mirror of https://github.com/oven-sh/bun synced 2026-02-15 05:12:29 +00:00

Files

Claude Bot 0dbe6a3eb9 feat(install): implement minimumReleaseAge security feature (#22679 )

Adds minimumReleaseAge configuration to prevent installation of recently published packages, protecting against supply chain attacks where malicious versions are quickly published and removed.

## Security Features
- Filters packages at resolution time based on npm publish timestamps
- NEVER allows packages violating the policy, even with exact versions (e.g., "pkg@1.2.3")
- Treats invalid/missing timestamps as brand new packages (fail-safe)
- Strict ISO8601 timestamp validation (exactly 24 chars: YYYY-MM-DDTHH:MM:SS.sssZ)

## Configuration
In bunfig.toml:
```toml
[install]
minimumReleaseAge = 1440  # minutes (24 hours)
minimumReleaseAgeExclude = ["trusted-package", "internal-pkg"]
```

## Implementation Details
- Works with: install, add, update, update --interactive, outdated
- Shows warnings when newer versions exist but are blocked
- Clear error messages mentioning minimumReleaseAge when packages are blocked
- Backwards compatible: existing lockfiles continue to work
- Zero performance impact when not configured

## Comparison with pnpm
- Stricter timestamp validation than pnpm (which uses loose Date parsing)
- Fail-safe design: invalid data = maximum restriction
- Explicit blocking of exact versions for maximum security
- Equal or better security in all aspects

Note: Like pnpm, frozen lockfiles created before the policy cannot enforce it since timestamps aren't stored in lockfiles (backwards compatibility constraint).

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-09-16 15:41:46 +00:00

bake

Refactor BabyList (#22502 )

2025-09-09 20:41:10 -07:00

bundler

Make the bundler tests use the API by default in most cases (#22646 )

2025-09-14 02:27:53 -07:00

cli

feat(install): implement minimumReleaseAge security feature (#22679 )

2025-09-16 15:41:46 +00:00

config/bunfig

Add --import as alias to --preload for nodejs compat (#20523 )

2025-06-20 19:58:54 -07:00

exports

js: no longer provide our own 'detect-libc' (#18138 )

2025-03-13 12:40:37 -07:00

fixtures/glob

better test for #17516 (#17530 )

2025-02-22 00:24:21 -08:00

integration

fix: AbortController instance is empty with @types/node>=24.3.1 (#22588 )

2025-09-11 21:52:58 -07:00

internal

refactor(MySQL) (#22619 )

2025-09-13 14:52:19 -07:00

refactor(MySQL) (#22619 )

2025-09-13 14:52:19 -07:00

napi

Update napi.test.ts

2025-09-12 23:16:13 -07:00

regression

Fix Windows shell crash with && operator and external commands (#22651 )

2025-09-14 04:14:48 -07:00

runners

ci: misc fixes and test runner changes (#15024 )

2024-11-06 18:15:55 -07:00

scripts

meta: update bun.locks with bun 1.2 (#16867 )

2025-01-29 01:47:43 -08:00

snapshots

…

snippets

fix: parse JSX namespace identifiers that have numbers in them (#19912 )

2025-05-27 15:45:11 -07:00

Use ReadableStream.prototype.* in tests instead of new Response(...).* (#20937 )

2025-07-14 00:47:53 -07:00

.prettierignore

…

AGENTS.md

Make AGENTS.md a symlink to CLAUDE.md

2025-06-27 21:13:21 -07:00

bun.lock

Revert "Fix RSA JWK import validation bug causing Jose library failures" (#22307 )

2025-09-01 02:45:01 -07:00

bunfig.toml

fix(install): isolated install aliased dependency name fix (#21138 )

2025-07-19 01:59:52 -07:00

CLAUDE.md

update CLAUDE.md

2025-09-03 03:39:31 -07:00

expectations.txt

Unskip some tests (#22116 )

2025-08-27 06:39:11 -07:00

harness.ts

refactor(MySQL) (#22619 )

2025-09-13 14:52:19 -07:00

http-test-server.ts

feat: new binding generator (#15638 )

2024-12-10 12:43:17 -08:00

mkfifo.ts

musl patches [v4] (#15066 )

2024-11-11 19:23:58 -08:00

no-validate-exceptions.txt

node: fix exception check validator errors in http_parser (#22180 )

2025-08-28 15:06:03 -07:00

package-json-lint.test.ts

feat: support Svelte in bundler and dev server (#17735 )

2025-03-04 14:16:18 -08:00

package.json

Revert "Fix RSA JWK import validation bug causing Jose library failures" (#22307 )

2025-09-01 02:45:01 -07:00

preload.ts

fix: pass homedir test (#15811 )

2024-12-20 00:36:59 -08:00

README.md

…

tsconfig.json

bun install Security Scanner API (#21183 )

2025-08-21 14:53:50 -07:00

vendor.json

ci: misc fixes and test runner changes (#15024 )

2024-11-06 18:15:55 -07:00

README.md

Tests

Finding tests

Tests are located in the test/ directory and are organized using the following structure:

test/
- js/ - tests for JavaScript APIs.
- cli/ - tests for commands, configs, and stdout.
- bundler/ - tests for the transpiler/bundler.
- regression/ - tests that reproduce a specific issue.
- harness.ts - utility functions that can be imported from any test.

The tests in test/js/ directory are further categorized by the type of API.

test/js/
- bun/ - tests for Bun-specific APIs.
- node/ - tests for Node.js APIs.
- web/ - tests for Web APIs, like fetch().
- first_party/ - tests for npm packages that are built-in, like undici.
- third_party/ - tests for npm packages that are not built-in, but are popular, like esbuild.

Running tests

To run a test, use Bun's built-in test command: bun test.

bun test # Run all tests
bun test js/bun # Only run tests in a directory
bun test sqlite.test.ts # Only run a specific test

If you encounter lots of errors, try running bun install, then trying again.

Writing tests

Tests are written in TypeScript (preferred) or JavaScript using Jest's describe(), test(), and expect() APIs.

import { describe, test, expect } from "bun:test";
import { gcTick } from "harness";

describe("TextEncoder", () => {
  test("can encode a string", async () => {
    const encoder = new TextEncoder();
    const actual = encoder.encode("bun");
    await gcTick();
    expect(actual).toBe(new Uint8Array([0x62, 0x75, 0x6E]));
  });
});

If you are fixing a bug that was reported from a GitHub issue, remember to add a test in the test/regression/ directory.

// test/regression/issue/02005.test.ts

import { it, expect } from "bun:test";

it("regex literal should work with non-latin1", () => {
  const text = "这是一段要替换的文字";
  expect(text.replace(new RegExp("要替换"), "")).toBe("这是一段的文字");
  expect(text.replace(/要替换/, "")).toBe("这是一段的文字");
});

In the future, a bot will automatically close or re-open issues when a regression is detected or resolved.

Zig tests

These tests live in various .zig files throughout Bun's codebase, leveraging Zig's builtin test keyword.

Currently, they're not run automatically nor is there a simple way to run all of them. We will make this better soon.

TypeScript

Test files should be written in TypeScript. The types in packages/bun-types should be updated to support all new APIs. Changes to the .d.ts files in packages/bun-types will be immediately reflected in test files; no build step is necessary.

Writing a test will often require using invalid syntax, e.g. when checking for errors when an invalid input is passed to a function. TypeScript provides a number of escape hatches here.

// @ts-expect-error - This should be your first choice. It tells TypeScript that the next line should fail typechecking.
// @ts-ignore - Ignore the next line entirely.
// @ts-nocheck - Put this at the top of the file to disable typechecking on the entire file. Useful for autogenerated test files, or when ignoring/disabling type checks an a per-line basis is too onerous.