Bun 最近有什么新动态？

traeai 已收录 11 篇与 Bun 相关的内容。最新一篇是「npm 生态遭大范围投毒：TanStack、Mistral AI、UiPath 等受波及，可窃取云密钥与 GitHub 令牌」，由 AI HOT 精选发布。

产品

Bun

别名：bun.sh

高性能JavaScript运行时，曾获大厂支持作为开源可持续案例。

已跟踪 11 条高相关材料

TraeAI 观察

如果只读 3 篇

npm 生态遭大范围投毒：TanStack、Mistral AI、UiPath 等受波及，可窃取云密钥与 GitHub 令牌

AI HOT 精选 · 9.2 分

npm 生态遭大规模供应链攻击，TanStack、Mistral AI、UiPath 等超 160 个包受影响，攻击者通过 GitHub Actions 漏洞利用 OIDC 令牌实现合法发布，植入可窃取云密钥与 GitHub 令牌的恶意代码，已导致近 373 个恶意版本传播。

Claude 4.8炸场！部分能力超过Mythos，支持数百子智能体并行

量子位 · 8.7 分

Claude Opus 4.8发布，代码缺陷漏报率降至4.7版的1/4，硬编答案概率降为1/10；新增动态工作流支持数百子智能体并行执行任务，Bun项目实测产出75万行Rust代码、99.8%测试通过。

Not so locked in any more

Simon Willison's Weblog · 8.5 分

文章讨论了编程语言和开发工具的锁定效应正在减弱，React Native因功能提升成为可逆选择。

npm Ecosystem Hit by Large-Scale Poisoning: TanStack, Mistral AI, UiPath Affected, Can Steal Cloud Keys and GitHub Tokens

AI HOT 精选5月12日3997 字 (约 16 分钟)

A large-scale supply chain attack hit the npm ecosystem, affecting over 160 packages including TanStack, Mistral AI, and UiPath; attackers used GitHub Actions vulnerabilities and OIDC tokens to publish malicious code under trusted identities.

入选理由：攻击者利用 GitHub Actions 的 pull_request_target 漏洞与跨 fork 缓存投毒，绕过双重验证完成恶意发布。

FeaturedArticle#npm#supply chain attack#GitHub Actions#security vulnerability#open source ecosystem中文

Claude 4.8 Explodes! Surpasses Mythos in Some Capabilities, Supports Hundreds of Sub-Agents in Parallel

量子位5月29日1299 字 (约 6 分钟)

Claude Opus 4.8 launched: code defect omission rate reduced to 25% of Opus 4.7’s, hallucination probability dropped to 10%; new Dynamic Workflows enable hundreds of sub-agents in parallel—Bun migration case produced 750K lines of Rust with 99.8% test pass rate.

入选理由：Opus 4.8代码缺陷漏报率仅为Opus 4.7的25%，硬编答案行为概率下降至1/10

FeaturedArticle#Claude#LLM#Agent Collaboration#Code Generation#Anthropic中文

Not so locked in any more

Simon Willison's Weblog5月15日319 字 (约 2 分钟)

The article discusses the weakening of lock-in effects for programming languages and development tools, with React Native becoming a reversible choice due to its improved functionality.

入选理由：React Native功能已覆盖企业应用需求

FeaturedArticle#React#Frontend#AI Engineering中文

The Zig project's rationale for their firm anti-AI contribution policy

Simon Willison's Weblog4月30日679 字 (约 3 分钟)

Zig项目坚持严格的反AI贡献政策，旨在培养长期可靠的贡献者而非追求短期代码质量提升。

入选理由：Zig项目禁止使用LLM进行问题、拉取请求及评论的提交。

FeaturedArticle#Zig#开源#AI伦理英文

[AINews] Anthropic raises $965B Series H, releases Opus 4.8 and Dynamic Workflows/ultracode

[AINews] Anthropic Raises $65B Series H, Releases Opus 4.8 and Dynamic Workflows/ultracode

Latent Space5月29日2463 字 (约 10 分钟)

Anthropic raised $65B in Series H at a $965B post-money valuation, with $47B annualized revenue; simultaneously launched Claude Opus 4.8 (fixing 4.7 issues, SOTA on economic benchmarks) and Dynamic Workflows (ultracode), enabling hundreds of parallel subagents for coding—demonstrated by rewriting 750k LOC of Bun in 6 days.

入选理由：Anthropic Series H融资650亿美元，投后估值9650亿美元，营收年化470亿美元（2025年12月为90亿美元）

FeaturedArticle#Anthropic#Claude#LLM Funding#AI Programming#Dynamic Workflows英文

A quote from Mitchell Hashimoto

Simon Willison's Weblog5月15日224 字 (约 1 分钟)

Mitchell Hashimoto points out that the replaceability of programming languages is increasing, with Bun migrating from Zig to Rust in one or two weeks.

入选理由：Bun项目在1-2周内完成从Zig到Rust的迁移

FeaturedArticle#Programming Languages#Rust#Technology Trends中文

知名的 youtube 下载器 yt-dlp 宣布，将不支持 Bun 的最新版本， Bun 1.3.15 及更高版本
https://t.co/QdCOlpRUE4

原因竟然是：Bun 团队使用 C...

Popular YouTube Downloader yt-dlp to Drop Support for Latest Bun Versions

Viking(@vikingmute)5月23日371 字 (约 2 分钟)

yt-dlp maintainer stops supporting Bun versions 1.3.15 and above due to code quality concerns from Claude-based Rust rewrite.

入选理由：yt-dlp 不再支持 Bun 1.3.15 及以上版本

FeaturedTweet#Bun#yt-dlp#Claude#Rust#Open Source中文

针对最近的各种攻击，我一直在用 pnpm 的
minimumReleaseAge=10080 （分钟）或者 npm 的
min-release-age=7 （天，v11.10+）或者 bun 的
m...

For recent attacks, I've been using pnpm's minimumReleaseAge=10080 (minutes) or npm's min-release-age=7 (days, v11.10+) or bun's minimumReleaseAge=604800 (seconds). It's a very practical and effective defense against npm supply chain attacks.

Viking(@vikingmute)5月13日357 字 (约 2 分钟)

Viking recommends using the package version cooling mechanism provided by pnpm, npm, or bun to defend against npm supply chain attacks, ensuring that newly released packages must cool down for a certain period before being installed, thus avoiding attack windows.

入选理由：pnpm、npm 和 bun 提供了包版本冷却机制，分别设置为 10080 分钟、7 天和 604800 秒。

FeaturedTweet#npm#supply chain attack#security#package manager中文

一个基于 Bun + OpenTUI + SolidJS 构建终端仪表盘，在 TUI 里统一管理看板任务、日程安排和 Claude Code 代理会话。

https://t.co/LWchmTrJK...

A Terminal Dashboard Built with Bun + OpenTUI + SolidJS, Unifying Kanban Tasks, Calendar, and Claude Code Agent Sessions in a TUI

Geek(@geekbb)5月31日101 字 (约 1 分钟)

This project builds a terminal TUI dashboard using Bun + OpenTUI + SolidJS to unify Kanban task boards, calendar scheduling, and Claude Code agent sessions—though it lacks technical depth or architecture details.

入选理由：采用 Bun（超快 JS 运行时）替代 Node.js 提升启动与执行性能