Bun 1.1 - Readit News

message = '; cat /etc/passwd' # Whoops, shell injection vulnerability! subprocess.run(f'echo Message: {message}', shell=True) # Correct (assuming sh-compatible shell). subprocess.run(f'echo Message: {shlex.quote(message)}', shell=True) # Correct (without using shell). subprocess.run(['/bin/echo', 'Message:', message])

let message = '; cat /etc/passwd'; // Works correctly. await $`echo Message: ${message}`.text(); // Fails safely by throwing error about incorrect usage. await $('echo Message: ' + message).text();

Seems like a good release. I watched their video, and some charts were a bit unclear, as in, I didn't know if they were comparing with the previous Bun version or Node.js.

My experience with using Bun in side projects has been good. The built-in APIs work well in my experience, and I hope popular runtimes adopt at least a subset of them. The hashing and the SQLite bindings come to mind as APIs that I wish were available in Deno and Node.js as well.

They collect some telemetry by default. I don't think the install script tells you that. The only mention of it that I've found is in the Bunfile documentation: https://bun.sh/docs/runtime/bunfig#telemetry

I'd prefer if it was opt-in, and that users were given instructions for disabling it if they want to during installation.

They offer an option to create a dependency-free executable for your project, which bundles the runtime with your .js entrypoint. That works great if you want a single binary to distribute to users, but at the moment, the file size is still pretty big (above 90MB on GNU/Linux for a small project). Not terrible, but nothing comparable to Go or QuickJS yet. I wonder if in the future, Bun would offer an option to compile itself with certain features disabled, so we'd get a smaller binary.

I have been playing with using Bun as a Haxe target. It works pretty well and IMO it's a choice to consider if you like Haxe more than TypeScript, or if you want to add a web server to an existing Haxe project without adding another programming language. You can also to do things like generating validation code at compile time, which seems hard to do with just TypeScript.

Jarred · 2 years ago

Note that we do not currently send telemetry anywhere. The extent of what we track right now is a bitset of what builtin modules were imported and a count of how many http requests were sent with fetch(), and a few things like that. This is used in the message printed when Bun panics so we can have a better idea of what the code was doing/did when it crashed

gr4vityWall · 2 years ago

Sorry, I didn't understand your post. From the last 2 phrases, it seems to be the case that you do collect some data.

So, when you say

> Note that we do not currently send telemetry anywhere. You mean that Oven do not send that data to someone else, right?

I still see value in having a privacy policy so that users can find out what is collected by Oven in a concise way, and how to opt out of that. As far as I know, the fact that any data is collect at all, and that there's a flag to disable it is only mentioned in a documentation page for Bun's TOML config file.

notelem · 2 years ago

> They collect some telemetry by default

I wondered why every time I upgraded bun macos would pop up a permissions dialog. This explains that.

Anyway, it can be disabled by adding the following to your environment:

    export DO_NOT_TRACK=1

This is the data collected:

https://github.com/oven-sh/bun/blob/801e475c72b3573a91e0fb4c...

This 64 bit machine_id line is concerning:

https://github.com/oven-sh/bun/blob/801e475c72b3573a91e0fb4c...

It may be a unique identifier for your machine.

Jarred · 2 years ago

That is unrelated. This is a code signing / notarization issue because we don’t distribute Bun via the Mac App Store and likely the way it was installed was via npm or something other than .zip file we distribute. Code signing is necessary due to the JIT entitlement in Bun (otherwise Bun would be a whole lot slower)

stefanos82 · 2 years ago

Thank you for letting me know about telemetry; I had no idea.

rnmkr · 2 years ago

Then people go crazy when Golang announced they want to enable informed opt-out telemetry.

moritzwarhier · 2 years ago

> I'd prefer if it was opt-in, and that users were given instructions for disabling it if they want to during installation.

So you mean an informed opt-out, right?

Thank you for the interesting hands-on experiences and insights regarding Bun. I followed the coverage and posts by Jarred here on HN for quite a while, think since the initial alpha release, but haven't used it.

Will keep your examples for helpful added platform APIs in mind for when I hopefully come around to doing sth with Bun!

It sounds like a great platform for JS scripting as well - I also think that could be a good and easy way to test the waters.

Really, kudos to Bun and Jarred Sumner for living up to the promise he made when the first version was announced!

gr4vityWall · 2 years ago

> So you mean an informed opt-out, right? I worded it wrong - I meant I'd prefer if it was opt-in, or at least informed opt-out, like you said. Thanks for pointing it out. :)

> It sounds like a great platform for JS scripting as well - I also think that could be a good and easy way to test the waters.

It is. Some other features you might enjoy are the built-in TypeScript support and test runner. It works well for one-off scripts too, if you'd prefer not using Bash. For me, it was refreshing coming from Node.js. Hope it is an enjoyable experience for you as well.

I feel like such a downer when I ask this about Bun and Deno, but: why should I use them instead of Node?

I don’t mean to take away from the obviously impressive engineering effort here. But VC funding always gives me pause because I don’t know how long the product is going to be around. I was actually more interested in Deno when it promised a reboot of the JS ecosystem but both Bun and Deno seem to have discovered that Node interoperability is a requirement so they’re all in the same (kinda crappy) ecosystem. I’m just not sure what the selling point is that makes it worth the risk.

nikeee · 2 years ago

We could drastically simplify the building and deployment process of our services. By far the greatest advantage is that it runs TS natively. Dropping the compilation stage simplifies everything. From docker imaging to writing DB migrations to getting proper stack traces.

You don't need source maps. You don't have to map printed stack traces to the source. Debugging just works. You don't need to configure directories because src/ is different than dist/ for DB migrations. You don't have to build a `tsc --watch & node --watch` pipeline to get hot reloading. You don't need cross-env. No more issues with cjs/esm interop. Maybe you don't even need a multi-stage Dockerfile.

That's for bun. Deno might have a similar story. We did not opt-in to the Bun-specific APIs, so we can migrate back if Bun fails. Maybe we could even migrate to something like ts-node. Shouldn't be that hard in that case.

IMHO the API of Bun, as well as the package manager, sometimes tries to be _too_ convenient or is too permissive.

ibash · 2 years ago

Kind of. When you do try to run bun in production you'll find out that it has significant differences to node -- like not handling uncaught exceptions: https://github.com/oven-sh/bun/issues/429

Then you'll use bun build and run node in production, only to find that sourcemaps don't actually work at all: https://github.com/oven-sh/bun/issues/7427

So you'll switch to esbuild + node in production :)

Definitely excited for the promise of bun, but it's not quite baked yet.

Waterluvian · 2 years ago

Curious: does it run TS natively or does it just transpile for you? Because the former suggests exciting opportunity for better compiling or JITting if it can actually commit to holding on to the typing.

searchableguy · 2 years ago

You can use tsx as loader with node if you want to directly run typescript.

node --import tsx ./file.ts

leptons · 2 years ago

I'm not sure how difficult it would be for Nodejs to support .ts files natively. But if that's the main reason to use Bun, I'd be worried about its long term viability. Node could announce native .ts support at any time and then Bun might not look so good.

dzonga · 2 years ago

what if I don't like typescript ? and like duck-typing my way through. and adding annotations when necessary via jsdoc ?

not everyone likes typescript or finds it useful. e.g svelte dropping typescript ?

not to take away the amazing work people at bun have done.

__alexs · 2 years ago

ts-node has all of these features too?

paulddraper · 2 years ago

> By far the greatest advantage is that it runs TS natively.

So why doesn't any major runtime run Java natively? Or C++ natively? Or Rust natively?

Why is this such a cool unlock that hasn't been done for any other language?

---

85% of this are people tired/bored of Node.js.

throwitaway1123 · 2 years ago

The most compelling argument for Deno is the permission system in my opinion. Node added a permission system recently, but it's much more coarse grained than Deno's. Being able to limit a script to listening on a specific hostname and port, or only allowing it to read a specific environment variable is pretty cool, and makes me less paranoid about trusting third party dependencies. Both Bun and Deno are also more performant than Node in many cases, and add a bunch of little quality of life improvements.

int_19h · 2 years ago

The real question is how much you can trust this. Those kinds of permission systems have been tried before - e.g. .NET used to have something called "Code Access Security". It was retired largely because the very notion of VM-enforced sandbox was deemed inadequate from experience. IIRC SecurityManager in Java was something similar, also deprecated for similar reasons. I'm afraid that Deno will just be a repeat of that.

silverwind · 2 years ago

Imho those permission systems are still too rudimentary and too non-automated. Instead of CLI flags I would like to see permission enforced at dependency boundaries, e.g.

    import foo from 'foo' with {permissions: ['fs', 'net']}

Osmose · 2 years ago

The speed increases are nothing to sneeze at; I've moved a few Vite projects over to Bun and even without specific optimizations it's still noticeably faster.

A specific use case where Bun beat the pants out of Node for me was making a standalone executable. Node has a very VERY in-development API for this that requires a lot of work and doesn't support much, and all the other options (pkg, NEXE, ncc, nodejs-static) are out-of-date, unmaintained, support a single OS, etc.

`bun build --compile` worked out-of-the-box for me, with the caveat of not supporting native node libraries at the time—this 1.1 release fixes that issue.

llimllib · 2 years ago

I've hit significant failures every time I've tried to use `bun build --compile`; the most recent code I was trying to compile hit this one[1].

I documented how to build a binary from a JS app with node, deno, and bun here [2]. Node SEA is a bad DX, but not that complex once you figure it out.

1: https://github.com/oven-sh/bun/issues/6832

2: https://github.com/llimllib/node-esbuild-executable

throwitaway1123 · 2 years ago

Bun's standalone executables are great, but as far as I'm aware unlike Deno and Node there's no cross compilation support, and Node supports more CPU/OS combinations than either Deno or Bun. Node supports less common platforms like Windows ARM for example (which will become more important once the new Snapdragon X Elite laptops start rearing their heads [1]).

[1] https://www.youtube.com/watch?v=uWH2rHYNj3c

hiccuphippo · 2 years ago

It also helps avoid a node/v8 monoculture, just like with web browsers. I'm sure the ecosystem as a whole will get better because of it, even if you decide not to use it.

mrd3v0 · 2 years ago

Avoiding a monoculture by introducing a VC-backed alternative is just asking for another monoculture.

yolm · 2 years ago

I used both Deno and Bun.

Bun is really nicely compatible with node.

Speed of course is excellent, but the main reason I use Bun and recommend it:

You replace node, npm, tsx, jest, nodemon and esbuild with one single integrated tool that's faster than all of the others.

bducycy · 2 years ago

Nicely compatible, until it's not.

We banned all these forks at work.

The dev onboarding overhead is not worth the benefits.

Having all 1700 repos using the same build tooling is more important than slight increases in build performance.

charrondev · 2 years ago

I can give a bit of perspective here. I'm currently porting our the Vanilla Forums frontend (~500k lines of typescript) from using Node, Yarn (we used it back before npm supported lockfiles) and Webpack, to build with bun and Vite.

There are a few notable differences:

- The out of the box typescript interoperability is actually very nice, and much faster than using `ts-node` as we were before.

- Installations (although rare) are a fair bit faster.

- With bun I don't have to do the frankly crazy song and dance that node now requires for ES modules.

- Using bun is allowing us to drop `jest` and related packages as a dependency entirely and it executes our test suite a lot faster than jest did.

For my personal projects I now reach for bun rather than node because

- It has Typescript support out of the box.

- It has a nice test runner out of the box.

- It has much runtime compatibility with browsers (`fetch` is a good example).

- The built-in web server is sufficient for small projects and avoids the need to pull in various dependencies.

pjmlp · 2 years ago

My old dog experience has proven multiple times that staying with the main reference tool for the platform always pays out long term, as most forks or guest languages eventually fade out after the hype cycle is over.

The existing tools eventually get the features that actually matter, and I avoided rewriting stuff twice, on the meantime I gladly help some of those projects to backport into the reference tooling for the platform.

The only place I really haven't followed this approach was in regards to C++ in UNIX, which at first sight might feel I am contradicting myself, however many tend to forget C++ was born at Bell Labs, on the same building as UNIX folks were on, and CFront tooling was symbiotic with UNIX.

triyambakam · 2 years ago

Bun test is so enjoyably faster than Jest.

I have a file of thousands of string manipulation tests that Jest just crashes on after 3 minutes while Bun runs in in milliseconds.

1123581321 · 2 years ago

How is the Bun test runner’s compatibility with Jest’s methods? Can a mature test suite be easily ported?

We are currently looking at vite and vitest to run 1600 jest tests.

fastball · 2 years ago

FYI if you want to make a list on HN you're gonna need to add an extra line break everywhere.

afavour · 2 years ago

ESM interop is inarguable. But these days Node has a test runner and compatibility with browsers (it implements fetch)… I guess I feel like Node is likely to catch up with most of this stuff over the lifetime of any long running project.

briantakita · 2 years ago

> - The built-in web server is sufficient for small projects and avoids the need to pull in various dependencies.

ElysiaJS is a good library when you do need a bit more with the routing + middleware. It has great benchmarks as well.

nsonha · 2 years ago

Doesnt node have a built-in test runner too these days?

crabmusket · 2 years ago

I really like Deno for small scripts and small side projects - it's just fast to get started with. And it allows me to use web standards, like URL imports to grab packages from CDNs instead of having a config file. There's just less to think about, like oh what was Node's crypto thing? Node is making strides in web compatibility, and building in things like a test runner. And I don't have much interest in migrating company projects away from Node. But Deno feels really fresh and light when I just need to run some JS.

angra_mainyu · 2 years ago

Bun's equivalent of "npm i" is extremely fast, at least an order of magnitude faster on all 3 of my machines.

Since I run "npm i" many times per day, that in itself is a big timesaver, not just for local dev but also in CI pipelines.

arcanemachiner · 2 years ago

Have you tried pnpm?

https://pnpm.io/

rlt · 2 years ago

How does it compare to pnpm

brlewis · 2 years ago

See my answer "what's cool about deno" https://gitlab.com/brlewis/brlewis-aoc/-/blob/main/README.md...

vbezhenar · 2 years ago

Node is safe choice, IMO. I tried deno and I think it's cool, but I'm staying on node for the time being. Things that deno makes easier are not that hard with node and stability matters for me. For example I had to spend few hours rewriting my tiny service with changed deno API. Don't have any experience with bun, though.

mmastrac · 2 years ago

If there are any specific places where Deno didn't support a node API, please file a bug -- we definitely shoot for as close to node.js as possible, and if you have to modify your code that's most often on us.

(I'm a deno core dev)

waynenilsen · 2 years ago

Bun has been great as a package manager, test suite runner and typescript interpreter. We use node in prod

WuxiFingerHold · 2 years ago

I have ask myself the same question a couple of weeks ago and decided to use Node for some side stuff. Simply because of Node being the most mature, boring choice. Still, I like the DX improvements of both Bun and Deno a lot. We'll see how it all plays out in some years.

postepowanieadm · 2 years ago

Cute logo.

And UX is pretty great: integrated fetch, simplified fs api, integrated test runner (I miss good old TAP style assertions though), ESM/CJS modules just work, some async sugar.

I think if they offer me a paid *worker solution, with sqlite, that's something I'm willing to pay for.

solumunus · 2 years ago

I don't know how you're using Node and not thinking "I wish there was a better option than this". I can't wait to jump ship but Bun/Deno aren't quite there yet, for my needs.

eddd-ddde · 2 years ago

Curious what you are missing to make the jump.

CuriouslyC · 2 years ago

I can't speak for deno, but bun is drop in compatible for most things and the test runner speed alone is enough to make it worth using.

dcre · 2 years ago

I haven’t used them yet for full sized apps, but they are both fantastic for scripting and small CLIs. Between the ease of running scripts, nice standard libraries, npm ecosystem, and excellent type system, I now feel TypeScript is a better scripting language than Python or Ruby.

triyambakam · 2 years ago

I used to think so too, but that was because I had never really used Python. I still think Ruby is a mess, but it's so amazing how easy it is to manipulate data in Python, and so much faster.

I recently wrote a Node/Bun/Deno app that parses a 5k line text file into JSON.

The JavaScript on any runtime takes 30-45 seconds.

The Python implementation is sub 1 second.

I would not have been able to finish the tool so quickly if I were stuck relying on JS.

I still love Typescript but I'm not as blind about it now.

Solvency · 2 years ago

The real question is why would I use Bun over Vite? Even the ThreeJS developers determined Vite is the best.

dcre · 2 years ago

Bun and Vite are not analogous. Bun is a runtime with a standard library, bundler, test runner. Vite is a bundler. You can run Vite through Bun.