Bun
Bun v1.2.15
bun audit scans dependencies for security vulnerabilities, bun pm view shows package metadata from npm. bun init adds a Cursor rule to use Bun i...
Bun v1.2.14
Adds support for catalogs in bun install, --react flag for bun init, improved HTTP routing with method-specific routes, better TypeScript defaul...
Bun v1.2.13
Improved --hot stability and Node.js compatibility. Better `node:worker_threads` support, environment data, reduced memory usage for child_proce...
Bun v1.2.12
Stream browser console logs to your terminal, dev server uses less memory. Node.js compatibility improvements for timers, vm, net, http, and bug...
Bun v1.2.11
`process.ref` and `process.unref`, `util.parseArgs` negative options, `BUN_INSPECT_PRELOAD`, Highway SIMD, Node.js compatibility improvements fo...
Bun v1.2.10
setImmediate gets faster. Reliability improvements for filesystem operations. Fixes test.failing with done callbacks. Fixes default idle timeout...

Bun v1.2.15

Jarred Sumner · May 28, 2025

This release fixes 11 issues (addressing 261 👍). bun audit scans dependencies for security vulnerabilities, bun pm view shows package metadata from npm, bun init adds a Cursor rule to use Bun instead of Node.js/Vite/npm/pnpm, node:vm SourceTextModule and node:perf_hooks createHistogram are now implemented.

To install Bun

curl
npm
powershell
scoop
brew
docker
curl
curl -fsSL https://bun.sh/install | bash
npm
npm install -g bun
powershell
powershell -c "irm bun.sh/install.ps1|iex"
scoop
scoop install bun
brew
brew tap oven-sh/bun
brew install bun
docker
docker pull oven/bun
docker run --rm --init --ulimit memlock=-1:-1 oven/bun

To upgrade Bun

bun upgrade

bun audit

bun audit performs security audits of your project's dependencies defined in bun.lock. It's like npm audit but for Bun.

esbuild  <=0.24.2
  (direct dependency)
  moderate: esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99

1 vulnerabilities (1 moderate)

To update all dependencies to the latest compatible versions:
  bun update

To update all dependencies to the latest versions (including breaking changes):
  bun update --latest

This uses the same API endpoint that npm audit uses.

Thanks to @alii for the contribution!

bun pm view

bun pm view <pkg> fetches and pretty-prints detailed information about a specified package, including its latest version, description, dependencies, and more.

bun pm view react
bun pm view express@4.18.2
bun pm view next property.path
bun pm view bun --json

Like npm view, you can pass it properties from the JSON response.

bun init Cursor rule

BUN_OPTIONS prepends command-line arguments

Bun now supports the BUN_OPTIONS environment variable, allowing you to pass command-line arguments and flags to Bun for any command execution. This is analogous to Node.js's NODE_OPTIONS and is particularly useful for persistent configurations, CI/CD environments, or when you need to apply global flags without modifying individual scripts and without ~/.bunfig.toml.

# Always use Bun
BUN_OPTIONS="--bun" bun next dev

The BUN_OPTIONS variable is parsed with shell-like rules, supporting quoted strings and spaces. Arguments specified via BUN_OPTIONS are inserted at the beginning of Bun's argument list, before any arguments specified directly on the command line.

# Pass multiple options, including those with spaces or quotes, and use a config file
BUN_OPTIONS="--config='./my config.toml' --silent" bun run dev.ts

Edit files in the browser

Bun's frontend dev server now supports "automatic workspace folders" in Chrome DevTools.

Node.js compatibility improvements

SourceTextModule in node:vm

Bun v1.2.15 adds support for vm.SourceTextModule in node:vm, enabling evaluation of ECMAScript modules within different contexts. This update significantly improves compatibility with the node:vm module, including handling of module linking, caching mechanisms, and error propagation.

import vm from "node:vm";

const context = vm.createContext({
  initialValue: 10,
});

const source = `
  import { multiply } from './operations.js';
  export const finalResult = multiply(initialValue, 5);
`;

// Create a SourceTextModule instance
const module = new vm.SourceTextModule(source, {
  identifier: "my-entry-module.js",
  context: context,
});

// Define the linker function to resolve imports
await module.link(async (specifier, referencingModule) => {
  if (specifier === "./operations.js") {
    const libSource = `export function multiply(a, b) { return a * b; }`;
    return new vm.SourceTextModule(libSource, { context });
  }
  throw new Error(`Failed to resolve module: ${specifier}`);
});

// Evaluate the module within the sandboxed context
await module.evaluate();

// Access the exported namespace
console.log(module.namespace.finalResult); // Expected output: 50

Thanks to @heimskr for the contribution!

Worker.getHeapSnapshot in node:worker_threads

Bun now supports Worker.getHeapSnapshot in node:worker_threads, which lets you track heap usage for a Worker with a V8 Heap Snapshot. Read more about V8 heap snapshots in Bun.

Thanks to @190n for the contribution!

createHistogram in node:perf_hooks

Bun now implements perf_hooks.createHistogram(), enabling precise tracking of statistical distributions for sampled values. This gets Bun closer to unblocking the popular thread pool library piscina from working.

import { createHistogram } from "perf_hooks";

// Create a histogram that can record values between 1 and 1,000,000,
// maintaining 3 significant figures of precision.
const histogram = createHistogram({
  lowest: 1,
  highest: 1_000_000,
  figures: 3,
});

histogram.record(100);
histogram.record(200);
histogram.record(1000);
histogram.record(100); // Record a duplicate

console.log("Min:", histogram.min);
console.log("Max:", histogram.max);
console.log("Mean:", histogram.mean);
console.log("Standard Deviation:", histogram.stddev);
console.log("Total Count:", histogram.totalCount);
console.log("Percentile 50 (Median):", histogram.percentile(50));

Thanks to @alii for the contribution!

JavaScriptCore upgrade

This release upgrades JavaScriptCore, which:

  • Fixes a crash that can occur with await in very rare cases
  • Improves NaN constant folding
  • Fixes a spec edgecase in eval
  • Fixes a spec edgecase with bitshifting to the right on an object that implements a toString method

Bugfixes

JavaScript parser bugfixes:

  • Fixed: await using in browser bundles using Symbol.dispose instead of Symbol.asyncDispose
  • Fixed: parsing JSX namespaced attributes with numeric identifiers
  • Fixed: regression from Bun v1.2.14 with node:assert module when bundled in the browser
  • Fixed: cache invalidation issue causing the "browser" field in package.json to be ignored when bundling for the browser after importing the file on the server. For example, when importing axios in both the server and browser, it would lead to errors that would not happen if you only imported it in the browser. This has been fixed.

Runtime bugfixes:

  • Fixed: stability issue with Bun.plugin module resolution plugins that sometimes could lead to crashes
  • Fixed: BunRequest.clone() now preserves cookies and params
  • Fixed: bun run --filter ignoring NO_COLOR on Windows
  • Fixed: new Bun.CookieMap(object) incorrectly validated the object passed to it as a valid HTTP header, causing errors that should not have happened.

Node.js compatibility bugfixes:

  • Fixed: memory leak in error handling for DNS resolution from c-ares (node:dns)
  • Fixed: ERR_SSL_NO_CIPHER_MATCH when attempting to establish a TLS connection or create a TLS server with an unsupported or invalid cipher suite.
  • Fixed: net.Socket constructor validation for fd option

TypeScript type fixes:

  • Fixed: spyOn Type Inference for Optional Methods
  • Fixed: CryptoKeyPair global type

Thanks to 15 contributors!

Bun v1.2.14