Skip to content

[master] Michijs Dependabot changes #225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ghost wants to merge 1 commit into from
Closed

[master] Michijs Dependabot changes #225

ghost wants to merge 1 commit into from

Conversation

@ghost
Copy link

@ghost ghost commented Oct 27, 2025

@ghost
Copy link
Author

ghost commented Oct 27, 2025

Bump vscode-html-languageservice from 5.5.2 to 5.6.0

Commit history:
  • 6d8c8c doc[README.md]: add notes about syntax highlighting and web-data source near API section ([master] Michijs Dependabot changes #220)
  • 28e96e Add setting to disable end tag suggestions ([master] Michijs Dependabot changes #219)
    • Add setting to disable end tag suggestions

    Fixes [master] Michijs Dependabot changes #216

    This change introduces a new hideEndTagSuggestions configuration option
    in the CompletionConfiguration interface that allows users to disable
    closing tag suggestions in HTML completions.

    Previously, the html.suggest.html5 setting controlled whether HTML5
    tags, properties, and values were suggested, but it did not affect
    closing tag suggestions (e.g., </div>). Users who wanted to disable
    the extension's suggestions entirely had no way to turn off these
    end tag completions without disabling the entire extension.

    Changes:

    • Added hideEndTagSuggestions?: boolean to the CompletionConfiguration
      interface in htmlLanguageTypes.ts
    • Updated the collectCloseTagSuggestions function in htmlCompletion.ts
      to check this setting and return early if end tag suggestions are
      disabled
    • Added comprehensive tests to verify the setting works correctly in
      various scenarios

    The setting defaults to false (showing end tag suggestions) to
    maintain backward compatibility with existing behavior.

    Signed-off-by: Giovanni Magliocchetti <giovimag123@​gmail.com>

    • add 5.6.0 entry for CompletionConfiguration.hideEndTagSuggestions

    Signed-off-by: Giovanni Magliocchetti <giovimag123@​gmail.com>
    Co-authored-by: Martin Aeschlimann <martinae@​microsoft.com>

  • 144f3b release 5.6.0 (HTMLDetailsAttributes is missing name attribute #221)

@ghost
Copy link
Author

ghost commented Oct 27, 2025

Bump bun-types from 1.2.20 to 1.3.1

Changelog:
Sourced from releases. 
        ### bun-v1.3.1To install Bun v1.3.1

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.1:

bun upgrade

Read Bun v1.3.1's release notes on Bun's blog

Thanks to 15 contributors!

Special thanks to Martin Schwarzl of Cloudflare for fuzzing & reporting several bugs!!

        ### bun-v1.3.0

Read the blog post

Group 77

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3:

bun upgrade
        ### bun-v1.2.23To install Bun v1.2.23

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.2.23:

bun upgrade

Read Bun v1.2.23's release notes on Bun's blog

Thanks to 16 contributors!

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.2.22:

bun upgrade

Read Bun v1.2.22's release notes on Bun's blog

Thanks to 14 contributors!

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.2.21:

bun upgrade

Read Bun v1.2.21's release notes on Bun's blog

Thanks to 23 contributors!

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.2.20:

bun upgrade

Read Bun v1.2.20's release notes on Bun's blog

Thanks to 19 contributors!

Commit history:
  • b7ae21 Mark flaky test as TODO
  • a75cef Add comprehensive documentation for JSRef (#24095)

    Summary

    • Adds detailed documentation explaining JSRef's intended usage
    • Includes a complete example showing common patterns
    • Explains the three states (weak, strong, finalized)
    • Provides guidelines on when to use strong vs weak references
    • References real examples from the codebase (ServerWebSocket,
      UDPSocket, MySQLConnection, ValkeyClient)

    Motivation

    JSRef is a critical type for managing JavaScript object references from
    native code, but it lacked comprehensive documentation explaining its
    usage patterns and lifecycle management. This makes it clearer how to
    properly use JSRef to:

    • Safely maintain references to JS objects from native code
    • Control whether references prevent garbage collection
    • Manage the upgrade/downgrade pattern based on object activity

    Test plan

    Documentation-only change, no functional changes.

    🤖 Generated with Claude Code

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: Claude <noreply@​anthropic.com>

  • 4c00d8 deps: update elysia to 1.4.13 (#24085)

    What does this PR do?

    Updates elysia to version 1.4.13

    Compare: https://redirect.github.com/elysiajs/elysia/compare/1.4.12...1.4.13

    Auto-updated by this
    workflow

    Co-authored-by: Jarred-Sumner <709451+Jarred-Sumner@​users.noreply.redirect.github.com>

  • f58a06 Update CLAUDE.md
  • 3367fa Refactor: Extract ModuleLoader components into separate files (#24083)

    Summary

    Split ModuleLoader.zig into smaller, more focused modules for better
    code organization and maintainability:

    • AsyncModulesrc/bun.js/AsyncModule.zig (lines 69-806)
    • RuntimeTranspilerStoresrc/bun.js/RuntimeTranspilerStore.zig
      (lines 2028-2606)
    • HardcodedModulesrc/bun.js/HardcodedModule.zig (lines 2618-3040)

    Changes

    • Extracted three large components from ModuleLoader.zig into separate
      files
    • Updated imports in all affected files
    • Made necessary functions/constants public (dumpSource,
      dumpSourceString, setBreakPointOnFirstLine, bun_aliases)
    • Updated ModuleLoader.zig to import the new modules

    Testing

    • Build passes successfully (bun bd)
    • Basic module loading verified with smoke tests
    • Existing resolve tests continue to pass

    🤖 Generated with Claude Code

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: Claude <noreply@​anthropic.com>
    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@​users.noreply.redirect.github.com>

  • a2b262 ci: update bun version to 1.3.1 (#24053) [publish images]
  • fb1fbe ci: update alpine linux to 3.22 (#24052) [publish images]
  • d2c284 Autoformat
  • 0fba69 Add some internal deprecation @​compileError messages
  • f4b639 Fix unhandled exception in JSC__JSPromise__wrap when resolving promise (#23961)

    What does this PR do?

    Previously, JSC__JSPromise__wrap would call
    JSC::JSPromise::resolvedPromise(globalObject, result) without checking
    if an exception was thrown during promise resolution. This
    could happen in certain edge cases, such as when the result value is a
    thenable that triggers stack overflow, or when the promise resolution
    mechanism itself encounters an error.
    When such exceptions occurred, they would escape back to the Zig code,
    causing the CatchScope assertion to fail with "ASSERTION FAILED:
    Unexpected exception observed on thread"
    instead of being properly handled.

    This PR adds an exception check immediately after calling
    JSC::JSPromise::resolvedPromise() and before the RELEASE_AND_RETURN
    macro. If an exception is detected, the function
    now clears it and returns a rejected promise with the exception value,
    ensuring consistent error handling behavior. This matches the pattern
    already used earlier in the function
    for the initial function call exception handling.

    How did you verify your code works?

    new and existing tests

    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@​users.noreply.redirect.github.com>

  • cfe561 fix: allow lifecycle hooks to accept options as second parameter (#24039)

    Summary

    Fixes #23133

    This PR fixes a bug where lifecycle hooks (beforeAll, beforeEach,
    afterAll, afterEach) would throw an error when called with a
    function and options object:

    beforeAll(() => {
  console.log("beforeAll")
}, { timeout: 10_000 })

    Previously, this would throw: error: beforeAll() expects a function as the second argument

    Root Cause

    The issue was in ScopeFunctions.parseArguments() at
    src/bun.js/test/ScopeFunctions.zig:342. When parsing two arguments, it
    always treated them as (description, callback) instead of checking if
    they could be (callback, options).

    Solution

    Updated the two-argument parsing logic to check if the first argument is
    a function and the second is not a function. In that case, treat them as
    (callback, options) instead of (description, callback).

    Changes

    • Modified src/bun.js/test/ScopeFunctions.zig to handle (callback, options) case
    • Added regression test at test/regression/issue/23133.test.ts

    Testing

    ✅ Verified the fix works with the reproduction case from the issue
    ✅ Added comprehensive regression test covering all lifecycle hooks with
    both object and numeric timeout options
    ✅ All existing jest-hooks tests still pass
    ✅ Test fails with USE_SYSTEM_BUN=1 and passes with the fixed build

    🤖 Generated with Claude Code

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: Claude <noreply@​anthropic.com>
    Co-authored-by: pfg <pfg@​pfg.pw>

  • 5a7b82 fix(css): process color-scheme rules inside @​layer blocks (#24034)

    Summary

    Fixes #20689

    Previously, @&ZeroWidthSpace;layer blocks were not being processed through the CSS
    minifier, which meant that color-scheme properties inside @&ZeroWidthSpace;layer
    blocks would not get the required --buncss-light/--buncss-dark
    variable injections needed for browsers that don't support the
    light-dark() function.

    Changes

    • Implemented proper minification for LayerBlockRule in
      src/css/rules/rules.zig:218-221
    • Added recursive call to minify() on nested rules, matching the
      behavior of other at-rules like @&ZeroWidthSpace;media and @&ZeroWidthSpace;supports
    • Added comprehensive tests for color-scheme inside @&ZeroWidthSpace;layer blocks

    Test Plan

    Added three new test cases in test/js/bun/css/css.test.ts:

    1. Simple @&ZeroWidthSpace;layer with color-scheme: dark
    2. Named layers (@&ZeroWidthSpace;layer shm.colors) with multiple rules
    3. Anonymous @&ZeroWidthSpace;layer with color-scheme: light dark (generates media
      query)

    All tests pass:

    bun bd test test/js/bun/css/css.test.ts -t "color-scheme"

    Before

    /* Input */
@&ZeroWidthSpace;layer shm.colors {
  body.theme-dark {
    color-scheme: dark;
  }
}

/* Output (broken - no variables) */
@&ZeroWidthSpace;layer shm.colors {
  body.theme-dark {
    color-scheme: dark;
  }
}

    After

    /* Input */
@&ZeroWidthSpace;layer shm.colors {
  body.theme-dark {
    color-scheme: dark;
  }
}

/* Output (fixed - variables injected) */
@&ZeroWidthSpace;layer shm.colors {
  body.theme-dark {
    --buncss-light: ;
    --buncss-dark: initial;
    color-scheme: dark;
  }
}

    🤖 Generated with Claude Code

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: Claude <noreply@​anthropic.com>
    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@​users.noreply.redirect.github.com>

  • a3f18b feat(test): implement onTestFinished hook for bun:test (#24038)

    Summary

    Implements onTestFinished() for bun:test, which runs after all
    afterEach hooks have completed.

    Implementation

    • Added onTestFinished export to the test module in jest.zig
    • Modified genericHook in bun_test.zig to handle onTestFinished as
      a special case that:
      • Can only be called inside a test (not in describe blocks or preload)
      • Appends hooks at the very end of the execution sequence
    • Added comprehensive tests covering basic ordering, multiple callbacks,
      async callbacks, and interaction with other hooks

    Execution Order

    When called inside a test:

    1. Test body executes
    2. afterAll hooks (if added inside the test)
    3. afterEach hooks
    4. onTestFinished hooks ✨

    Test Plan

    • ✅ All new tests pass with bun bd test
    • ✅ Tests correctly fail with USE_SYSTEM_BUN=1 (feature not in
      released version)
    • ✅ Verifies correct ordering with afterEach, afterAll, and multiple
      onTestFinished calls
    • ✅ Tests async onTestFinished callbacks

    🤖 Generated with Claude Code

    Co-Authored-By: Claude <noreply@​anthropic.com>

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: Claude <noreply@​anthropic.com>
    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@​users.noreply.redirect.github.com>
    Co-authored-by: pfg <pfg@​pfg.pw>

  • afd125 docs(env_var): document silent error handling behavior (#24043)

    What does this PR do?

    This PR adds documentation comments to src/env_var.zig that explain
    the silent error handling behavior for environment variable
    deserialization, based on the documentation from the closed PR #24036.

    The comments clarify:

    1. Module-level documentation: Environment variables may fail to
      parse silently. When they do, the default behavior is to show a debug
      warning and treat them as not set. This is intentional to avoid panics
      from environment variable pollution.

    2. Inline documentation: Deserialization errors cannot panic. Users
      needing more robust configuration mechanisms should consider
      alternatives to environment variables.

    This documentation complements the behavior change introduced in commit
    0dd6aa47ea which replaced panic with debug_warn.

    How did you verify your code works?

    Ran bun bd successfully - the build completed without errors.

    🤖 Generated with Claude Code

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: Claude <noreply@​anthropic.com>

  • 0dd6aa Replace panic with debug warn

    Closes https://redirect.github.com/oven-sh/bun/pull/24025

  • ab1395 zig: env_var: fix output port (#24026)
  • e76570 feat(ENG-21362): Environment Variables Store (#23930)
  • d64854 Fix segv when process.nextTick is overwritten (#23971)

    What does this PR do?

    When process.nextTick is overwritten, segv will be occured via
    internal processTick call.
    This patch fixes it.

    How did you verify your code works?

    Tests.

    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@​users.noreply.redirect.github.com>

  • 787a46 Write more data faster (#23989)

    What does this PR do?

    How did you verify your code works?

  • 29028b docs(watch): rename filename to relativePath in recursive example (#23990)

    When using fs.watch() with recursive: true, the callback receives a
    relative path from the watched directory (e.g., 'subdir/file.txt'),
    not just a filename.

    Renaming the parameter from filename to relativePath makes this
    behavior immediately clear to developers.

    Before:

    (event, filename) => {
  console.log(`Detected ${event} in ${filename}`);
}

    After:

    (event, relativePath) => {
  console.log(`Detected ${event} in ${relativePath}`);
}

    This is a documentation-only change that improves clarity without
    altering any functionality.

    Co-authored-by: Braden Wong <git@​bradenwong.com>

  • 5a82e8 Fix integer overflow when reading MySQL OK packets (#23993)

    Description

    This PR fixes a crash caused by integer underflow in
    OKPacket.decodeInternal.
    Previously, when read_size exceeded packet_size, the subtraction
    packet_size - read_size wrapped around, producing a huge count value
    passed into reader.read(). This led to an integer overflow panic at
    runtime.

    What does this PR do

    • Added a safe subtraction guard in decodeInternal to clamp
      remaining to 0
      when read_size >= packet_size.
    • Ensures empty or truncated OK packets no longer cause crashes.
    • Behavior for valid packets remains unchanged.

    Impact

    Prevents integer overflow panics in MySQL OK packet parsing, improving
    stability when handling short or empty responses (e.g., queries that
    return no rows or minimal metadata).

    How did you verify your code works?

    Tested with proof of concept:
    https://redirect.github.com/Lillious/Bun-MySql-Integer-Overflow-PoC

    Co-authored-by: Ciro Spaciari <ciro.spaciari@​gmail.com>

  • 7bf67e Fix incorrect/suspicious uses of ZigString.Slice.cloneIfNeeded (#23937)

    ZigString.Slice.cloneIfNeeded does not guarantee that the returned
    slice will have been allocated by the provided allocator, which makes it
    very easy to use this method incorrectly.

    (For internal tracking: fixes ENG-21284)

  • fb75e0 Add missing empty JSValue checking for Bun.cookieMap#delete (#23951)

    What does this PR do?

    Adds missing null checking for Bun.CookieMap#delete.

    How did you verify your code works?

    Tests

    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@​users.noreply.redirect.github.com>

  • 24d9d6 ProxyTunnel: close-delimited responses via proxy cause ECONNRESET (#23719)

    fixes: HTTPS over HTTP Proxy: close-delimited response triggers ECONNRESET oven-sh/bun#23717

    What does this PR do?

    • Align ProxyTunnel.onClose with
      HTTPClient.onClose:
      when a tunneled HTTPS response is in-progress and either
      • parsing chunked trailers (trailer-line states), or
    • transfer-encoding is identity with content_length == null while in
      .body,
      treat EOF as end-of-message and complete the request, rather than
      ECONNRESET.
    • Schedule proxy deref instead of deref inside callbacks to avoid
      lifetime hazards.

    How did you verify your code works?

    • test/js/bun/http/proxy.test.ts: raw TLS origin returns
      close-delimited 200 OK; verified no ECONNRESET and body delivered.
    • Test suite passes under bun bd test.

    Risk/compat

    • Only affects CONNECT/TLS path. Direct HTTP/HTTPS unchanged. Behavior
      mirrors existing
      HTTPClient.onClose.

    Repro (minimal)

    See issue; core condition is no Content-Length and no Transfer-Encoding
    (close-delimited).

    Co-authored-by: Ciro Spaciari <ciro.spaciari@​gmail.com>

  • b278c8 Refactor NapiEnv to use ExternalShared for safer reference counting (#23982)

    Summary

    This PR refactors NapiEnv to use bun.ptr.ExternalShared instead of
    manual ref()/deref() calls, fixing a use-after-free bug in the NAPI
    implementation.

    Bug Fixed

    The original issue was in ThreadSafeFunction.deinit():

    1. maybeQueueFinalizer() schedules a task that holds a pointer to
      this (which includes this.env)
    2. The task will eventually call onDispatch()deinit()
    3. But deinit() immediately calls this.env.deref() before the task
      completes
    4. This could cause the NapiEnv reference count to go to 0 while the
      pointer is still in use

    Changes

    Core Changes

    • Added NapiEnv.external_shared_descriptor and NapiEnv.EnvRef type
      alias
    • Changed struct fields from *NapiEnv to NapiEnv.EnvRef where
      ownership is required:
      • ThreadSafeFunction.env
      • napi_async_work.env
      • Finalizer.env (now NapiEnv.EnvRef.Optional)

    API Changes

    • Use .get() to access the raw *NapiEnv pointer from EnvRef
    • Use .cloneFromRaw(env) when storing env in long-lived structs
    • Use EnvRef.deinit() instead of manual env.deref()
    • Removed manual env.ref() calls (now handled automatically by
      cloneFromRaw)

    Safety Improvements

    • Reference counting is now managed by the ExternalShared wrapper
    • Prevents manual ref/deref mistakes
    • Ensures proper cleanup even when operations are cancelled or fail
    • No more use-after-free risks from premature deref

    Testing

    Built successfully with bun bd. NAPI tests pass (66/83 tests, with 17
    timeouts that appear to be pre-existing issues).

    Implementation Notes

    Following the pattern from Blob.zig and array_buffer.zig, structs
    that own a reference use NapiEnv.EnvRef, while functions that only
    borrow temporarily continue to use *NapiEnv parameters.

    The ExternalShared interface ensures:

    • .clone() increments the ref count
    • .deinit() decrements the ref count
    • No direct access to the internal ref/deref functions

    This makes the ownership semantics explicit and type-safe.

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: taylor.fish <contact@​taylor.fish>

  • 066f70 Fix CSS view-transition pseudo-elements with class selectors (#23957)
  • 0ad4e6 Fix Buffer.isEncoding('') to return false (#23968)

    Summary

    Fixes Buffer.isEncoding('') to return false instead of true,
    matching Node.js behavior.

    Description

    Previously, Buffer.isEncoding('') incorrectly returned true in Bun,
    while Node.js correctly returns false. This was caused by
    parseEnumerationFromView in JSBufferEncodingType.cpp treating empty
    strings (length 0) as valid utf8 encoding.

    The fix modifies the switch statement to return std::nullopt for empty
    strings, along with other invalid short strings.

    Changes

    • Modified src/bun.js/bindings/JSBufferEncodingType.cpp to return
      std::nullopt for empty strings
    • Added regression test test/regression/issue23966.test.ts

    Test Plan

    • Test fails with USE_SYSTEM_BUN=1 bun test test/regression/issue23966.test.ts (confirms bug exists)
    • Test passes with bun bd test test/regression/issue23966.test.ts
      (confirms fix works)
    • Verified behavior matches Node.js v24.3.0
    • All test cases for valid/invalid encodings pass

    Fixes #23966

    🤖 Generated with Claude Code

    Co-authored-by: Claude Bot <claude-bot@​bun.sh>
    Co-authored-by: Claude <noreply@​anthropic.com>

  • b90abd BUmp
  • 89fa0f Refactor napi_env to use Ref-counted NapiEnv (#23940)

    What does this PR do?

    Replaces raw napi_env pointers with WTF::Ref for improved
    memory management and safety. Updates related classes, function
    signatures, and finalizer handling to use reference counting. Adds
    ref/deref methods to NapiEnv and integrates them in Zig and C++ code
    paths, ensuring proper lifecycle management for N-API environments.

    How did you verify your code works?

  • 72f1ff Silence non-actionable worker_threads.Worker option warnings (#23941)

    What does this PR do?

    How did you verify your code works?

@michijs michijs bot closed this Nov 18, 2025
@michijs michijs bot mentioned this pull request Dec 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants