mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-02 15:08:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: scanner on update, install, remove, uninstall and add, and introduce the pm scan command (#22193)

Browse Source 
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Dylan Conway <dylan.conway567@gmail.com>
This commit is contained in:
Alistair Smith
2025-09-09 21:42:01 -07:00
committed by GitHub
parent 25834afe9a
commit 3ee477fc5b
39 changed files with 11287 additions and 507 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
cmake/Sources.json
View File

@@ -13,7 +13,10 @@
},
{
"output": "JavaScriptSources.txt",
"paths": ["src/js/**/*.{js,ts}"]
"paths": [
"src/js/**/*.{js,ts}",
"src/install/PackageManager/scanner-entry.ts"
]
},
{
"output": "JavaScriptCodegenSources.txt",

1
cmake/targets/BuildBun.cmake
View File

@@ -636,6 +636,7 @@ register_command(
SOURCES
${BUN_ZIG_SOURCES}
${BUN_ZIG_GENERATED_SOURCES}
${CWD}/src/install/PackageManager/scanner-entry.ts # Is there a better way to do this?
)
set_property(TARGET bun-zig PROPERTY JOB_POOL compile_pool)

4
packages/bun-types/shell.d.ts vendored
View File

@@ -58,7 +58,7 @@ declare module "bun" {
* // "bun"
* ```
*/
function env(newEnv?: Record<string, string | undefined>): $;
function env(newEnv?: Record<string, string | undefined> | NodeJS.Dict<string> | undefined): $;
/**
*
@@ -106,7 +106,7 @@ declare module "bun" {
* expect(stdout.toString()).toBe("LOL!");
* ```
*/
env(newEnv: Record<string, string> | undefined): this;
env(newEnv: Record<string, string | undefined> | NodeJS.Dict<string> | undefined): this;
/**
* By default, the shell will write to the current process's stdout and stderr, as well as buffering that output.

7
src/cli/package_manager_command.zig
View File

@@ -1,5 +1,6 @@
const NodeModulesFolder = Lockfile.Tree.Iterator(.node_modules).Next;
pub const PackCommand = @import("./pack_command.zig").PackCommand;
pub const ScanCommand = @import("./scan_command.zig").ScanCommand;
const ByName = struct {
dependencies: []const Dependency,
@@ -92,6 +93,7 @@ pub const PackageManagerCommand = struct {
\\
\\<b>Commands:<r>
\\
\\ <b><green>bun pm<r> <blue>scan<r> scan all packages in lockfile for security vulnerabilities
\\ <b><green>bun pm<r> <blue>pack<r> create a tarball of the current workspace
\\ <d>├<r> <cyan>--dry-run<r> do everything except for writing the tarball to disk
\\ <d>├<r> <cyan>--destination<r> the directory the tarball will be saved in
@@ -157,7 +159,10 @@ pub const PackageManagerCommand = struct {
try pm.setupGlobalDir(ctx);
}
if (strings.eqlComptime(subcommand, "pack")) {
if (strings.eqlComptime(subcommand, "scan")) {
try ScanCommand.execWithManager(ctx, pm, cwd);
Global.exit(0);
} else if (strings.eqlComptime(subcommand, "pack")) {
try PackCommand.execWithManager(ctx, pm);
Global.exit(0);
} else if (strings.eqlComptime(subcommand, "whoami")) {

76
src/cli/scan_command.zig Normal file
View File

@@ -0,0 +1,76 @@
pub const ScanCommand = struct {
pub fn exec(ctx: Command.Context) !void {
const cli = try PackageManager.CommandLineArguments.parse(ctx.allocator, .scan);
const manager, const cwd = PackageManager.init(ctx, cli, .scan) catch |err| {
if (err == error.MissingPackageJSON) {
Output.errGeneric("No package.json found. 'bun pm scan' requires a lockfile to analyze dependencies.", .{});
Output.note("Run \"bun install\" first to generate a lockfile", .{});
Global.exit(1);
}
return err;
};
defer ctx.allocator.free(cwd);
try execWithManager(ctx, manager, cwd);
}
pub fn execWithManager(ctx: Command.Context, manager: *PackageManager, original_cwd: []const u8) !void {
if (manager.options.security_scanner == null) {
Output.prettyErrorln("<r><red>error<r>: no security scanner configured", .{});
Output.pretty(
\\
\\To use 'bun pm scan', configure a security scanner in bunfig.toml:
\\ [install.security]
\\ scanner = "<cyan>package_name<r>"
\\
\\Security scanners can be npm packages that export a scanner object.
\\
, .{});
Global.exit(1);
}
Output.prettyError(comptime Output.prettyFmt("<r><b>bun pm scan <r><d>v" ++ Global.package_json_version_with_sha ++ "<r>\n", true), .{});
Output.flush();
const load_lockfile = manager.lockfile.loadFromCwd(manager, ctx.allocator, ctx.log, true);
if (load_lockfile == .not_found) {
Output.errGeneric("Lockfile not found. Run 'bun install' first to generate a lockfile.", .{});
Global.exit(1);
}
if (load_lockfile == .err) {
Output.errGeneric("Error loading lockfile: {s}", .{@errorName(load_lockfile.err.value)});
Global.exit(1);
}
const security_scan_results = security_scanner.performSecurityScanForAll(manager, ctx, original_cwd) catch |err| {
Output.errGeneric("Could not perform security scan (<d>{s}<r>)", .{@errorName(err)});
Global.exit(1);
};
if (security_scan_results) |results| {
defer {
var results_mut = results;
results_mut.deinit();
}
security_scanner.printSecurityAdvisories(manager, &results);
if (results.hasAdvisories()) {
Global.exit(1);
} else {
Output.pretty("<green>No advisories found<r>\n", .{});
}
}
Global.exit(0);
}
};
const security_scanner = @import("../install/PackageManager/security_scanner.zig");
const Command = @import("../cli.zig").Command;
const PackageManager = @import("../install/install.zig").PackageManager;
const bun = @import("bun");
const Global = bun.Global;
const Output = bun.Output;

7
src/install/PackageManager.zig
View File

@@ -1,5 +1,4 @@
cache_directory_: ?std.fs.Dir = null,
cache_directory_path: stringZ = "",
temp_dir_: ?std.fs.Dir = null,
temp_dir_path: stringZ = "",
@@ -155,6 +154,7 @@ pub const Subcommand = enum {
audit,
info,
why,
scan,
// bin,
// hash,
@@ -580,7 +580,10 @@ pub fn init(
if (comptime Environment.isWindows) {
_ = Path.pathToPosixBuf(u8, top_level_dir_no_trailing_slash, &cwd_buf);
} else {
@memcpy(cwd_buf[0..top_level_dir_no_trailing_slash.len], top_level_dir_no_trailing_slash);
// Avoid memcpy alias when source and dest are the same
if (cwd_buf[0..].ptr != top_level_dir_no_trailing_slash.ptr) {
bun.copy(u8, cwd_buf[0..top_level_dir_no_trailing_slash.len], top_level_dir_no_trailing_slash);
}
}
var original_package_json_path_buf = bun.handleOom(std.ArrayListUnmanaged(u8).initCapacity(ctx.allocator, top_level_dir_no_trailing_slash.len + "/package.json".len + 1));

30
src/install/PackageManager/CommandLineArguments.zig
View File

@@ -702,6 +702,35 @@ pub fn printHelp(subcommand: Subcommand) void {
Output.pretty(outro_text, .{});
Output.flush();
},
.scan => {
const intro_text =
\\
\\<b>Usage<r>: <b><green>bun pm scan<r> <cyan>[flags]<r>
\\
\\ Scan all packages in lockfile for security vulnerabilities.
\\
\\<b>Flags:<r>
;
const outro_text =
\\
\\
\\<b>Examples:<r>
\\ <d>Scan all packages for vulnerabilities<r>
\\ <b><green>bun pm scan<r>
\\
\\ <d>Output results as JSON<r>
\\ <b><green>bun pm scan<r> <cyan>--json<r>
\\
\\Full documentation is available at <magenta>https://bun.com/docs/cli/pm#scan<r>.
\\
;
Output.pretty(intro_text, .{});
clap.simpleHelp(pm_params);
Output.pretty(outro_text, .{});
Output.flush();
},
}
}
@@ -727,6 +756,7 @@ pub fn parse(allocator: std.mem.Allocator, comptime subcommand: Subcommand) !Com
// are not included in the help text
.audit => shared_params ++ audit_params,
.info => info_params,
.scan => pm_params, // scan uses the same params as pm command
};
var diag = clap.Diagnostic{};

3
src/install/PackageManager/PackageManagerEnqueue.zig
View File

@@ -253,9 +253,6 @@ pub fn enqueuePackageForDownload(
if (task_queue.found_existing) return;
// Skip tarball download when prefetch_resolved_tarballs is disabled (e.g., --lockfile-only)
if (!this.options.do.prefetch_resolved_tarballs) return;
const is_required = this.lockfile.buffers.dependencies.items[dependency_id].behavior.isRequired();
if (try this.generateNetworkTaskForTarball(

144
src/install/PackageManager/install_with_manager.zig
View File

@@ -566,8 +566,37 @@ pub fn installWithManager(
manager.verifyResolutions(log_level);
if (manager.subcommand == .add and manager.options.security_scanner != null) {
try security_scanner.performSecurityScanAfterResolution(manager);
if (manager.options.security_scanner != null) {
const is_subcommand_to_run_scanner = manager.subcommand == .add or manager.subcommand == .update or manager.subcommand == .install or manager.subcommand == .remove;
if (is_subcommand_to_run_scanner) {
if (security_scanner.performSecurityScanAfterResolution(manager, ctx, original_cwd) catch |err| {
switch (err) {
error.SecurityScannerInWorkspace => {
Output.pretty("<red>Security scanner cannot be a dependency of a workspace package. It must be a direct dependency of the root package.<r>\n", .{});
},
else => {},
}
Global.exit(1);
}) |results| {
defer {
var results_mut = results;
results_mut.deinit();
}
security_scanner.printSecurityAdvisories(manager, &results);
if (results.hasFatalAdvisories()) {
Output.pretty("<red>Installation aborted due to fatal security advisories<r>\n", .{});
Global.exit(1);
} else if (results.hasWarnings()) {
if (!security_scanner.promptForWarnings()) {
Global.exit(1);
}
}
}
}
}
}
@@ -691,53 +720,8 @@ pub fn installWithManager(
return;
}
var path_buf: bun.PathBuffer = undefined;
var workspace_filters: std.ArrayListUnmanaged(WorkspaceFilter) = .{};
// only populated when subcommand is `.install`
if (manager.subcommand == .install and manager.options.filter_patterns.len > 0) {
try workspace_filters.ensureUnusedCapacity(manager.allocator, manager.options.filter_patterns.len);
for (manager.options.filter_patterns) |pattern| {
try workspace_filters.append(manager.allocator, try WorkspaceFilter.init(manager.allocator, pattern, original_cwd, &path_buf));
}
}
defer workspace_filters.deinit(manager.allocator);
var install_root_dependencies = workspace_filters.items.len == 0;
if (!install_root_dependencies) {
const pkg_names = manager.lockfile.packages.items(.name);
const abs_root_path = abs_root_path: {
if (comptime !Environment.isWindows) {
break :abs_root_path strings.withoutTrailingSlash(FileSystem.instance.top_level_dir);
}
var abs_path = Path.pathToPosixBuf(u8, FileSystem.instance.top_level_dir, &path_buf);
break :abs_root_path strings.withoutTrailingSlash(abs_path[Path.windowsVolumeNameLen(abs_path)[0]..]);
};
for (workspace_filters.items) |filter| {
const pattern, const path_or_name = switch (filter) {
.name => |pattern| .{ pattern, pkg_names[0].slice(manager.lockfile.buffers.string_bytes.items) },
.path => |pattern| .{ pattern, abs_root_path },
.all => {
install_root_dependencies = true;
continue;
},
};
switch (bun.glob.walk.matchImpl(manager.allocator, pattern, path_or_name)) {
.match, .negate_match => install_root_dependencies = true,
.negate_no_match => {
// always skip if a pattern specifically says "!<name>"
install_root_dependencies = false;
break;
},
.no_match => {},
}
}
}
const workspace_filters, const install_root_dependencies = (try getWorkspaceFilters(manager, original_cwd));
defer manager.allocator.free(workspace_filters);
const install_summary: PackageInstall.Summary = install_summary: {
if (!manager.options.do.install_packages) {
@@ -751,16 +735,18 @@ pub fn installWithManager(
=> break :install_summary try installHoistedPackages(
manager,
ctx,
workspace_filters.items,
workspace_filters,
install_root_dependencies,
log_level,
null,
),
.isolated => break :install_summary installIsolatedPackages(
manager,
ctx,
install_root_dependencies,
workspace_filters.items,
workspace_filters,
null,
) catch |err| switch (err) {
error.OutOfMemory => bun.outOfMemory(),
},
@@ -992,6 +978,62 @@ fn printBlockedPackagesInfo(summary: *const PackageInstall.Summary, global: bool
}
}
pub fn getWorkspaceFilters(manager: *PackageManager, original_cwd: []const u8) !struct {
[]const WorkspaceFilter,
bool,
} {
const path_buf = bun.path_buffer_pool.get();
defer bun.path_buffer_pool.put(path_buf);
var workspace_filters: std.ArrayListUnmanaged(WorkspaceFilter) = .{};
// only populated when subcommand is `.install`
if (manager.subcommand == .install and manager.options.filter_patterns.len > 0) {
try workspace_filters.ensureUnusedCapacity(manager.allocator, manager.options.filter_patterns.len);
for (manager.options.filter_patterns) |pattern| {
try workspace_filters.append(manager.allocator, try WorkspaceFilter.init(manager.allocator, pattern, original_cwd, path_buf[0..]));
}
}
var install_root_dependencies = workspace_filters.items.len == 0;
if (!install_root_dependencies) {
const pkg_names = manager.lockfile.packages.items(.name);
const abs_root_path = abs_root_path: {
if (comptime !Environment.isWindows) {
break :abs_root_path strings.withoutTrailingSlash(FileSystem.instance.top_level_dir);
}
var abs_path = Path.pathToPosixBuf(u8, FileSystem.instance.top_level_dir, path_buf);
break :abs_root_path strings.withoutTrailingSlash(abs_path[Path.windowsVolumeNameLen(abs_path)[0]..]);
};
for (workspace_filters.items) |filter| {
const pattern, const path_or_name = switch (filter) {
.name => |pattern| .{ pattern, pkg_names[0].slice(manager.lockfile.buffers.string_bytes.items) },
.path => |pattern| .{ pattern, abs_root_path },
.all => {
install_root_dependencies = true;
continue;
},
};
switch (bun.glob.walk.matchImpl(manager.allocator, pattern, path_or_name)) {
.match, .negate_match => install_root_dependencies = true,
.negate_no_match => {
// always skip if a pattern specifically says "!<name>"
install_root_dependencies = false;
break;
},
.no_match => {},
}
}
}
return .{ workspace_filters.items, install_root_dependencies };
}
const security_scanner = @import("./security_scanner.zig");
const std = @import("std");
const installHoistedPackages = @import("../hoisted_install.zig").installHoistedPackages;

2
src/install/PackageManager/scanner-entry-globals.d.ts vendored Normal file
View File

@@ -0,0 +1,2 @@
declare const __PACKAGES_JSON__: Bun.Security.Package[];
declare const __SUPPRESS_ERROR__: boolean;

92
src/install/PackageManager/scanner-entry.ts Normal file
View File

@@ -0,0 +1,92 @@
import fs from "node:fs";
const scannerModuleName = "__SCANNER_MODULE__";
const packages = __PACKAGES_JSON__;
const suppressError = __SUPPRESS_ERROR__;
type IPCMessage =
| { type: "result"; advisories: Bun.Security.Advisory[] }
| { type: "error"; code: "MODULE_NOT_FOUND"; module: string }
| { type: "error"; code: "INVALID_VERSION"; message: string }
| { type: "error"; code: "SCAN_FAILED"; message: string };
const IPC_PIPE_FD = 3;
function writeAndExit(message: IPCMessage): never {
const data = JSON.stringify(message);
for (let remaining = data; remaining.length > 0; ) {
const written = fs.writeSync(IPC_PIPE_FD, remaining);
if (written === 0) {
console.error("Failed to write to IPC pipe");
process.exit(1);
}
remaining = remaining.slice(written);
}
fs.closeSync(IPC_PIPE_FD);
process.exit(message.type === "error" ? 1 : 0);
}
let scanner: Bun.Security.Scanner;
try {
scanner = (await import(scannerModuleName)).scanner;
} catch (error) {
if (typeof error === "object" && error !== null && "code" in error && error.code === "ERR_MODULE_NOT_FOUND") {
if (!suppressError) {
const msg = `\x1b[31merror: \x1b[0mFailed to import security scanner: \x1b[1m'${scannerModuleName}'`;
console.error(msg);
}
writeAndExit({
type: "error",
code: "MODULE_NOT_FOUND",
module: scannerModuleName,
});
} else {
writeAndExit({
type: "error",
code: "SCAN_FAILED",
message: error instanceof Error ? error.message : String(error),
});
}
}
try {
if (typeof scanner !== "object" || scanner === null || typeof scanner.version !== "string") {
throw new Error("Security scanner must export a 'scanner' object with a version property");
}
if (scanner.version !== "1") {
writeAndExit({
type: "error",
code: "INVALID_VERSION",
message: `Security scanner must be version 1, got version ${scanner.version}`,
});
}
if (typeof scanner.scan !== "function") {
throw new Error(`scanner.scan is not a function, got ${typeof scanner.scan}`);
}
const result = await scanner.scan({ packages });
if (!Array.isArray(result)) {
throw new Error("Security scanner must return an array of advisories");
}
writeAndExit({ type: "result", advisories: result });
} catch (error) {
if (!suppressError) {
console.error(error);
}
writeAndExit({
type: "error",
code: "SCAN_FAILED",
message: error instanceof Error ? error.message : "Unknown error occurred",
});
}

1224
src/install/PackageManager/security_scanner.zig
View File

File diff suppressed because it is too large Load Diff

3
src/install/hoisted_install.zig
View File

@@ -4,13 +4,14 @@ pub fn installHoistedPackages(
workspace_filters: []const WorkspaceFilter,
install_root_dependencies: bool,
log_level: PackageManager.Options.LogLevel,
packages_to_install: ?[]const PackageID,
) !PackageInstall.Summary {
bun.analytics.Features.hoisted_bun_install += 1;
const original_trees = this.lockfile.buffers.trees;
const original_tree_dep_ids = this.lockfile.buffers.hoisted_dependencies;
try this.lockfile.filter(this.log, this, install_root_dependencies, workspace_filters);
try this.lockfile.filter(this.log, this, install_root_dependencies, workspace_filters, packages_to_install);
defer {
this.lockfile.buffers.trees = original_trees;

84
src/install/isolated_install.zig
View File

@@ -6,6 +6,7 @@ pub fn installIsolatedPackages(
command_ctx: Command.Context,
install_root_dependencies: bool,
workspace_filters: []const WorkspaceFilter,
packages_to_install: ?[]const PackageID,
) OOM!PackageInstall.Summary {
bun.analytics.Features.isolated_bun_install += 1;
@@ -168,38 +169,65 @@ pub fn installIsolatedPackages(
);
peer_dep_ids.clearRetainingCapacity();
for (dep_ids_sort_buf.items) |dep_id| {
if (Tree.isFilteredDependencyOrWorkspace(
dep_id,
entry.pkg_id,
workspace_filters,
install_root_dependencies,
manager,
lockfile,
)) {
continue;
queue_deps: {
if (packages_to_install) |packages| {
if (node_id == .root) { // TODO: print an error when scanner is actually a dependency of a workspace (we should not support this)
for (dep_ids_sort_buf.items) |dep_id| {
const pkg_id = resolutions[dep_id];
if (pkg_id == invalid_package_id) {
continue;
}
for (packages) |package_to_install| {
if (package_to_install == pkg_id) {
node_dependencies[node_id.get()].appendAssumeCapacity(.{ .dep_id = dep_id, .pkg_id = pkg_id });
try node_queue.writeItem(.{
.parent_id = node_id,
.dep_id = dep_id,
.pkg_id = pkg_id,
});
break;
}
}
}
break :queue_deps;
}
}
const pkg_id = resolutions[dep_id];
const dep = dependencies[dep_id];
for (dep_ids_sort_buf.items) |dep_id| {
if (Tree.isFilteredDependencyOrWorkspace(
dep_id,
entry.pkg_id,
workspace_filters,
install_root_dependencies,
manager,
lockfile,
)) {
continue;
}
// TODO: handle duplicate dependencies. should be similar logic
// like we have for dev dependencies in `hoistDependency`
const pkg_id = resolutions[dep_id];
const dep = dependencies[dep_id];
if (!dep.behavior.isPeer()) {
// simple case:
// - add it as a dependency
// - queue it
node_dependencies[node_id.get()].appendAssumeCapacity(.{ .dep_id = dep_id, .pkg_id = pkg_id });
try node_queue.writeItem(.{
.parent_id = node_id,
.dep_id = dep_id,
.pkg_id = pkg_id,
});
continue;
// TODO: handle duplicate dependencies. should be similar logic
// like we have for dev dependencies in `hoistDependency`
if (!dep.behavior.isPeer()) {
// simple case:
// - add it as a dependency
// - queue it
node_dependencies[node_id.get()].appendAssumeCapacity(.{ .dep_id = dep_id, .pkg_id = pkg_id });
try node_queue.writeItem(.{
.parent_id = node_id,
.dep_id = dep_id,
.pkg_id = pkg_id,
});
continue;
}
try peer_dep_ids.append(dep_id);
}
try peer_dep_ids.append(dep_id);
}
next_peer: for (peer_dep_ids.items) |peer_dep_id| {
@@ -652,7 +680,6 @@ pub fn installIsolatedPackages(
// add the pending task count upfront
manager.incrementPendingTasks(@intCast(store.entries.len));
for (0..store.entries.len) |_entry_id| {
const entry_id: Store.Entry.Id = .from(@intCast(_entry_id));
@@ -805,6 +832,7 @@ pub fn installIsolatedPackages(
const dep_id = node_dep_ids[node_id.get()];
const dep = lockfile.buffers.dependencies.items[dep_id];
switch (pkg_res_tag) {
.npm => {
manager.enqueuePackageForDownload(

7
src/install/lockfile.zig
View File

@@ -865,7 +865,7 @@ pub fn resolve(
lockfile: *Lockfile,
log: *logger.Log,
) Tree.SubtreeError!void {
return lockfile.hoist(log, .resolvable, {}, {}, {});
return lockfile.hoist(log, .resolvable, {}, {}, {}, {});
}
pub fn filter(
@@ -874,8 +874,9 @@ pub fn filter(
manager: *PackageManager,
install_root_dependencies: bool,
workspace_filters: []const WorkspaceFilter,
packages_to_install: ?[]const PackageID,
) Tree.SubtreeError!void {
return lockfile.hoist(log, .filter, manager, install_root_dependencies, workspace_filters);
return lockfile.hoist(log, .filter, manager, install_root_dependencies, workspace_filters, packages_to_install);
}
/// Sets `buffers.trees` and `buffers.hoisted_dependencies`
@@ -886,6 +887,7 @@ pub fn hoist(
manager: if (method == .filter) *PackageManager else void,
install_root_dependencies: if (method == .filter) bool else void,
workspace_filters: if (method == .filter) []const WorkspaceFilter else void,
packages_to_install: if (method == .filter) ?[]const PackageID else void,
) Tree.SubtreeError!void {
const allocator = lockfile.allocator;
var slice = lockfile.packages.slice();
@@ -902,6 +904,7 @@ pub fn hoist(
.manager = manager,
.install_root_dependencies = install_root_dependencies,
.workspace_filters = workspace_filters,
.packages_to_install = packages_to_install,
};
try (Tree{}).processSubtree(

17
src/install/lockfile/Tree.zig
View File

@@ -246,6 +246,7 @@ pub fn Builder(comptime method: BuilderMethod) type {
sort_buf: std.ArrayListUnmanaged(DependencyID) = .{},
workspace_filters: if (method == .filter) []const WorkspaceFilter else void = if (method == .filter) &.{},
install_root_dependencies: if (method == .filter) bool else void,
packages_to_install: if (method == .filter) ?[]const PackageID else void,
pub fn maybeReportError(this: *@This(), comptime fmt: string, args: anytype) void {
this.log.addErrorFmt(null, logger.Loc.Empty, this.allocator, fmt, args) catch {};
@@ -492,6 +493,22 @@ pub fn processSubtree(
)) {
continue;
}
if (builder.packages_to_install) |packages_to_install| {
if (parent_pkg_id == 0) {
var found = false;
for (packages_to_install) |package_to_install| {
if (pkg_id == package_to_install) {
found = true;
break;
}
}
if (!found) {
continue;
}
}
}
}
const hoisted: HoistDependencyResult = hoisted: {

18
src/output.zig
View File

@@ -6,6 +6,10 @@ threadlocal var source_set: bool = false;
var stderr_stream: Source.StreamType = undefined;
var stdout_stream: Source.StreamType = undefined;
var stdout_stream_set = false;
// Track which stdio descriptors are TTYs (0=stdin, 1=stdout, 2=stderr)
pub export var bun_stdio_tty: [3]i32 = .{ 0, 0, 0 };
pub var terminal_size: std.posix.winsize = .{
.row = 0,
.col = 0,
@@ -119,8 +123,6 @@ pub const Source = struct {
return colorDepth() != .none;
}
export var bun_stdio_tty: [3]i32 = .{ 0, 0, 0 };
const WindowsStdio = struct {
const w = bun.windows;
@@ -431,6 +433,18 @@ pub var is_github_action = false;
pub var stderr_descriptor_type = OutputStreamDescriptor.unknown;
pub var stdout_descriptor_type = OutputStreamDescriptor.unknown;
pub inline fn isStdoutTTY() bool {
return bun_stdio_tty[1] != 0;
}
pub inline fn isStderrTTY() bool {
return bun_stdio_tty[2] != 0;
}
pub inline fn isStdinTTY() bool {
return bun_stdio_tty[0] != 0;
}
pub inline fn isEmojiEnabled() bool {
return enable_ansi_colors;
}

3271
test/cli/install/__snapshots__/bun-security-scanner-matrix-with-node-modules.test.ts.snap Normal file
View File

File diff suppressed because it is too large Load Diff

4205
test/cli/install/__snapshots__/bun-security-scanner-matrix-without-node-modules.test.ts.snap Normal file
View File

File diff suppressed because it is too large Load Diff

8
test/cli/install/bun-install-security-provider.test.ts
View File

@@ -71,7 +71,7 @@ function test(
});
if (options.fails) {
expect(out).toContain("bun install aborted due to fatal security advisories");
expect(out).toContain("Installation aborted due to fatal security advisories");
}
await options.expect?.({ out, err });
@@ -139,7 +139,9 @@ describe("Security Scanner Edge Cases", () => {
bunfigScanner: "./non-existent-scanner.ts",
expectedExitCode: 1,
expect: ({ err }) => {
expect(err).toContain("Failed to import security scanner");
expect(err).toContain(
"Security scanner './non-existent-scanner.ts' is configured in bunfig.toml but the file could not be found.\n Please check that the file exists and the path is correct.",
);
},
});
@@ -147,7 +149,7 @@ describe("Security Scanner Edge Cases", () => {
scanner: `throw new Error("Module failed to load");`,
expectedExitCode: 1,
expect: ({ err }) => {
expect(err).toContain("Failed to import security scanner");
expect(err).toContain("Security scanner failed: Module failed to load");
},
});

676
test/cli/install/bun-pm-scan.test.ts Normal file
View File

@@ -0,0 +1,676 @@
import { describe, expect, test } from "bun:test";
import { bunEnv, bunExe, tempDirWithFiles, tmpdirSync } from "harness";
import { join } from "path";
describe("bun pm scan", () => {
describe("configuration", () => {
test("shows error when no security scanner configured", async () => {
const dir = tempDirWithFiles("scan-no-config", {
"package.json": JSON.stringify({ name: "test", dependencies: { "left-pad": "^1.0.0" } }),
"bun.lockb": "",
});
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stderr).toContain("error: no security scanner configured");
});
test("shows error when lockfile doesn't exist", async () => {
const dir = tempDirWithFiles("scan-no-lockfile", {
"package.json": JSON.stringify({ name: "test", dependencies: {} }),
"bunfig.toml": `[install.security]\nscanner = "test-scanner"`,
});
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stderr).toContain("Lockfile not found");
expect(stderr).toContain("Run 'bun install' first");
});
test("shows error when package.json doesn't exist", async () => {
const dir = tmpdirSync();
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stderr).toContain("No package.json was found");
});
});
describe("scanner execution", () => {
test("scanner receives correct package format", async () => {
const dir = tempDirWithFiles("scan-package-format", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
express: "^4.0.0",
},
}),
"bunfig.toml": `[install.security]\nscanner = "./scanner.js"`,
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
// Log the packages we receive
console.error("PACKAGES:", JSON.stringify(payload.packages));
// Verify format
if (!Array.isArray(payload.packages)) {
throw new Error("packages should be an array");
}
for (const pkg of payload.packages) {
if (!pkg.name || !pkg.version || !pkg.requestedRange || !pkg.tarball) {
throw new Error("Invalid package format");
}
}
return [];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(stderr).toContain("PACKAGES:");
expect(exitCode).toBe(0);
expect(stdout).toContain("No advisories found");
});
test("scanner version validation", async () => {
const dir = tempDirWithFiles("scan-version-check", {
"package.json": JSON.stringify({ name: "test", dependencies: { "left-pad": "^1.0.0" } }),
"scanner.js": `
module.exports = {
scanner: {
version: "2", // Wrong version
scan: async () => []
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Add config after install
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stderr).toContain("Security scanner must be version 1");
});
});
describe("vulnerability detection", () => {
test("detects fatal vulnerabilities", async () => {
const dir = tempDirWithFiles("scan-fatal", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: { lodash: "^4.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
return [{
package: "lodash",
level: "fatal",
description: "Prototype pollution vulnerability",
url: "https://example.com/CVE-2024-1234"
}];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stdout).toContain("FATAL: lodash");
expect(stdout).toContain("Prototype pollution vulnerability");
expect(stdout).toContain("https://example.com/CVE-2024-1234");
expect(stdout).toMatch(/1 advisory \(.*1 fatal.*\)/);
});
test("detects warning vulnerabilities", async () => {
const dir = tempDirWithFiles("scan-warn", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: { axios: "^0.21.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
return [{
package: "axios",
level: "warn",
description: "Inefficient regular expression",
url: "https://example.com/advisory/123"
}];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1); // Still exits with 1 for warnings
expect(stdout).toContain("WARNING: axios");
expect(stdout).toContain("Inefficient regular expression");
expect(stdout).toMatch(/1 advisory \(.*1 warning.*\)/);
});
test("handles mixed vulnerabilities", async () => {
const dir = tempDirWithFiles("scan-mixed", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
lodash: "^4.0.0",
axios: "^0.21.0",
express: "^4.0.0",
},
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
if (pkg.name === "lodash") {
results.push({
package: "lodash",
level: "fatal",
description: "Critical vulnerability"
});
}
if (pkg.name === "axios") {
results.push({
package: "axios",
level: "warn",
description: "Minor issue"
});
}
if (pkg.name === "express") {
results.push({
package: "express",
level: "warn",
description: "Another minor issue"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stdout).toContain("FATAL: lodash");
expect(stdout).toContain("WARNING: axios");
expect(stdout).toContain("WARNING: express");
expect(stdout).toMatch(/3 advisories \(.*1 fatal.*2 warnings.*\)/);
});
test("no vulnerabilities found", async () => {
const dir = tempDirWithFiles("scan-clean", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: { lodash: "^4.0.0" },
}),
"bunfig.toml": `[install.security]\nscanner = "./scanner.js"`,
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async () => []
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(0);
expect(stdout).toContain("No advisories found");
});
});
describe("dependency paths", () => {
test("shows correct path for direct dependencies", async () => {
const dir = tempDirWithFiles("scan-direct-dep", {
"package.json": JSON.stringify({
name: "my-app",
dependencies: { express: "^4.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
if (pkg.name === "express") {
results.push({
package: "express",
level: "fatal",
description: "Test vulnerability"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(stdout).toContain("FATAL: express");
expect(stdout).toContain("via my-app express");
});
test("shows correct path for transitive dependencies", async () => {
const dir = tempDirWithFiles("scan-transitive-dep", {
"package.json": JSON.stringify({
name: "my-app",
dependencies: { express: "^4.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
// body-parser is a dependency of express
if (pkg.name === "body-parser") {
results.push({
package: "body-parser",
level: "warn",
description: "Transitive vulnerability"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
// body-parser might not actually be a dependency of express
// So we check if we found it in the scan
if (stdout.includes("WARNING: body-parser")) {
expect(stdout).toContain("via my-app express body-parser");
} else {
// If body-parser wasn't found, the test passes since we can't verify transitive deps
expect(exitCode).toBeDefined();
}
});
});
describe("error handling", () => {
test("handles scanner crash", async () => {
const dir = tempDirWithFiles("scan-crash", {
"package.json": JSON.stringify({
name: "test",
dependencies: { "left-pad": "^1.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function() {
process.exit(42); // Crash
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stderr).toContain("Security scanner exited with code 42");
});
test("handles invalid JSON from scanner", async () => {
const dir = tempDirWithFiles("scan-bad-json", {
"package.json": JSON.stringify({
name: "test",
dependencies: { "left-pad": "^1.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function() {
// Return something that's not an array
return { not: "an array" };
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stderr).toContain("Security scanner must return an array");
});
test("handles missing required fields in advisory", async () => {
const dir = tempDirWithFiles("scan-missing-fields", {
"package.json": JSON.stringify({
name: "test",
dependencies: { lodash: "^4.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function() {
return [{
package: "lodash"
// Missing 'level' field
}];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
expect(exitCode).toBe(1);
expect(stderr).toContain("missing required 'level' field");
});
});
describe("output formatting", () => {
test("singular vs plural in summary", async () => {
const dir = tempDirWithFiles("scan-singular", {
"package.json": JSON.stringify({
name: "test",
dependencies: { "left-pad": "^1.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
if (pkg.name === "left-pad") {
results.push({
package: "left-pad",
level: "fatal",
description: "Test"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const stdout = await proc.stdout.text();
// Should say "1 advisory" not "1 advisories"
expect(stdout).toContain("1 advisory (");
expect(stdout).not.toContain("1 advisories");
});
test("shows timing for slow scans", async () => {
const dir = tempDirWithFiles("scan-slow", {
"package.json": JSON.stringify({
name: "test",
dependencies: { "left-pad": "^1.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function() {
// Simulate slow scan
await new Promise(resolve => setTimeout(resolve, 1200));
return [];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: { ...bunEnv, BUN_DEBUG_QUIET_LOGS: "0" }, // Enable timing output
});
const [stdout, stderr] = await Promise.all([proc.stdout.text(), proc.stderr.text()]);
// Should show timing information for scans > 1 second
expect(stderr).toMatch(/Scanning \d+ package[s]? took \d+ms/);
});
});
describe("differences from bun add/install", () => {
test("does not show 'installation aborted' message", async () => {
const dir = tempDirWithFiles("scan-no-abort-msg", {
"package.json": JSON.stringify({
name: "test",
dependencies: { lodash: "^4.0.0" },
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function() {
return [{
package: "lodash",
level: "fatal",
description: "Critical"
}];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
const proc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr] = await Promise.all([proc.stdout.text(), proc.stderr.text()]);
// Should NOT contain the installation aborted message
expect(stdout).not.toContain("installation aborted");
expect(stdout).not.toContain("Installation aborted");
expect(stderr).not.toContain("installation aborted");
expect(stderr).not.toContain("Installation aborted");
});
});
});

526
test/cli/install/bun-security-scanner-matrix-runner.ts Normal file
View File

@@ -0,0 +1,526 @@
import { bunEnv, bunExe, runBunInstall, tempDirWithFiles } from "harness";
import { rm } from "node:fs/promises";
import { join } from "node:path";
import { isCI } from "../../harness";
import { getRegistry, SimpleRegistry, startRegistry, stopRegistry } from "./simple-dummy-registry";
const CI_SAMPLE_PERCENT = 10; // only 10% of tests will run in CI because this matrix generates so many tests
const redSubprocessPrefix = "\x1b[31m [SUBPROC]\x1b[0m";
const redDebugPrefix = "\x1b[31m [DEBUG]\x1b[0m";
const redShellPrefix = "\x1b[31m [SHELL] $\x1b[0m";
function getTestName(testId: string, hasExistingNodeModules: boolean) {
return `${testId} (${hasExistingNodeModules ? "with modules" : "without modules"})` as const;
}
type TestName = ReturnType<typeof getTestName>;
// prettier-ignore
// These tests are failing for other reasons outside of the security scanner.
// You should leave a comment above pointing to a GitHub issue for reference, so these
// don't get totally lost.
const TESTS_TO_SKIP: Set<string> = new Set<TestName>([
// https://github.com/oven-sh/bun/issues/22255
"0289 (without modules)", "0292 (without modules)", "0295 (without modules)", "0298 (without modules)", "0307 (without modules)", "0310 (without modules)", "0313 (without modules)", "0316 (without modules)", // remove "is-even"
"0325 (without modules)", "0328 (without modules)", "0331 (without modules)", "0334 (without modules)", "0343 (without modules)", "0346 (without modules)", "0349 (without modules)", "0352 (without modules)", // remove "left-pad,is-even"
"0361 (without modules)", "0364 (without modules)", "0367 (without modules)", "0370 (without modules)", "0379 (without modules)", "0382 (without modules)", "0385 (without modules)", "0388 (without modules)", // uninstall "is-even"
"0397 (without modules)", "0400 (without modules)", "0403 (without modules)", "0406 (without modules)", "0415 (without modules)", "0418 (without modules)", "0421 (without modules)", "0424 (without modules)", // uninstall "left-pad,is-even"
]);
interface SecurityScannerTestOptions {
command: "install" | "update" | "add" | "remove" | "uninstall";
args: string[];
hasExistingNodeModules: boolean;
linker: "hoisted" | "isolated";
scannerType: "local" | "npm" | "npm.bunfigonly";
scannerReturns: "none" | "warn" | "fatal";
shouldFail: boolean;
hasLockfile: boolean;
scannerSyncronouslyThrows: boolean;
}
const DO_TEST_DEBUG = process.env.SCANNER_TEST_DEBUG === "true";
async function globEverything(dir: string) {
return await Array.fromAsync(
new Bun.Glob("**/*").scan({ cwd: dir, dot: true, followSymlinks: false, onlyFiles: false }),
);
}
let registryUrl: string;
async function runSecurityScannerTest(options: SecurityScannerTestOptions) {
const registry = getRegistry();
if (!registry) {
throw new Error("Registry not found");
}
registry.clearRequestLog();
registry.setScannerBehavior(options.scannerReturns ?? "none");
const {
command,
args,
hasExistingNodeModules,
hasLockfile,
linker,
scannerType,
scannerReturns,
shouldFail,
scannerSyncronouslyThrows,
} = options;
const expectedExitCode = shouldFail ? 1 : 0;
const scannerCode =
scannerType === "local" || scannerType === "npm"
? `export const scanner = {
version: "1",
scan: async function(payload) {
console.error("SCANNER_RAN: " + payload.packages.length + " packages");
${scannerSyncronouslyThrows ? "throw new Error('Scanner error!');" : ""}
const results = [];
${
scannerReturns === "warn"
? `
if (payload.packages.length > 0) {
results.push({
package: payload.packages[0].name,
level: "warn",
description: "Test warning"
});
}`
: ""
}
${
scannerReturns === "fatal"
? `
if (payload.packages.length > 0) {
results.push({
package: payload.packages[0].name,
level: "fatal",
description: "Test fatal error"
});
}`
: ""
}
return results;
}
}`
: `throw new Error("Should not have been loaded")`;
// Base files for the test directory
const files: Record<string, string> = {
"package.json": JSON.stringify(
{
name: "test-app",
version: "1.0.0",
dependencies: {
"left-pad": "1.3.0",
// For remove/uninstall commands, add the packages we're trying to remove
...(command === "remove" || command === "uninstall"
? {
"is-even": "1.0.0",
"is-odd": "1.0.0",
}
: {}),
// For npm scanner, add it to dependencies so it gets installed
...(scannerType === "npm"
? {
"test-security-scanner": "1.0.0",
}
: {}),
},
},
null,
"\t",
),
};
if (scannerType === "local") {
files["scanner.js"] = scannerCode;
}
const dir = tempDirWithFiles("scanner-matrix", files);
const scannerPath = scannerType === "local" ? "./scanner.js" : "test-security-scanner";
// First write bunfig WITHOUT scanner for pre-install
await Bun.write(
join(dir, "bunfig.toml"),
`[install]
cache.disable = true
linker = "${linker}"
registry = "${registryUrl}/"`,
);
const shouldDoInitialInstall = hasExistingNodeModules || hasLockfile;
if (hasExistingNodeModules || hasLockfile) {
if (DO_TEST_DEBUG) console.log(redShellPrefix, `${bunExe()} install`);
await runBunInstall(bunEnv, dir);
}
if (shouldDoInitialInstall && !hasExistingNodeModules) {
if (DO_TEST_DEBUG) console.log(redShellPrefix, `rm -rf ${dir}/node_modules`);
await rm(join(dir, "node_modules"), { recursive: true });
}
if (shouldDoInitialInstall && !hasLockfile) {
if (DO_TEST_DEBUG) console.log(redShellPrefix, `rm ${dir}/bun.lock`);
await rm(join(dir, "bun.lock"));
}
////////////////////////// POST SETUP DONE //////////////////////////
const cmd = [bunExe(), command, ...args];
if (DO_TEST_DEBUG) {
console.log(redDebugPrefix, "SETUP DONE");
console.log("-------------------------------- THE REAL TEST IS ABOUT TO HAPPEN --------------------------------");
console.log(redShellPrefix, cmd.join(" "));
}
registry.clearRequestLog();
// write the full bunfig WITH scanner configuration
await Bun.write(
join(dir, "bunfig.toml"),
`[install]
cache.disable = true
linker = "${linker}"
registry = "${registryUrl}/"
[install.security]
scanner = "${scannerPath}"`,
);
if (DO_TEST_DEBUG) {
console.log(`[DEBUG] Test directory: ${dir}`);
console.log(`[DEBUG] Command: ${cmd.join(" ")}`);
console.log(`[DEBUG] Scanner type: ${scannerType}`);
console.log(`[DEBUG] Scanner returns: ${scannerReturns}`);
console.log(`[DEBUG] Has existing node_modules: ${hasExistingNodeModules}`);
console.log(`[DEBUG] Linker: ${linker}`);
console.log("");
console.log("Files in test directory:");
const files = await globEverything(dir);
for (const file of files) {
console.log(` ${file}`);
}
console.log("");
console.log("bunfig.toml contents:");
console.log(await Bun.file(join(dir, "bunfig.toml")).text());
console.log("");
console.log("package.json contents:");
console.log(await Bun.file(join(dir, "package.json")).text());
console.log("");
console.log("To run the command manually:");
console.log(`cd ${dir} && ${cmd.join(" ")}`);
}
await using proc = Bun.spawn({
cmd,
cwd: dir,
stdout: "pipe",
stderr: "pipe",
stdin: "pipe",
env: bunEnv,
});
let errAndOut = "";
if (DO_TEST_DEBUG) {
const write = (chunk: Uint8Array<ArrayBuffer>, stream: NodeJS.WriteStream, decoder: TextDecoder) => {
const str = decoder.decode(chunk);
errAndOut += str;
const lines = str.split("\n");
for (const line of lines) {
stream.write(redSubprocessPrefix);
stream.write(" ");
stream.write(line);
stream.write("\n");
}
};
const outDecoder = new TextDecoder();
const stdoutWriter = new WritableStream<Uint8Array<ArrayBuffer>>({
write: chunk => write(chunk, process.stdout, outDecoder),
close: () => void process.stdout.write(outDecoder.decode()),
});
const errDecoder = new TextDecoder();
const stderrWriter = new WritableStream<Uint8Array<ArrayBuffer>>({
write: chunk => write(chunk, process.stderr, errDecoder),
close: () => void process.stderr.write(errDecoder.decode()),
});
await Promise.all([proc.stdout.pipeTo(stdoutWriter), proc.stderr.pipeTo(stderrWriter)]);
} else {
const [stdout, stderr] = await Promise.all([proc.stdout.text(), proc.stderr.text()]);
errAndOut = stdout + stderr;
}
const exitCode = await proc.exited;
if (exitCode !== expectedExitCode) {
console.log("Command:", cmd.join(" "));
console.log("Expected exit code:", expectedExitCode, "Got:", exitCode);
console.log("Test directory:", dir);
console.log("Files in test dir:", await globEverything(dir));
console.log("Registry:", registryUrl);
console.log();
console.log("bunfig:");
console.log(await Bun.file(join(dir, "bunfig.toml")).text());
console.log();
}
expect(exitCode).toBe(expectedExitCode);
// If the scanner is from npm and there are no node modules when the test "starts"
// then we should expect Bun to do the partial install first of all
if (scannerType === "npm" && !hasExistingNodeModules) {
expect(errAndOut).toContain("Attempting to install security scanner from npm");
expect(errAndOut).toContain("Security scanner installed successfully");
}
if (scannerType === "npm.bunfigonly") {
expect(errAndOut).toContain("");
}
if (scannerType !== "npm.bunfigonly" && !scannerSyncronouslyThrows) {
expect(errAndOut).toContain("SCANNER_RAN");
if (scannerReturns === "warn") {
expect(errAndOut).toContain("WARNING:");
expect(errAndOut).toContain("Test warning");
} else if (scannerReturns === "fatal") {
expect(errAndOut).toContain("FATAL:");
expect(errAndOut).toContain("Test fatal error");
}
}
if (scannerType !== "npm.bunfigonly" && !hasExistingNodeModules) {
switch (scannerReturns) {
case "fatal":
case "warn": {
// When there are fatal advisories OR warnings (with no TTY to prompt),
// the installation is cancelled and packages should NOT be installed
expect(await Bun.file(join(dir, "node_modules", "left-pad", "package.json")).exists()).toBe(false);
break;
}
case "none": {
// When there are no security issues, packages should be installed normally
switch (command) {
case "remove":
case "uninstall": {
for (const arg of args) {
switch (linker) {
case "hoisted": {
expect(await Bun.file(join(dir, "node_modules", arg, "package.json")).exists()).toBe(false);
break;
}
case "isolated": {
const versionInRegistry = SimpleRegistry.packages[arg][0];
const path = join(
dir,
"node_modules",
".bun",
`${arg}@${versionInRegistry}`,
"node_modules",
arg,
"package.json",
);
expect(await Bun.file(path).exists()).toBe(false);
break;
}
}
}
break;
}
default: {
for (const arg of args) {
switch (linker) {
case "hoisted": {
expect(await Bun.file(join(dir, "node_modules", arg, "package.json")).exists()).toBe(true);
break;
}
case "isolated": {
const versionInRegistry = SimpleRegistry.packages[arg][0];
const path = join(
dir,
"node_modules",
".bun",
`${arg}@${versionInRegistry}`,
"node_modules",
arg,
"package.json",
);
expect(await Bun.file(path).exists()).toBe(true);
break;
}
}
}
break;
}
}
break;
}
}
}
const requestedPackages = registry.getRequestedPackages();
const requestedTarballs = registry.getRequestedTarballs();
// when we have no node modules and the scanner comes from npm, we must first install the scanner
// but, if we expext the scanner to report failure then we should ONLY see the scanner tarball requested, no others
if (scannerType === "npm" && !hasExistingNodeModules && (scannerReturns === "fatal" || scannerReturns === "warn")) {
const doWeExpectToAlwaysTryToResolve =
// If there is no lockfile, we will resolve packages
!hasLockfile ||
// Unless we are updating
(command === "update" && args.length === 0) ||
// Unless there are arguments, but it's chill because one of the arguments is the security
// scanner, so we would expect to be resolving
args.includes("test-security-scanner");
if (doWeExpectToAlwaysTryToResolve) {
expect(requestedPackages).toContain("test-security-scanner");
} else {
expect(requestedPackages).not.toContain("test-security-scanner");
}
// we should have ONLY requested the security scanner at this point
expect(requestedTarballs).toEqual(["/test-security-scanner-1.0.0.tgz"]);
}
const sortedPackages = [...requestedPackages].sort();
const sortedTarballs = [...requestedTarballs].sort();
if (command === "install") {
expect(sortedPackages).toMatchSnapshot("requested-packages: install");
expect(sortedTarballs).toMatchSnapshot("requested-tarballs: install");
} else if (command === "add") {
expect(sortedPackages).toMatchSnapshot("requested-packages: add");
expect(sortedTarballs).toMatchSnapshot("requested-tarballs: add");
} else if (command === "update") {
if (args.length > 0) {
expect(sortedPackages).toMatchSnapshot("requested-packages: update with args");
expect(sortedTarballs).toMatchSnapshot("requested-tarballs: update with args");
} else {
expect(sortedPackages).toMatchSnapshot("requested-packages: update without args");
expect(sortedTarballs).toMatchSnapshot("requested-tarballs: update without args");
}
} else if (command === "remove" || command === "uninstall") {
if (args.length > 0) {
expect(sortedPackages).toMatchSnapshot("requested-packages: remove with args");
expect(sortedTarballs).toMatchSnapshot("requested-tarballs: remove with args");
} else {
expect(sortedPackages).toMatchSnapshot("requested-packages: remove without args");
expect(sortedTarballs).toMatchSnapshot("requested-tarballs: remove without args");
}
} else {
expect(sortedPackages).toMatchSnapshot("requested-packages: unknown command");
expect(sortedTarballs).toMatchSnapshot("requested-tarballs: unknown command");
}
}
export function runSecurityScannerTests(selfModuleName: string, hasExistingNodeModules: boolean) {
let i = 0;
const bunTest = Bun.jest(selfModuleName);
const { describe, beforeAll, afterAll } = bunTest;
beforeAll(async () => {
registryUrl = await startRegistry(DO_TEST_DEBUG);
});
afterAll(() => {
stopRegistry();
});
describe.each(["install", "update", "add", "remove", "uninstall"] as const)("bun %s", command => {
describe.each([
{ args: [], name: "no args" },
{ args: ["is-even"], name: "is-even" },
{ args: ["left-pad", "is-even"], name: "left-pad,is-even" },
])("$name", ({ args }) => {
describe.each(["hoisted", "isolated"] as const)("--linker=%s", linker => {
describe.each(["local", "npm", "npm.bunfigonly"] as const)("(scanner: %s)", scannerType => {
describe.each([true, false] as const)("(bun.lock exists: %p)", hasLockfile => {
describe.each(["none", "warn", "fatal"] as const)("(advisories: %s)", scannerReturns => {
if ((command === "add" || command === "uninstall" || command === "remove") && args.length === 0) {
// TODO(@alii): Test this case:
// - Exit code 1
// - No changes to disk
// - Scanner does not run
return;
}
const testName = getTestName(String(++i).padStart(4, "0"), hasExistingNodeModules);
if (TESTS_TO_SKIP.has(testName)) {
return test.skip(testName, async () => {
// TODO
});
}
if (isCI) {
if (command === "uninstall") {
return test.skip(testName, async () => {
// Same as `remove`, optimising for CI time here
});
}
const random = Math.random();
if (random < (100 - CI_SAMPLE_PERCENT) / 100) {
return test.skip(testName, async () => {
// skipping this one for CI
});
}
}
// npm.bunfigonly is the case where a scanner is a valid npm package name identifier
// but is not referenced in package.json anywhere and is not in the lockfile, so the only knowledge
// of this package's existence is the fact that it was defined in as the value in bunfig.toml
// Therefore, we should fail because we don't know where to install it from
const shouldFail =
scannerType === "npm.bunfigonly" || scannerReturns === "fatal" || scannerReturns === "warn";
test(testName, async () => {
await runSecurityScannerTest({
command,
args,
hasExistingNodeModules,
linker,
scannerType,
scannerReturns,
shouldFail,
hasLockfile,
// TODO(@alii): Test this case
scannerSyncronouslyThrows: false,
});
});
});
});
});
});
});
});
}

8
test/cli/install/bun-security-scanner-matrix-with-node-modules.test.ts Normal file
View File

@@ -0,0 +1,8 @@
import { runSecurityScannerTests } from "./bun-security-scanner-matrix-runner";
// CI Time maxes out at 3 minutes per test file. This test takes a little while
// but is useful enough justifying keeping it. This test file runs all the tests
// with an existing node modules folder. See
// ./bun-security-scanner-matrix-without-node-modules.test.ts for tests that run
// without
runSecurityScannerTests(import.meta.path, true);

5
test/cli/install/bun-security-scanner-matrix-without-node-modules.test.ts Normal file
View File

@@ -0,0 +1,5 @@
import { runSecurityScannerTests } from "./bun-security-scanner-matrix-runner";
// See ./bun-security-scanner-matrix-with-node-modules.test.ts
// for notes on what this is and why it exists
runSecurityScannerTests(import.meta.path, false);

456
test/cli/install/bun-update-security-edge-cases.test.ts Normal file
View File

@@ -0,0 +1,456 @@
import { describe, expect, test } from "bun:test";
import { bunEnv, bunExe, tempDirWithFiles } from "harness";
import { join } from "path";
describe("bun update security edge cases", () => {
test("bun update detects vulnerability in updated version that was safe before", async () => {
// Start with an exact version that's "safe"
const dir = tempDirWithFiles("update-new-vuln", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "4.17.20", // Exact version that's safe
},
}),
});
// First install - should be safe (no scanner yet)
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Now add scanner and update package.json to allow updates
await Bun.write(
join(dir, "package.json"),
JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "^4.17.0", // Now allow updates
},
}),
);
await Bun.write(
join(dir, "bunfig.toml"),
`
[install.security]
scanner = "./scanner.js"
`,
);
await Bun.write(
join(dir, "scanner.js"),
`
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
// Flag lodash 4.17.21 as vulnerable
if (pkg.name === "lodash" && pkg.version === "4.17.21") {
results.push({
package: "lodash",
level: "fatal",
description: "CVE-2024-XXXX: Prototype pollution in lodash 4.17.21",
url: "https://example.com/CVE-2024-XXXX"
});
}
}
return results;
}
}
};
`,
);
// Simulate that a newer version (4.17.21) is now available with a vulnerability
// Run update which would get the newer, vulnerable version
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// The scanner should detect the vulnerability in the updated version
if (stdout.includes("FATAL: lodash")) {
expect(stdout).toContain("FATAL: lodash");
expect(stdout).toContain("CVE-2024-XXXX");
expect(stdout).toContain("Installation aborted due to fatal security advisories");
expect(exitCode).toBe(1);
} else {
// If the version didn't update to 4.17.21+, it should be safe
expect(exitCode).toBe(0);
}
});
test("bun update <pkg> detects vulnerability in the specific updated package", async () => {
const dir = tempDirWithFiles("update-specific-vuln", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"axios": "0.21.0", // Old version
"lodash": "4.17.20",
},
}),
"bunfig.toml": `
[install.security]
scanner = "./scanner.js"
`,
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
// axios >=0.21.2 has a vulnerability
if (pkg.name === "axios" && Bun.semver.satisfies(pkg.version, ">=0.21.2")) {
results.push({
package: "axios",
level: "fatal",
description: "CVE-2023-45857: Axios vulnerable to SSRF in >=0.21.2",
url: "https://nvd.nist.gov/vuln/detail/CVE-2023-45857"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Update only axios - newer version has vulnerability
const updateProc = Bun.spawn({
cmd: [bunExe(), "update", "axios"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// Should detect vulnerability in the updated axios
if (stdout.includes("FATAL: axios")) {
expect(stdout).toContain("FATAL: axios");
expect(stdout).toContain("CVE-2023-45857");
expect(stdout).toContain("Installation aborted");
expect(exitCode).toBe(1);
} else {
// If axios didn't update to vulnerable version
expect(exitCode).toBe(0);
}
});
test("bun update detects newly discovered vulnerability in existing package", async () => {
// Scenario: A package in lockfile was safe when installed,
// but a vulnerability was discovered later (without version change)
const dir = tempDirWithFiles("update-newly-discovered", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"express": "4.18.2", // This version exists in lockfile
"lodash": "4.17.21",
},
}),
// Initially no scanner in bunfig
});
// First install without security scanner (simulating before vulnerability was known)
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Now add scanner configuration
await Bun.write(
join(dir, "bunfig.toml"),
`
[install.security]
scanner = "./scanner.js"
`,
);
// Now add scanner that knows about the vulnerability
await Bun.write(
join(dir, "scanner.js"),
`
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
console.error("SCANNING_PACKAGES:", payload.packages.map(p => p.name + "@" + p.version).join(", "));
const results = [];
for (const pkg of payload.packages) {
// Express 4.18.2 now has a known vulnerability
if (pkg.name === "express" && pkg.version === "4.18.2") {
results.push({
package: "express",
level: "fatal",
description: "CVE-2024-NEW: Newly discovered vulnerability in express 4.18.2",
url: "https://example.com/CVE-2024-NEW"
});
}
}
return results;
}
}
};
`,
);
// Run update - should detect the vulnerability in the already-installed package
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// Should scan and find the vulnerability
expect(stderr).toContain("SCANNING_PACKAGES:");
expect(stdout).toContain("FATAL: express");
expect(stdout).toContain("CVE-2024-NEW");
expect(stdout).toContain("Newly discovered vulnerability");
expect(exitCode).toBe(1);
});
test("bun pm scan detects vulnerability in existing transitive dependency after adding package", async () => {
// Scenario: After adding a new package, running pm scan finds vulnerabilities
// in existing transitive dependencies
const dir = tempDirWithFiles("scan-after-add", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"express": "^4.0.0", // Has body-parser as transitive dep
},
}),
"bunfig.toml": `
[install.security]
scanner = "./scanner.js"
`,
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
// body-parser (transitive dep of express) has vulnerability
if (pkg.name === "body-parser") {
results.push({
package: "body-parser",
level: "fatal",
description: "Previously unknown vulnerability in body-parser",
url: "https://example.com/body-parser-vuln"
});
}
}
return results;
}
}
};
`,
});
// Install without scanner first
const tempBunfig = join(dir, "bunfig.toml");
const fs = await import("node:fs/promises");
await fs.rename(tempBunfig, `${tempBunfig}.bak`);
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await fs.rename(`${tempBunfig}.bak`, tempBunfig);
// Add a new package without scanner
await Bun.$`${bunExe()} add lodash`.cwd(dir).env(bunEnv).quiet();
// Now run pm scan with scanner to detect vulnerabilities
const scanProc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
scanProc.stdout.text(),
scanProc.stderr.text(),
scanProc.exited,
]);
// Should detect vulnerability in existing transitive dependency
expect(stdout).toContain("FATAL: body-parser");
expect(stdout).toContain("via test-app express body-parser");
expect(stdout).toContain("Previously unknown vulnerability");
expect(exitCode).toBe(1);
});
test("bun update with version range change exposes vulnerability", async () => {
// Scenario: package.json is updated to allow newer versions that have vulnerabilities
const dir = tempDirWithFiles("update-range-vuln", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"minimist": "1.2.5", // Exact version, safe
},
}),
"bunfig.toml": `
[install.security]
scanner = "./scanner.js"
`,
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
// minimist >=1.2.6 has vulnerability
if (pkg.name === "minimist" && Bun.semver.satisfies(pkg.version, ">=1.2.6")) {
results.push({
package: "minimist",
level: "fatal",
description: "CVE-2021-44906: Prototype pollution in minimist >=1.2.6",
url: "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Update package.json to use caret range
await Bun.write(
join(dir, "package.json"),
JSON.stringify({
name: "test-app",
dependencies: {
"minimist": "^1.2.5", // Now allows 1.2.6+
},
}),
);
// Run update - should detect vulnerability in newer allowed version
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// If it updated to vulnerable version
if (stdout.includes("FATAL: minimist")) {
expect(stdout).toContain("FATAL: minimist");
expect(stdout).toContain("CVE-2021-44906");
expect(stdout).toContain("Prototype pollution");
expect(exitCode).toBe(1);
} else {
expect(exitCode).toBe(0);
}
});
test("bun pm scan detects newly discovered vulnerabilities in existing lockfile", async () => {
// Scenario: Running pm scan with updated vulnerability database finds new issues
const dir = tempDirWithFiles("scan-new-vuln-db", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "4.17.21",
"express": "4.18.2",
},
}),
// Initially no scanner
});
// First install without scanner
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Add scanner with updated vulnerability database
await Bun.write(join(dir, "bunfig.toml"), `[install.security]\nscanner = "./scanner.js"`);
await Bun.write(
join(dir, "scanner.js"),
`
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
// Simulate updated vulnerability database
const results = [];
for (const pkg of payload.packages) {
if (pkg.name === "lodash" && pkg.version === "4.17.21") {
results.push({
package: "lodash",
level: "warn",
description: "New vulnerability discovered in lodash 4.17.21",
url: "https://example.com/new-lodash-vuln"
});
}
if (pkg.name === "express" && pkg.version === "4.18.2") {
results.push({
package: "express",
level: "fatal",
description: "Critical vulnerability found in express 4.18.2",
url: "https://example.com/new-express-vuln"
});
}
}
return results;
}
}
};
`,
);
// Run pm scan - should detect newly discovered vulnerabilities
const scanProc = Bun.spawn({
cmd: [bunExe(), "pm", "scan"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
scanProc.stdout.text(),
scanProc.stderr.text(),
scanProc.exited,
]);
// Should detect the newly discovered vulnerabilities
expect(stdout).toContain("FATAL: express");
expect(stdout).toContain("WARNING: lodash");
expect(stdout).toContain("2 advisories");
expect(exitCode).toBe(1);
});
});

150
test/cli/install/bun-update-security-provider.test.ts Normal file
View File

@@ -0,0 +1,150 @@
import { afterAll, afterEach, beforeAll, beforeEach, expect, test } from "bun:test";
import { bunEnv, bunExe } from "harness";
import {
dummyAfterAll,
dummyAfterEach,
dummyBeforeAll,
dummyBeforeEach,
dummyRegistry,
package_dir,
setHandler,
write,
} from "./dummy.registry.js";
beforeAll(dummyBeforeAll);
afterAll(dummyAfterAll);
beforeEach(dummyBeforeEach);
afterEach(dummyAfterEach);
test("security scanner blocks bun update on fatal advisory", async () => {
const urls: string[] = [];
setHandler(
dummyRegistry(urls, {
"0.1.0": {},
"0.2.0": {},
}),
);
const scannerCode = `
export const scanner = {
version: "1",
scan: async ({ packages }) => {
if (packages.length === 0) return [];
return [
{
package: "moo",
description: "Fatal security issue detected",
level: "fatal",
url: "https://example.com/critical",
},
];
},
};
`;
await write("./scanner.ts", scannerCode);
await write("package.json", {
name: "my-app",
version: "1.0.0",
dependencies: {
moo: "0.1.0",
},
});
// First install without security scanning (to have something to update)
await using installProc = Bun.spawn({
cmd: [bunExe(), "install", "--no-summary"],
env: bunEnv,
cwd: package_dir,
stdout: "pipe",
stderr: "pipe",
});
await installProc.stdout.text();
await installProc.stderr.text();
await installProc.exited;
await write(
"./bunfig.toml",
`
[install]
saveTextLockfile = false
[install.security]
scanner = "./scanner.ts"
`,
);
await using updateProc = Bun.spawn({
cmd: [bunExe(), "update", "moo"],
env: bunEnv,
cwd: package_dir,
stdout: "pipe",
stderr: "pipe",
});
const [updateOut, updateErr, updateExitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
expect(updateOut).toContain("FATAL: moo");
expect(updateOut).toContain("Fatal security issue detected");
expect(updateOut).toContain("Installation aborted due to fatal security advisories");
expect(updateExitCode).toBe(1);
});
test("security scanner does not run on bun update when disabled", async () => {
const urls: string[] = [];
setHandler(
dummyRegistry(urls, {
"0.1.0": {},
"0.2.0": {},
}),
);
await write("package.json", {
name: "my-app",
version: "1.0.0",
dependencies: {
moo: "0.1.0",
},
});
// Remove bunfig.toml to ensure no security scanner
await write("bunfig.toml", "");
await using installProc = Bun.spawn({
cmd: [bunExe(), "install", "--no-summary"],
env: bunEnv,
cwd: package_dir,
stdout: "pipe",
stderr: "pipe",
});
await installProc.stdout.text();
await installProc.stderr.text();
await installProc.exited;
await using updateProc = Bun.spawn({
cmd: [bunExe(), "update", "moo"],
env: bunEnv,
cwd: package_dir,
stdout: "pipe",
stderr: "pipe",
});
const [updateOut, updateErr, updateExitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
expect(updateOut).not.toContain("Security scanner");
expect(updateOut).not.toContain("WARN:");
expect(updateOut).not.toContain("FATAL:");
expect(updateExitCode).toBe(0);
});

392
test/cli/install/bun-update-security-scan-all.test.ts Normal file
View File

@@ -0,0 +1,392 @@
import { describe, expect, test } from "bun:test";
import { bunEnv, bunExe, tempDirWithFiles } from "harness";
import { join } from "node:path";
describe("bun update security scanning", () => {
test("bun update without arguments scans all packages", async () => {
const dir = tempDirWithFiles("update-scan-all", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "^4.0.0",
"express": "^4.0.0",
},
}),
"bunfig.toml": `
[install.security]
scanner = "./scanner.js"
`,
"scanner.js": `
let callCount = 0;
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
callCount++;
// Log what packages we're scanning
const packageNames = payload.packages.map(p => p.name).sort();
console.error("SCAN_CALL_" + callCount + ":", JSON.stringify(packageNames));
const results = [];
for (const pkg of payload.packages) {
if (pkg.name === "lodash") {
results.push({
package: "lodash",
level: "warn",
description: "Test warning in lodash",
url: "https://example.com/lodash-advisory"
});
}
if (pkg.name === "express") {
results.push({
package: "express",
level: "warn",
description: "Test warning in express",
url: "https://example.com/express-advisory"
});
}
}
return results;
}
}
};
`,
});
// First install to create lockfile (temporarily disable scanner)
const bunfigPath = join(dir, "bunfig.toml");
const bunfigContent = await Bun.file(bunfigPath).text();
await Bun.write(bunfigPath, ""); // Remove scanner config
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(bunfigPath, bunfigContent); // Restore scanner config
// Now run update without arguments - should scan ALL packages
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// Should have scanned packages
expect(stderr).toContain("SCAN_CALL_");
// Should show vulnerabilities
expect(stdout).toContain("WARNING: lodash");
expect(stdout).toContain("WARNING: express");
// Should exit with code 1 due to warnings requiring confirmation (no TTY)
expect(exitCode).toBe(1);
// Should show the summary
expect(stdout).toMatch(/2 advisories \(.*2 warning.*\)/);
});
test("bun update with specific packages only scans those packages", async () => {
const dir = tempDirWithFiles("update-scan-specific", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "4.17.20",
"express": "4.17.0",
"axios": "0.21.0",
},
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
// Log which packages are being scanned
const packageNames = payload.packages.map(p => p.name);
console.error("SCANNED_PACKAGES:", JSON.stringify(packageNames));
const results = [];
for (const pkg of payload.packages) {
if (pkg.name === "lodash") {
results.push({
package: "lodash",
level: "warn",
description: "Test warning"
});
}
if (pkg.name === "express") {
results.push({
package: "express",
level: "fatal",
description: "Should not see this"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(
join(dir, "bunfig.toml"),
`
[install.security]
scanner = "./scanner.js"
`,
);
// Update only lodash - should only scan lodash and its dependencies
const updateProc = Bun.spawn({
cmd: [bunExe(), "update", "lodash"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// Should have scanned packages
expect(stderr).toContain("SCANNED_PACKAGES:");
// Should show warning for lodash
expect(stdout).toMatch(/WARN(ING)?.*lodash/);
// Should NOT show fatal for express (wasn't updated)
expect(stdout).not.toContain("FATAL: express");
// Should exit with 1 for warnings (user needs to confirm)
expect(exitCode).toBe(1);
});
test("bun update respects security scanner configuration", async () => {
const dir = tempDirWithFiles("update-no-scanner", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "^4.0.0",
},
}),
// No bunfig.toml with scanner configuration
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Run update - should succeed without scanning
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// Should succeed
expect(exitCode).toBe(0);
// Should not have any security warnings
expect(stdout).not.toContain("WARNING:");
expect(stdout).not.toContain("FATAL:");
});
test("bun update aborts on fatal vulnerabilities", async () => {
const dir = tempDirWithFiles("update-abort-fatal", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "^4.0.0",
},
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
return [{
package: "lodash",
level: "fatal",
description: "Critical security vulnerability",
url: "https://example.com/CVE-1234"
}];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(
join(dir, "bunfig.toml"),
`
[install.security]
scanner = "./scanner.js"
`,
);
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
env: bunEnv,
});
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// Should show the fatal vulnerability
expect(stdout).toContain("FATAL: lodash");
expect(stdout).toContain("Critical security vulnerability");
// Should abort installation
expect(stdout).toContain("Installation aborted due to fatal security advisories");
// Should exit with error code
expect(exitCode).toBe(1);
});
test.todo("bun update prompts for warnings when TTY available - requires TTY for interactive prompt", async () => {
const dir = tempDirWithFiles("update-prompt-warnings", {
"package.json": JSON.stringify({
name: "test-app",
dependencies: {
"lodash": "^4.0.0",
},
}),
"bunfig.toml": `
[install.security]
scanner = "./scanner.js"
`,
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
return [{
package: "lodash",
level: "warn",
description: "Minor security issue"
}];
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
// Run update with stdin to simulate TTY
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
stdin: "pipe",
env: { ...bunEnv, FORCE_COLOR: "1" }, // Force color to simulate TTY
});
// Send 'y' to continue
updateProc.stdin.write("y\n");
updateProc.stdin.end();
const [stdout, stderr, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
// Should show warning (with or without ANSI codes)
expect(stdout).toMatch(/WARN(ING)?.*lodash/);
// Should prompt for confirmation
expect(stdout).toContain("Security warnings found");
expect(stdout).toContain("Continue anyway?");
// Should continue after user confirmation
expect(stdout).toContain("Continuing with installation");
expect(exitCode).toBe(0);
});
test("bun update shows dependency paths correctly", async () => {
const dir = tempDirWithFiles("update-dep-paths", {
"package.json": JSON.stringify({
name: "my-app",
dependencies: {
"express": "^4.0.0",
},
}),
"scanner.js": `
module.exports = {
scanner: {
version: "1",
scan: async function(payload) {
const results = [];
for (const pkg of payload.packages) {
// Flag a transitive dependency
if (pkg.name === "body-parser") {
results.push({
package: "body-parser",
level: "warn",
description: "Transitive vulnerability"
});
}
}
return results;
}
}
};
`,
});
await Bun.$`${bunExe()} install`.cwd(dir).env(bunEnv).quiet();
await Bun.write(
join(dir, "bunfig.toml"),
`
[install.security]
scanner = "./scanner.js"
`,
);
const updateProc = Bun.spawn({
cmd: [bunExe(), "update"],
cwd: dir,
stdout: "pipe",
stderr: "pipe",
stdin: "pipe",
env: bunEnv,
});
// Send 'n' to not continue
updateProc.stdin.write("n\n");
updateProc.stdin.end();
const [stdout] = await Promise.all([updateProc.stdout.text(), updateProc.stderr.text(), updateProc.exited]);
// Should show the full dependency path
expect(stdout).toContain("WARNING: body-parser");
expect(stdout).toContain("via my-app express body-parser");
});
});

109
test/cli/install/bun-update-security-simple.test.ts Normal file
View File

@@ -0,0 +1,109 @@
import { expect, test } from "bun:test";
import { bunEnv, bunExe, tempDirWithFiles } from "harness";
test("security scanner blocks bun update with fatal advisory", async () => {
const dir = tempDirWithFiles("bun-update-security", {
"package.json": JSON.stringify({
name: "test-app",
version: "1.0.0",
dependencies: {
"left-pad": "1.3.0", // There is a real update to 1.3.1
},
}),
"scanner.ts": `
export const scanner = {
version: "1",
scan: async ({ packages }) => {
console.log("Security scanner received " + packages.length + " packages");
if (packages.length === 0) return [];
return [
{
package: packages[0].name,
description: "Security warning for update test",
level: "fatal",
url: "https://example.com/advisory",
},
];
},
};
`,
});
// First install without scanner
await using installProc = Bun.spawn({
cmd: [bunExe(), "install"],
env: bunEnv,
cwd: dir,
stdout: "pipe",
stderr: "pipe",
});
await installProc.stdout.text();
await installProc.stderr.text();
const installCode = await installProc.exited;
expect(installCode).toBe(0);
// Now add scanner for update
await Bun.write(Bun.pathToFileURL(`${dir}/bunfig.toml`), `[install.security]\nscanner = "./scanner.ts"`);
await using updateProc = Bun.spawn({
cmd: [bunExe(), "update", "left-pad", "--latest"],
env: bunEnv,
cwd: dir,
stdout: "pipe",
stderr: "pipe",
stdin: "pipe",
});
const [out, exitCode] = await Promise.all([updateProc.stdout.text(), updateProc.exited]);
expect(out).toContain("Security scanner received");
expect(out).toContain("FATAL: left-pad");
expect(out).toContain("Security warning for update test");
expect(out).toContain("Installation aborted due to fatal security advisories");
expect(exitCode).toBe(1);
});
test("security scanner does not run on bun update when not configured", async () => {
const dir = tempDirWithFiles("bun-update-no-security", {
"package.json": JSON.stringify({
name: "test-app",
version: "1.0.0",
dependencies: {
"left-pad": "1.3.0",
},
}),
});
await using installProc = Bun.spawn({
cmd: [bunExe(), "install"],
env: bunEnv,
cwd: dir,
stdout: "pipe",
stderr: "pipe",
});
const installCode = await installProc.exited;
expect(installCode).toBe(0);
await using updateProc = Bun.spawn({
cmd: [bunExe(), "update", "left-pad", "--latest"],
env: bunEnv,
cwd: dir,
stdout: "pipe",
stderr: "pipe",
});
const [out, err, exitCode] = await Promise.all([
updateProc.stdout.text(),
updateProc.stderr.text(),
updateProc.exited,
]);
const combined = out + err;
expect(combined).not.toContain("Security scanner");
expect(combined).not.toContain("FATAL:");
expect(combined).not.toContain("WARN:");
expect(exitCode).toBe(0);
});

1
test/cli/install/dummy.registry.ts
View File

@@ -165,6 +165,5 @@ if (Bun.main === import.meta.path) {
setHandler(dummyRegistry([]));
console.log("Running dummy registry!\n\n URL: ", root_url!, "\n", "DIR: ", package_dir!);
} else {
// @ts-expect-error
({ expect } = Bun.jest(import.meta.path));
}

72
test/cli/install/generate-scanner-tarballs.ts Normal file
View File

@@ -0,0 +1,72 @@
#!/usr/bin/env bun
import { mkdir, mkdtemp } from "node:fs/promises";
import { tmpdir } from "node:os";
import { dirname, join } from "node:path";
const __dirname = dirname(Bun.fileURLToPath(import.meta.url));
async function createScannerTarball(behavior: "clean" | "warn" | "fatal") {
const tmpDir = await mkdtemp(join(tmpdir(), `test-security-scanner-${behavior}-`));
const outputPath = join(__dirname, `test-security-scanner-1.0.0-${behavior}.tgz`);
try {
await mkdir(`${tmpDir}/package`, { recursive: true });
await Bun.write(
`${tmpDir}/package/package.json`,
JSON.stringify({
name: "test-security-scanner",
version: "1.0.0",
main: "index.js",
type: "module",
}),
);
const scannerCode = `export const scanner = {
version: "1",
scan: async function(payload) {
console.error("SCANNER_RAN: " + payload.packages.length + " packages");
const results = [];
${
behavior === "warn"
? `if (payload.packages.length > 0) {
results.push({
package: payload.packages[0].name,
level: "warn",
description: "Test warning"
});
}`
: ""
}
${
behavior === "fatal"
? `if (payload.packages.length > 0) {
results.push({
package: payload.packages[0].name,
level: "fatal",
description: "Test fatal error"
});
}`
: ""
}
return results;
}
};`;
await Bun.write(`${tmpDir}/package/index.js`, scannerCode);
await Bun.$`tar czf ${outputPath} -C ${tmpDir} package`;
await Bun.$`rm -rf ${tmpDir}`;
console.log(`Created ${outputPath}`);
} catch (error) {
console.error(`Failed to create scanner tarball for ${behavior}:`, error);
throw error;
}
}
console.log("Generating scanner tarballs...");
await Promise.all([createScannerTarball("clean"), createScannerTarball("warn"), createScannerTarball("fatal")]);
console.log("All scanner tarballs generated successfully!");

BIN
test/cli/install/is-even-1.0.0.tgz Normal file
View File

Binary file not shown.

BIN
test/cli/install/is-odd-1.0.0.tgz Normal file
View File

Binary file not shown.

BIN
test/cli/install/left-pad-1.3.0.tgz Normal file
View File

Binary file not shown.

175
test/cli/install/simple-dummy-registry.ts Normal file
View File

@@ -0,0 +1,175 @@
import { Server, file } from "bun";
import { dirname, join } from "node:path";
const __dirname = dirname(Bun.fileURLToPath(import.meta.url));
export class SimpleRegistry {
private debugLogs: boolean;
private server: Server | null = null;
private port: number = 0;
public requestedUrls: string[] = [];
private scannerBehavior: "clean" | "warn" | "fatal" = "clean";
public static readonly packages: Record<string, [version: string]> = {
"left-pad": ["1.3.0"],
"is-even": ["1.0.0"],
"is-odd": ["1.0.0"],
"test-security-scanner": ["1.0.0"],
};
setScannerBehavior(behavior: "none" | "warn" | "fatal") {
// ternary because it was originally called "clean" but I renamed it "none" and didnt want to update the .tgz files. easier this way
this.scannerBehavior = behavior === "none" ? "clean" : behavior;
}
constructor(debugLogs: boolean) {
this.debugLogs = debugLogs;
}
async start(): Promise<number> {
const self = this;
this.server = Bun.serve({
port: 0,
async fetch(req) {
const url = new URL(req.url);
const pathname = url.pathname;
self.requestedUrls.push(pathname);
if (self.debugLogs) console.error(`[REGISTRY] ${req.method} ${pathname}`);
if (pathname.startsWith("/") && !pathname.includes(".tgz")) {
const packageName = decodeURIComponent(pathname.slice(1));
return self.handleMetadata(packageName);
}
if (pathname.endsWith(".tgz")) {
const match = pathname.match(/\/(.+)-(\d+\.\d+\.\d+)\.tgz$/);
if (match) {
const [, name, version] = match;
return self.handleTarball(name, version);
}
}
return new Response("Not found", { status: 404 });
},
});
this.port = this.server.port!;
return this.port;
}
stop() {
if (this.server) {
this.server.stop();
this.server = null;
}
}
private handleMetadata(packageName: string): Response {
const versions = SimpleRegistry.packages[packageName];
if (!versions) {
return new Response("Package not found", { status: 404 });
}
const metadata = {
name: packageName,
versions: {},
"dist-tags": {
latest: versions[versions.length - 1],
},
};
for (const version of versions) {
metadata.versions[version] = {
name: packageName,
version: version,
dist: {
tarball: `http://localhost:${this.port}/${packageName}-${version}.tgz`,
},
dependencies: this.getDependencies(packageName, version),
};
}
return new Response(JSON.stringify(metadata), {
headers: { "Content-Type": "application/json" },
});
}
private getDependencies(packageName: string, _version: string) {
if (packageName === "is-even") {
return { "is-odd": "^1.0.0" };
}
if (packageName === "is-odd") {
return { "is-even": "^1.0.0" };
}
return {};
}
private async handleTarball(name: string, version: string): Promise<Response> {
const versions = SimpleRegistry.packages[name];
if (!versions || !versions.includes(version)) {
return new Response("Version not found", { status: 404 });
}
let tarballPath: string;
if (name === "test-security-scanner") {
tarballPath = join(__dirname, `${name}-${version}-${this.scannerBehavior}.tgz`);
} else {
tarballPath = join(__dirname, `${name}-${version}.tgz`);
}
try {
const tarballFile = file(tarballPath);
if (!tarballFile.size) {
return new Response("Tarball not found", { status: 404 });
}
return new Response(tarballFile, {
headers: {
"Content-Type": "application/octet-stream",
},
});
} catch (error) {
if (this.debugLogs) console.error(`Failed to serve tarball ${tarballPath}:`, error);
return new Response("Tarball not found", { status: 404 });
}
}
getUrl(): string {
return `http://localhost:${this.port}`;
}
clearRequestLog() {
this.requestedUrls = [];
}
getRequestedPackages(): string[] {
return this.requestedUrls
.filter(url => !url.includes(".tgz") && url !== "/")
.map(url => decodeURIComponent(url.slice(1)));
}
getRequestedTarballs(): string[] {
return this.requestedUrls.filter(url => url.endsWith(".tgz"));
}
}
let registry: SimpleRegistry | null = null;
export async function startRegistry(debugLogs: boolean): Promise<string> {
registry = new SimpleRegistry(debugLogs);
const port = await registry.start();
return `http://localhost:${port}`;
}
export function stopRegistry() {
if (registry) {
registry.stop();
registry = null;
}
}
export function getRegistry(): SimpleRegistry | null {
return registry;
}

BIN
test/cli/install/test-security-scanner-1.0.0-clean.tgz Normal file
View File

Binary file not shown.

BIN
test/cli/install/test-security-scanner-1.0.0-fatal.tgz Normal file
View File

Binary file not shown.

BIN
test/cli/install/test-security-scanner-1.0.0-warn.tgz Normal file
View File

Binary file not shown.

14
test/js/bun/test/jest.d.ts vendored
View File

@@ -1 +1,13 @@
/// <reference path="../../../../packages/bun-types/test-globals.d.ts"" />
/// <reference path="../../../../packages/bun-types/test-globals.d.ts" />
// Eventually move these to @types/bun somehow
interface ReadableStream {
text(): Promise<string>;
json(): Promise<unknown>;
blob(): Promise<Blob>;
bytes(): Promise<Uint8Array<ArrayBuffer>>;
}
declare module "bun" {
function jest(path: string): typeof import("bun:test");
}

2
test/js/web/fetch/utf8-bom.test.ts
View File

@@ -138,7 +138,7 @@ describe("UTF-8 BOM should be ignored", () => {
controller.close();
},
});
expect(await stream.json()).toEqual({ "hello": "World" } as any);
expect(await stream.json()).toEqual({ "hello": "World" });
});
it("in Bun.readableStreamToFormData()", async () => {