Monday, October 13, 2025

Why We're Excited About Bun 1.3

Gianni Crivello

TLDR: View the Bun 1.3 Blog here.

As a small engineering team working directly with our customers, toolchain complexity creates significant friction in reaching production and slows our time to market. Most of the applications Sylow works on are greenfield. This represents risk. New code introduces complexity into organizations. Furthermore, the code we write isn’t always the code we manage. The job of our engineers is to manage some of this complexity by choosing the right tech stack and building modular, maintainable, and secure applications. When a project positions itself as "Rails for JavaScript," we pay attention. Last week, Jarred Sumner and the Bun team released Bun 1.3, describing it as a unified full-stack toolchain. While the project is still maturing, the progress is encouraging.

Bun 1.3 introduces built-in database clients for PostgreSQL, MySQL, SQLite, and Redis with a single API. The implementation eliminates external dependencies while providing native-speed performance. Bun.SQL runs queries directly through the runtime rather than through npm packages. Their Redis client supports 66 standard commands with automatic reconnection and message queuing. For integration work, having consistent interfaces across different database systems reduces implementation complexity, particularly when building adapters or working with heterogeneous data sources.

The security additions address practical concerns in production deployments. Bun.secrets integrates with OS-native credential stores (Keychain, libsecret, Windows Credential Manager) for encrypted storage separate from environment variables. When implementing key-bound tokens for AI system security, this makes for a very nice API. The Security Scanner API allows vulnerability scanning during package installation, with Socket's scanner available as a reference implementation. The minimumReleaseAge configuration provides a time-delay defense against supply chain attacks by preventing installation of newly published packages. These features complement rather than replace existing security practices, but they're implemented at the runtime level where they're harder to bypass accidentally. Crypto operations show significant performance gains: DiffieHellman is approximately 400x faster, Cipheriv/Decipheriv approximately 400x faster, and scrypt approximately 6x faster.
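
The time-delay idea behind minimumReleaseAge, sketched as an added example (not code from the Bun project or from this post): given a package's publish timestamps, resolve to the newest release that has been public for at least the configured age. The metadata shape, the function names and the seconds unit are assumptions of the example.

```javascript
// Added illustration of a minimum-release-age gate; not Bun's implementation.
// The metadata shape, function names and seconds unit are assumptions of this example.

// Constructed sample, shaped like an npm registry "time" map (version -> publish time).
const SAMPLE_TIMES = {
  created: "2025-01-01T00:00:00.000Z",
  modified: "2025-10-12T09:00:00.000Z",
  "1.4.0": "2025-08-01T12:00:00.000Z",
  "1.4.1": "2025-09-20T12:00:00.000Z",
  "1.5.0": "2025-10-12T09:00:00.000Z", // about 27 hours old at NOW below
  "2.0.0-beta.1": "2025-09-01T00:00:00.000Z",
};

// Accept only plain x.y.z; bookkeeping keys and prereleases return null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Pick the highest release that has been public for at least minAgeSeconds.
function applyMinimumReleaseAge(times, minAgeSeconds, now) {
  const allowed = [];
  const heldBack = [];
  for (const [version, published] of Object.entries(times)) {
    const parsed = parseVersion(version);
    if (!parsed) continue;
    const ts = Date.parse(published);
    // Fail closed: an unparseable or future timestamp counts as too new.
    const ageSeconds = Number.isNaN(ts) ? -1 : (now - ts) / 1000;
    (ageSeconds >= minAgeSeconds ? allowed : heldBack).push({ version, parsed });
  }
  allowed.sort((a, b) => compareVersions(b.parsed, a.parsed));
  return {
    selected: allowed.length ? allowed[0].version : null,
    heldBack: heldBack.map((e) => e.version).sort(),
  };
}

const NOW = Date.parse("2025-10-13T12:00:00.000Z"); // fixed clock so the run is repeatable
const SEVEN_DAYS = 7 * 24 * 60 * 60;
console.log(applyMinimumReleaseAge(SAMPLE_TIMES, SEVEN_DAYS, NOW));
```

The held-back list is the part worth logging in CI: it shows which fresh releases the gate deferred, so a later upgrade is a deliberate decision.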

Bun now runs 800 additional tests from the Node.js test suite on each commit (wow!), with new support for the VM module, node:test, and performance monitoring APIs. Furthermore, idle memory usage is reduced by 40% and idle CPU usage reduced by 100% across common frameworks due to improved GC scheduling. The combination of better compatibility and performance characteristics makes Bun increasingly viable for production use cases where Node.js is currently deployed. We can’t wait to start hacking on Bun. Good things coming out of that oven. Keep going, Bun team!