea4..19320a36e2 100644
--- a/src/cli/publish_command.zig
+++ b/src/cli/publish_command.zig
@@ -998,6 +998,9 @@ pub const PublishCommand = struct {
 const tarball_url_slice = tarball_url.toSlice(bun.default_allocator);
 defer tarball_url_slice.deinit();
+ // Duplicate the tarball URL string so it persists beyond the defer
+ const tarball_url_str_duped = try allocator.dupe(u8, tarball_url_slice.slice());
+
 dist_props[2] = .{
 .key = Expr.init(
 E.String,
@@ -1007,7 +1010,7 @@ pub const PublishCommand = struct {
 .value = Expr.init(
 E.String,
 .{
- .data = tarball_url_slice.slice(),
+ .data = tarball_url_str_duped,
 },
 logger.Loc.Empty,
 ),
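Review bot: The copy made by `allocator.dupe` in the first hunk has no visible owner: nothing in the hunk frees it, and the new comment only says it "persists beyond the defer". The source slice is built with `bun.default_allocator` while the copy uses `allocator`, and the hunk does not show where `allocator` comes from; if it is not an arena released once the publish request is built, the copy leaks on success and on any later `try` failure, so add `errdefer allocator.free(tarball_url_str_duped);` right after the dupe and free it where the dist object is released. Either way the comment should state the lifetime, for example `// Owned copy: dist_props is read after the defer above releases tarball_url_slice; freed with allocator.` The enclosing function begins and ends outside the hunk.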
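Review bot: The `.data = tarball_url_str_duped` line in the second hunk repairs one borrowed slice, but the patch changes only this file and adds no regression test, so nothing guards against the next `toSlice` / `defer deinit` pair being stored into an `E.String` the same way. A publish test that checks the tarball URL in the generated dist properties, run in a debug build, would catch the freed-memory read described in the commit message; because this value presumably ends up in the published package metadata, a corrupted URL is an integrity problem as well as a crash. The other `dist_props` entries in this function lie outside the hunk and are worth checking for slices whose backing storage is released by a `defer`.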