Bun is being rewritten from Zig to Rust to kill memory-safety bugs
Bun, the JavaScript runtime now downloaded over 22 million times a month and used as the engine behind tools like Claude Code and OpenCode, is moving off Zig and onto Rust. Its creator originally built Bun in a single year in Zig, porting esbuild’s transpiler line-for-line and then expanding into a bundler, npm-compatible package manager, test runner, and Node.js API layer. Zig’s low-level control made that ambitious scope achievable solo and pre-LLM, but the same breadth turned memory management into a persistent liability.
The root problem is the collision between JavaScript’s garbage collector and Zig’s fully manual memory model. Because Zig has no destructors or implicit cleanup and relies on explicit defer at each call site, tracking when GC-managed and hand-managed values can be safely freed produced a steady stream of use-after-free crashes and leaks — a representative v1.3.14 changelog lists more than a dozen in zlib, http2, TLS, UDP sockets, and the CSS parser. The team already runs Address Sanitizer on every commit, ships safety-checked builds, and fuzzes the runtime around the clock with Fuzzilli, but those catch bugs after the fact rather than preventing the class outright. Style-guide enforcement and a move to C++ were both weighed and rejected as still leaning on code review to hold the line.
Rust is the answer because ownership and lifetimes live in the type system and cleanup runs automatically via Drop, encoding the discipline that Zig left to human vigilance. Notably, the effort is tied to Bun’s December 2025 acquisition by Anthropic: the author says a pre-release Claude Fable 5 handled much of the rewrite, framing large-scale language migrations — historically a one-way, near-irreversible bet — as newly practical in the LLM era.
Read the full article
Continue reading at Hacker News →This is an AI-generated summary. Read the original for the full story.