`: Allows you to ignore specific vulnerabilities by their CVE ID. This flag can be used multiple times.
These flags make it easier to integrate `bun audit` into CI/CD pipelines by allowing you to focus on the most critical security issues relevant to your application.
```sh
# Only report high and critical vulnerabilities
bun audit --audit-level=high
# Audit only production dependencies
bun audit --prod
# Ignore a specific vulnerability
bun audit --ignore CVE-2023-12345
# Ignore multiple vulnerabilities
bun audit --ignore CVE-2023-12345 --ignore CVE-2023-67890
```
Thanks to @RiskyMH for the contribution
## `bun install --lockfile-only` is much faster
The `bun install --lockfile-only` command has been optimized to avoid downloading package tarballs from the npm registry. It now only fetches package manifests, which contain all the necessary information to generate or update `bun.lock`.
This change significantly reduces network bandwidth usage and improves performance, especially in CI environments or for projects with many dependencies. For non-npm dependencies, such as direct tarball URLs or Git repositories, the tarballs are still downloaded to ensure the lockfile's accuracy.
## `bun update --interactive` supports scrolling
The interactive mode for `bun update` (`bun update -i` or `bun update --interactive`) now supports scrolling. When the list of updatable dependencies exceeds the height of your terminal, you can use the up and down arrow keys to navigate the full list.
Additionally, the table display is now responsive to your terminal's width. Long package names will be truncated to ensure the layout remains clean and readable on smaller screens.
Thanks to @RiskyMH for the contribution
## Reduced idle CPU usage
Previously, `Bun.serve` would wake up every second to update a cached `Date` header for HTTP responses. This caused Bun's process to use a small amount of CPU and trigger context switches, even when the server was completely idle or not even used at all.
{% image src="/images/idle-1.2.21.png" caption="setTimeout benchmark" /%}
Now, this timer is only active when there are in-flight requests. When a server is idle, Bun's process will now truly sleep, consuming virtually no CPU resources.
## `Bun.build()` now supports compiling executables
You can now create standalone executables with the `Bun.build()` JavaScript API. This functionality, previously only available via the `bun build --compile` CLI flag, is now accessible programmatically. Bundler plugins are also now fully supported when compiling an executable.
The new `compile` option in `Bun.build` accepts `true` to build for the current platform, a target string like `'bun-linux-x64'`, or a configuration object for more advanced options.
```ts
// Cross-compile an executable for Linux x64 with musl
await Bun.build({
entrypoints: ["./cli.ts"],
// target can be a shorthand string where it uses entrypoint name as executable name
compile: "bun-linux-x64-musl",
});
// Or use an object for more configuration, like setting a custom filename and Windows icon
await Bun.build({
entrypoints: ["./cli.ts"],
compile: {
target: "bun-windows-x64",
outfile: "./my-app-windows",
windows: {
// set the icon for the .exe
icon: "./icon.ico",
},
},
});
```
Thanks to @RiskyMH for the contribution
### Embed runtime flags into standalone executables with `--compile-exec-argv`
The `bun build --compile` command now supports a new `--compile-exec-argv` flag that lets you embed runtime arguments directly into a standalone executable.
When the compiled binary is executed, these arguments are processed by the Bun runtime as if they were passed on the command line. This allows you to create specialized builds with different runtime characteristics, such as enabling the inspector, setting a default user-agent, or optimizing for memory usage. The embedded arguments are also available for inspection via `process.execArgv`.
```ts
// index.ts
console.log(`Bun was launched with: ${process.execArgv.join(" ")}`);
// This --user-agent flag is actually processed by Bun's runtime.
// All fetch requests will use this user-agent.
const res = await fetch("https://api.bunjstest.com/agent");
console.log(`User-Agent header sent: ${await res.text()}`);
```
You can build this file with embedded arguments.
```sh
$ bun build ./index.ts --compile --outfile=my-app \
--compile-exec-argv="--smol --user-agent=MyApp/1.0"
$ ./my-app
Bun was launched with: --smol --user-agent=MyApp/1.0
User-Agent header sent: MyApp/1.0
```
### Set metadata for Windows executables
You can now embed metadata into standalone executables for Windows using `bun build --compile`. This allows you to set the application's title, publisher, version, description, and copyright, which will be visible in the file properties in Windows Explorer.
This is supported via a new set of CLI flags:
- `--windows-title`
- `--windows-publisher`
- `--windows-version`
- `--windows-description`
- `--windows-copyright`
These options are also available in the `Bun.build()` API via the `compile.windows` object.
```js
await Bun.build({
entrypoints: ["./app.js"],
outfile: "./app.exe",
compile: {
windows: {
title: "My Cool App",
publisher: "My Company",
version: "1.2.3.4",
description: "This is a really cool application.",
copyright: "© 2024 My Company",
},
},
});
```
Thanks to @RiskyMH for the contribution
## `Bun.stripANSI()` - SIMD-accelerated ANSI escape removal
`Bun.stripANSI()` lets you strip ANSI escape codes from a string. It serves as a high-performance, built-in alternative to the `strip-ansi` package from npm, running between 6x and 57x faster.
```js
const coloredText = "\u001b[31mHello\u001b[0m \u001b[32mWorld\u001b[0m";
const plainText = Bun.stripANSI(coloredText);
console.log(plainText); // => "Hello World"
// Works with various ANSI codes
const formatted = "\u001b[1m\u001b[4mBold and underlined\u001b[0m";
console.log(Bun.stripANSI(formatted)); // => "Bold and underlined"
```
Thanks to @taylordotfish for the contribution!
## Codesigned `bun.exe` for Windows
`bun.exe` for Windows is now code-signed, which resolves a security warning that could appear when running it for the first time.
Thanks to @connerlphillippi for the contribution!
## `bunx` now supports `--package`
You can now use the `--package` (or `-p`) flag with `bunx` to run a binary from a package where the binary's name differs from the package's name. This is useful for packages that ship multiple binaries or for scoped packages. This brings `bunx`'s functionality in line with `npx` and `yarn dlx`.
For example, the `renovate` package provides a `renovate-config-validator` binary. You can now run it directly:
```sh
# Run the `renovate-config-validator` binary from the `renovate` package
bunx --package renovate renovate-config-validator
```
Similarly, to use the `ng` binary from the `@angular/cli` package:
```sh
# Run the `ng` binary from the `@angular/cli` package
bunx -p @angular/cli ng new my-app
```
Thanks to @RiskyMH for the contribution
## `package.json` `sideEffects` now supports glob patterns
Bun's bundler now supports using glob patterns in the `sideEffects` field of `package.json`. This allows for more precise tree-shaking and can lead to smaller bundle sizes, especially when using component libraries that rely on this feature.
Previously, using a glob pattern would cause Bun to de-optimize the entire package. Now, Bun correctly identifies which files have side effects based on the provided patterns.
Supported patterns include `*`, `?`, `**`, `[]`, and `{}`.
```json
// package.json
{
"name": "my-package",
"sideEffects": ["**/*.css", "./src/setup.js", "./src/components/*.js"]
}
```
In the example above, Bun will correctly preserve all CSS files, `src/setup.js`, and any JavaScript files directly inside `src/components/`, while tree-shaking other modules if they are not used.
Thanks to @RiskyMH for the contribution
## Customize `User-Agent` with the `--user-agent` flag
A new `--user-agent` flag has been added to the Bun CLI. This allows you to override the default `User-Agent` header for all HTTP requests made using `fetch()` within your application. This is useful for identifying your application to external services or for APIs that require a specific `User-Agent`.
```js#agent.js
const response = await fetch("https://httpbin.org/user-agent");
const data = await response.json();
console.log(data["user-agent"]);
```
```sh
# Run with a custom user agent
$ bun --user-agent "MyCustomApp/1.0" agent.js
MyCustomApp/1.0
# Without the flag, it uses the default
$ bun agent.js
Bun/1.2.18
```
## Node.js compatibility improvements
- Fixed: `TypeError` when using `ws` that could occur when a WebSocket upgrade is aborted or fails (server-side)
- Fixed: `process.exit()` in a Worker now correctly notifies N-API callers that the VM is terminating, improving Node.js compatibility.
- Fixed: assertion failure during process exit when using NAPI addons, such as `node-sqlite3`, that trigger garbage collection within their finalizers.
- Fixed: assertion failure that could occur in native addons when `napi_is_exception_pending` is called from an object finalizer.
- Fixed: assertion failure when reading a file with an odd number of bytes using `utf16le` or `ucs2` encoding.
- Fixed: assertion failure when terminating a Worker that called `process.exit`.
- Fixed: assertion failure when using N-API native addons like `lmdb` that attempt to remove a cleanup hook that has already been removed or was never added. Bun's behavior is now aligned with Node.js, which silently ignores this operation.
- Fixed: bug in `child_process` that occurred when stdio streams were destroyed too quickly. Bun now `stream.Readable` and `stream.Writable` instances just like Node.js.
- Fixed: bug when `Error.prepareStackTrace` was called with a `null`, `undefined`, or other non-array value as the second argument.
- Fixed: bug where exceptions thrown from N-API modules were propagated to JavaScript too quickly, which could lead to a crash.
- Fixed: bug where `readline.createInterface()` from `node:readline/promises` did not implement `[Symbol.dispose]`, preventing its use with `using` declarations.
- Fixed: bugs in `structuredClone` where certain non-transferable objects were handled incorrectly.
- Fixed: deadlock in `net.BlockList` that could occur when the same instance was accessed from multiple threads simultaneously.
- Fixed: rare race condition in inter-process communication (IPC) that could lead to a crash when using `node:cluster`.
- Fixed: regression in `node:crypto` where functions like `crypto.sign()` would fail when using lowercase algorithm names, such as `'rsa-sha256'`. This improves compatibility with Node.js and fixes libraries like `mailauth`.
## Bundler & parser bugfixes
- Fixed: assertion failure in the JavaScript lexer when parsing an invalid template string in a JSX element, such as ``.
- Fixed: assertion failure in the CSS parser when bundling stylesheets with large floating-point values, such as those generated by TailwindCSS's `rounded-full` utility.
- Fixed a bug where `String contains an invalid character` would be thrown when rendering multiple frontend errors in Bun's frontend development server.
## Bun.SQL bugfixes
- Fixed: Bun.SQL error classes are all now exported, accessible under `Bun.SQL.PostgresError`, `Bun.SQL.SQLiteError` and `Bun.SQL.MySQLError`. This allows for type-safe error handling like `error instanceof Bun.SQL.PostgresError`. You can also use the superclass they all extend, `Bun.SQL.SQLError`.
- Fixed: Unix domain sockets would fail to connect when using PostgreSQL in certain configurations, often resulting in a `PostgresError: Connection closed`.
- `sql(["a", "b", "c"])` now supports string arrays in `WHERE IN` clauses. Thanks to @zenazn for the contribution.
## bun install bugfixes
- Fixed: A UI flickering issue in `bun update --interactive` has been resolved, providing a smoother experience.
- Fixed: `yarn.lock` migrations for packages with long version strings, such as those that include git commit SHAs
- Fixed: assertion failure in Bun's logger that could occur when processing source locations.
- Fixed: assertion failure in `bun install` when parsing a malformed or oversized integrity hash in a `bun.lockb` file
- Fixed: assertion failure that could occur when parsing a `package.json` with top-level catalog configurations.
- Fixed: bug where `bun init` would list `CLAUDE.md` twice in the summary of created files.
## Runtime bugfixes
- Fixed: typo in the `bun upgrade` error message, which caused an extra closing parenthesis to be printed on verification failure, has been corrected.
- Fixed: `Bun.hash.xxHash64` to correctly handle `BigInt` seeds larger than 32-bits
- Fixed: `Bun.serve()` would incorrectly reject a `tls` array with a single configuration object
- Fixed: bug impacting Windows when using pipelines in `bun shell` (`$`)
- Fixed: bug that could occur when calling `server.stop()` on a `Bun.serve` instance while requests were still being processed
- Fixed: bug where `Bun.serve` would add a `Date` header to an HTTP response even if one was already present, resulting in duplicate `Date` headers
- Fixed: crash in `HTMLRewriter` when an element handler throws an exception. This change also resolves a memory leak when parsing invalid CSS selectors and improves error messages for them.
- Fixed: namespace import objects (`import * as ns from '...'`) incorrectly inherited from `Object.prototype`. Please let us know if this breaks anything
- Improved internal exception handling in `bun:sqlite`
- `expect(...).toBeCloseTo(...)` is now correctly counted in the total number of expect calls reported by `bun test`.
### Thanks to 23 contributors!
- [@alii](https://github.com/alii)
- [@cirospaciari](https://github.com/cirospaciari)
- [@connerlphillippi](https://github.com/connerlphillippi)
- [@creationix](https://github.com/creationix)
- [@dylan-conway](https://github.com/dylan-conway)
- [@heimskr](https://github.com/heimskr)
- [@imranbarbhuiya](https://github.com/imranbarbhuiya)
- [@jarred-sumner](https://github.com/jarred-sumner)
- [@lifefloating](https://github.com/lifefloating)
- [@lydiahallie](https://github.com/lydiahallie)
- [@markovejnovic](https://github.com/markovejnovic)
- [@nektro](https://github.com/nektro)
- [@pfgithub](https://github.com/pfgithub)
- [@riskymh](https://github.com/riskymh)
- [@rmncldyo](https://github.com/rmncldyo)
- [@robobun](https://github.com/robobun)
- [@sanderjo](https://github.com/sanderjo)
- [@someone19204](https://github.com/someone19204)
- [@sosukesuzuki](https://github.com/sosukesuzuki)
- [@taylordotfish](https://github.com/taylordotfish)
- [@zackradisic](https://github.com/zackradisic)
- [@zenazn](https://github.com/zenazn)