b47d0bf960
## Summary Fixes a panic that occurred when parsing malformed integrity data in lockfiles. The issue was in `integrity.zig` where base64 decoding attempted to write more bytes than the fixed-size digest buffer could hold, causing `panic: index out of bounds: index 64, len 64`. ## Root Cause The `Integrity.parse()` function tried to decode base64 data into a fixed 64-byte buffer without validating that the decoded size wouldn't exceed the buffer capacity. When malformed or oversized base64 integrity strings were encountered in lockfiles, this caused an out-of-bounds write. ## Fix Added proper bounds checking in `src/install/integrity.zig`: - Validates expected digest length before decoding - Checks decoded size against buffer capacity using `calcSizeForSlice()` - Only decodes into appropriately sized buffer slice based on hash algorithm - Returns `unknown` tag for malformed data instead of panicking ## Test Plan - [x] Verified release binary crashes with malformed integrity data - [x] Verified debug build with fix handles malformed data gracefully - [x] Added comprehensive regression tests for all hash types (sha1, sha256, sha384, sha512) - [x] Confirmed normal lockfile parsing continues to work correctly - [x] Tests pass: `bun bd test test/regression/issue/integrity-base64-bounds-check.test.ts` ## Before/After **Before**: `panic: index out of bounds: index 64, len 64` **After**: Graceful handling with warning about malformed integrity data 🤖 Generated with [Claude Code](https://claude.ai/code) --------- Co-authored-by: Claude Bot <claude-bot@bun.sh> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Tests
Finding tests
Tests are located in the test/ directory and are organized using the following structure:
test/js/- tests for JavaScript APIs.cli/- tests for commands, configs, and stdout.bundler/- tests for the transpiler/bundler.regression/- tests that reproduce a specific issue.harness.ts- utility functions that can be imported from any test.
The tests in test/js/ directory are further categorized by the type of API.
test/js/bun/- tests forBun-specific APIs.node/- tests for Node.js APIs.web/- tests for Web APIs, likefetch().first_party/- tests for npm packages that are built-in, likeundici.third_party/- tests for npm packages that are not built-in, but are popular, likeesbuild.
Running tests
To run a test, use Bun's built-in test command: bun test.
bun test # Run all tests
bun test js/bun # Only run tests in a directory
bun test sqlite.test.ts # Only run a specific test
If you encounter lots of errors, try running bun install, then trying again.
Writing tests
Tests are written in TypeScript (preferred) or JavaScript using Jest's describe(), test(), and expect() APIs.
import { describe, test, expect } from "bun:test";
import { gcTick } from "harness";
describe("TextEncoder", () => {
test("can encode a string", async () => {
const encoder = new TextEncoder();
const actual = encoder.encode("bun");
await gcTick();
expect(actual).toBe(new Uint8Array([0x62, 0x75, 0x6E]));
});
});
If you are fixing a bug that was reported from a GitHub issue, remember to add a test in the test/regression/ directory.
// test/regression/issue/02005.test.ts
import { it, expect } from "bun:test";
it("regex literal should work with non-latin1", () => {
const text = "这是一段要替换的文字";
expect(text.replace(new RegExp("要替换"), "")).toBe("这是一段的文字");
expect(text.replace(/要替换/, "")).toBe("这是一段的文字");
});
In the future, a bot will automatically close or re-open issues when a regression is detected or resolved.
Zig tests
These tests live in various .zig files throughout Bun's codebase, leveraging Zig's builtin test keyword.
Currently, they're not run automatically nor is there a simple way to run all of them. We will make this better soon.
TypeScript
Test files should be written in TypeScript. The types in packages/bun-types should be updated to support all new APIs. Changes to the .d.ts files in packages/bun-types will be immediately reflected in test files; no build step is necessary.
Writing a test will often require using invalid syntax, e.g. when checking for errors when an invalid input is passed to a function. TypeScript provides a number of escape hatches here.
// @ts-expect-error- This should be your first choice. It tells TypeScript that the next line should fail typechecking.// @ts-ignore- Ignore the next line entirely.// @ts-nocheck- Put this at the top of the file to disable typechecking on the entire file. Useful for autogenerated test files, or when ignoring/disabling type checks an a per-line basis is too onerous.