mirror of
https://github.com/oven-sh/bun
synced 2026-02-19 23:31:45 +00:00
For security, feature() from bun:bundle can now only be used as the direct
condition of an if statement or ternary expression. This ensures guaranteed
dead-code elimination when features are disabled, preventing accidental
exposure of feature-gated code.

Disallowed patterns that now produce an error:
- Variable assignment: `const FLAG = feature("X")`
- Complex expressions: `feature("X") || isAdmin`
- Function arguments: `someFunc(feature("X"))`
- Re-exporting: `export const FLAG = feature("X")`

Implementation:
- Added `feature_flag_allowed_call` field to parser to track the specific
  E.Call that is allowed to be a feature() call
- Modified s_if and e_if visitors to set this field when condition IS
  a direct call expression
- Updated maybeReplaceBundlerFeatureCall to verify the call matches

Tests:
- Added 10 new error case tests for disallowed patterns
- Updated existing tests to use allowed patterns
- All tests pass
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
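
The check described in the commit message above, as a simplified JavaScript model over hand-built syntax trees. This is an added example, not Bun's parser code: the node shapes, the `checkFeatureCalls` helper, the error text and the `enableDebugPanel` name are assumptions made for illustration.

```javascript
// Simplified model of the check in the commit message; not Bun's parser code.
// ESTree-style node shapes; matching the bare name "feature" is an assumption.
const call = (callee, ...args) => ({ type: "CallExpression", callee, args });
const isFeatureCall = (n) => n?.type === "CallExpression" && n.callee === "feature";

function checkFeatureCalls(root, enabled = new Set()) {
  let allowedCall = null; // plays the role of feature_flag_allowed_call
  const errors = [];
  function visit(node) {
    if (Array.isArray(node)) return node.map(visit);
    if (node === null || typeof node !== "object") return node;
    if (node.type === "IfStatement" || node.type === "ConditionalExpression") {
      // Allow the call only when it IS the condition, not when nested inside it.
      if (isFeatureCall(node.test)) allowedCall = node.test;
      const test = visit(node.test);
      if (test.type === "Literal" && typeof test.value === "boolean") {
        // Constant condition: keep only the live branch, drop the other.
        const live = test.value ? node.consequent : node.alternate;
        return live ? visit(live) : { type: "EmptyStatement" };
      }
      return { ...node, test, consequent: visit(node.consequent), alternate: visit(node.alternate) };
    }
    if (isFeatureCall(node)) {
      if (node !== allowedCall) { // identity check against the one allowed call
        errors.push(`feature("${node.args[0]}") is not the direct condition of an if or ternary`);
        return node;
      }
      allowedCall = null;
      return { type: "Literal", value: enabled.has(node.args[0]) };
    }
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, visit(v)]));
  }
  return { tree: visit(root), errors };
}

// Constructed sample trees.
const gated = { type: "ExpressionStatement", expression: call("enableDebugPanel") };
// if (feature("DEBUG")) enableDebugPanel();
const direct = { type: "IfStatement", test: call("feature", "DEBUG"), consequent: gated };
// if (feature("DEBUG") || isAdmin) enableDebugPanel();
const complex = { type: "IfStatement", consequent: gated, test: {
  type: "LogicalExpression", operator: "||", left: call("feature", "DEBUG"), right: "isAdmin" } };
// const FLAG = feature("DEBUG");
const assigned = { type: "VariableDeclaration", name: "FLAG", init: call("feature", "DEBUG") };

for (const [name, tree] of Object.entries({ direct, complex, assigned }))
  console.log(name, JSON.stringify(checkFeatureCalls(tree)));
```

With the flag disabled, the `direct` tree folds to an empty statement and no trace of the gated call remains, while `complex` and `assigned` are reported and their trees are left untouched.
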

Bun Documentation

Official documentation for Bun: the fast, all-in-one JavaScript runtime.

Development

Install the Mintlify CLI to preview the documentation locally:

`bun install -g mint`

Run the development server:

`mint dev`

The site will be available at http://localhost:3000.

Contributing

Contributions are welcome! Please open an issue or submit a pull request.