mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-15 13:22:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
14,230 Commits 2,487 Branches 252 Tags
aef0b5b4a678d56fefcf8954f1e1cbf760884d7e
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Ciro Spaciari aef0b5b4a6 fix(usockets): safely handle socket reallocation during context adoption (#25361) 
## Summary
- Fix use-after-free vulnerability during socket adoption by properly
tracking reallocated sockets
- Add safety checks to prevent linking closed sockets to context lists
- Properly track socket state with new `is_closed`, `adopted`, and
`is_tls` flags

## What does this PR do?

This PR improves event loop stability by addressing potential
use-after-free issues that can occur when sockets are reallocated during
adoption (e.g., when upgrading a TCP socket to TLS).

### Key Changes

**Socket State Tracking
([internal.h](packages/bun-usockets/src/internal/internal.h))**
- Added `is_closed` flag to explicitly track when a socket has been
closed
- Added `adopted` flag to mark sockets that were reallocated during
context adoption
- Added `is_tls` flag to track TLS socket state for proper low-priority
queue handling

**Safe Socket Adoption
([context.c](packages/bun-usockets/src/context.c))**
- When `us_poll_resize()` returns a new pointer (reallocation occurred),
the old socket is now:
  - Marked as closed (`is_closed = 1`)
  - Added to the closed socket cleanup list
  - Marked as adopted (`adopted = 1`)
  - Has its `prev` pointer set to the new socket for event redirection
- Added guards to
`us_internal_socket_context_link_socket/listen_socket/connecting_socket`
to prevent linking already-closed sockets

**Event Loop Handling ([loop.c](packages/bun-usockets/src/loop.c))**
- After callbacks that can trigger socket adoption (`on_open`,
`on_writable`, `on_data`), the event loop now checks if the socket was
reallocated and redirects to the new socket
- Low-priority socket handling now properly checks `is_closed` state and
uses `is_tls` flag for correct SSL handling

**Poll Resize Safety
([epoll_kqueue.c](packages/bun-usockets/src/eventing/epoll_kqueue.c))**
- Changed `us_poll_resize()` to always allocate new memory with
`us_calloc()` instead of `us_realloc()` to ensure the old pointer
remains valid for cleanup
- Now takes `old_ext_size` parameter to correctly calculate memory sizes
- Re-enabled `us_internal_loop_update_pending_ready_polls()` call in
`us_poll_change()` to ensure pending events are properly redirected

### How did you verify your code works?
Run existing CI and existing socket upgrade tests under asan build
2025-12-15 18:43:51 -08:00
.buildkite
ci: remove ubuntu 24 (#25288)
2025-12-01 17:01:14 -08:00
.claude
Add GitHub issue deduplication automation (#23926)
2025-10-21 14:57:22 -07:00
.cursor
Fix outdated doc
2025-10-07 20:08:57 -07:00
.github
Delete claude.yml workflow (#25157)
2025-11-27 12:26:50 -08:00
.vscode
run fmt (#25148)
2025-11-28 17:51:45 +11:00
bench
Improve Bun.stringWidth accuracy and robustness (#25447)
2025-12-10 16:17:57 -08:00
cmake
deps: update c-ares to v1.34.6 (#25509)
2025-12-15 11:36:18 -08:00
completions
Improve --reporter flag help and error messages (#22900)
2025-09-24 18:26:37 -07:00
dockerhub
test: add regression tests for building docker containers (#25210)
2025-12-01 20:20:06 -08:00
docs
docs(bundler): add comprehensive Bun.build compile API documentation (#25536)
2025-12-15 16:20:50 -08:00
misctools
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
packages
fix(usockets): safely handle socket reallocation during context adoption (#25361)
2025-12-15 18:43:51 -08:00
patches
Upgrade libarchive to v3.8.1 (#21250)
2025-07-21 20:08:00 -07:00
scripts
fix: use LLVM unstable repo for Debian trixie/forky [publish images] (#25470)
2025-12-15 12:45:45 -08:00
src
fix(usockets): safely handle socket reallocation during context adoption (#25361)
2025-12-15 18:43:51 -08:00
test
fix(usockets): safely handle socket reallocation during context adoption (#25361)
2025-12-15 18:43:51 -08:00
.aikido
Add new package paths to .aikido configuration
2025-11-20 17:35:16 -08:00
.clang-tidy
Reapply "Convert build scripts to CMake (#13427)"
2024-09-11 08:24:50 -07:00
.clangd
meta: fix disabling of clangd auto header insertion (#17172)
2025-02-10 02:04:21 -08:00
.coderabbit.yaml
Disable CodeRabbit issue enrichment (#25520)
2025-12-14 14:56:58 -08:00
.cursorignore
Update .cursorignore
2024-12-26 11:48:30 -08:00
.dockerignore
bump webkit (#15328)
2024-12-12 03:21:56 -08:00
.editorconfig
Bring uSockets & uWebSockets forks into Bun's repository (#4372)
2023-08-28 08:38:30 -07:00
.git-blame-ignore-revs
Update .git-blame-ignore-revs
2025-06-13 16:16:14 -07:00
.gitattributes
add .mdx to .gitattributes (#24525)
2025-11-08 20:56:38 -08:00
.gitignore
Update .gitignore
2025-10-05 04:28:25 -07:00
.lldbinit
Move LLDB initialization commands to make attach configuration work (#20085)
2025-05-30 19:33:03 -07:00
.mailmap
do not print duplicate code (#16231)
2025-01-07 20:19:12 -08:00
.prettierignore
docs: revert minifier doc's format (#24639)
2025-11-12 11:01:25 -08:00
.prettierrc
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
.typos.toml
ci: check for typos in documentation (#16235)
2025-01-08 07:23:54 +00:00
AGENTS.md
Make AGENTS.md a symlink to CLAUDE.md
2025-06-27 21:13:21 -07:00
build.zig
remove CMakeCache before building (#24860)
2025-12-01 22:02:46 -08:00
bun.lock
@types/bun: Update to @types/node@25, fallback to PropertyKey in test expect matchers when keyof unknown is used (#25460)
2025-12-10 18:15:55 -08:00
bunfig.node-test.toml
node:module compatibility pt 1 (#18106)
2025-03-12 15:47:41 -07:00
bunfig.toml
update minimumReleaseAge (#25057)
2025-11-25 11:06:24 -08:00
CLAUDE.md
[publish images]
2025-12-15 15:34:04 -08:00
CMakeLists.txt
build(ENG-21491): Improve sccache behavior on developer machines (#24568)
2025-11-12 09:11:33 -08:00
CODE_OF_CONDUCT.md
CONTRIBUTING.md
docs: re-apply many recent changes that somehow aren't present (#24719)
2025-11-16 19:23:01 +11:00
entitlements.debug.plist
Faster debug builds (#16354)
2025-01-12 20:03:24 -08:00
entitlements.plist
flake.lock
Add Nix flake for development environment (#23406)
2025-10-10 02:13:28 -07:00
flake.nix
build(ENG-21330): Replace ccache with sccache (#24200)
2025-11-05 14:30:56 -08:00
LATEST
Bump
2025-12-07 15:42:23 -08:00
LICENSE.md
libdeflate (#12741)
2024-07-24 01:30:31 -07:00
oxlint.json
fix(lint): resolve no-unused-expressions errors (#23127)
2025-09-30 04:45:34 -07:00
package.json
@types/bun: Update to @types/node@25, fallback to PropertyKey in test expect matchers when keyof unknown is used (#25460)
2025-12-10 18:15:55 -08:00
README.md
docs: more consistency + minor updates (#24764)
2025-11-21 14:06:19 -08:00
SECURITY.md
bun.sh -> bun.com (#20909)
2025-07-10 00:10:43 -07:00
shell.nix
build(ENG-21330): Replace ccache with sccache (#24200)
2025-11-05 14:30:56 -08:00
tsconfig.base.json
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
tsconfig.json
types: Rewrite to avoid conflicts and allow for doc generation (#18024)
2025-03-25 14:33:30 -07:00
workspace.code-workspace

README.md

Logo

Bun

stars Bun speed

Documentation   •   Discord   •   Issues   •   Roadmap

Read the docs →

What is Bun?

Bun is an all-in-one toolkit for JavaScript and TypeScript apps. It ships as a single executable called bun.

At its core is the Bun runtime, a fast JavaScript runtime designed as a drop-in replacement for Node.js. It's written in Zig and powered by JavaScriptCore under the hood, dramatically reducing startup times and memory usage.

bun run index.tsx             # TS and JSX supported out-of-the-box

The bun command-line tool also implements a test runner, script runner, and Node.js-compatible package manager. Instead of 1,000 node_modules for development, you only need bun. Bun's built-in tools are significantly faster than existing options and usable in existing Node.js projects with little to no changes.

bun test                      # run tests
bun run start                 # run the `start` script in `package.json`
bun install <pkg>             # install a package
bunx cowsay 'Hello, world!'   # execute a package

Install

Bun supports Linux (x64 & arm64), macOS (x64 & Apple Silicon) and Windows (x64).

Linux users — Kernel version 5.6 or higher is strongly recommended, but the minimum is 5.1.

x64 users — if you see "illegal instruction" or similar errors, check our CPU requirements

# with install script (recommended)
curl -fsSL https://bun.com/install | bash

# on windows
powershell -c "irm bun.sh/install.ps1 | iex"

# with npm
npm install -g bun

# with Homebrew
brew tap oven-sh/bun
brew install bun

# with Docker
docker pull oven/bun
docker run --rm --init --ulimit memlock=-1:-1 oven/bun

Upgrade

To upgrade to the latest version of Bun, run:

bun upgrade

Bun automatically releases a canary build on every commit to main. To upgrade to the latest canary build, run:

bun upgrade --canary

View canary build

Quick links

Guides

Contributing

Refer to the Project > Contributing guide to start contributing to Bun.

License

Refer to the Project > License page for information about Bun's licensing.

Reference in New Issue View Git Blame Copy Permalink
Description
Bun is a fast, incrementally adoptable all-in-one JavaScript, TypeScript & JSX toolkit. Use individual tools like bun test or bun install in Node.js projects, or adopt the complete stack with a fast JavaScript runtime, bundler, test runner, and package manager built in. Bun aims for 100% Node.js compatibility.
Readme 820 MiB
Languages
Zig 60.6%
C++ 24.8%
TypeScript 8.3%
C 3.3%
JavaScript 1.4%
Other 1.1%