It's also sad that Bun is written in Zig, which has not had a proper review of the stdlib since it's not v1 yet, where Andrew has already stated publicly that Zig should not be used in production until v1 due to security vulnerabilities in the standard lib.
Bun uses Zig's standard library carefully. We read the code for the parts we use (and sometimes change it locally). We also rely on mature C/C++ libraries like picohttpparser, BoringSSL, c-ares (along with the C std lib). We use lots of code from WebKit, and are starting to use more of their security features like segregated heaps.
Bun is currently below v1.0, so not declared production-ready either.
But I'm not sure Bun should go to 1.0 without Zig going to 1.0 too. And Zig 1.0 is a distant target, which is a normal timeline for a programming language.
Bun is apparently targeting September 7th for a 1.0 release. I also have concerns about delivering a stable api using a language that doesn't have one yet.
Tbh I've had the same issue delivering my own 1.x software with 0.x dependencies and my argument has always been that it's my problem, not the client's, so "do not worry". Being realistic, no sw offers any guarantees and Zig's 1.0 stability is more of a "contract" than a "guarantee".
I've never heard Andrew say you shouldn't use Zig in production because of "security vulnerabilities", but simply because Zig is quite immature (expect bugs including segfaults in perfectly "good" code) and changing constantly, not something anyone should want in a production setting.
Honestly. In a world in which JavaScript is the number one language, I’m walking back on the idea that “instability means no good for production”.
10 years ago, I thought for sure that JavaScript devs were eventually going to get sick of breaking and deprecating changes, but they’re still going strong with picking frameworks that just don’t give a shit, switching to new breaking tool chains, etc.
It seems that there are A LOT of developers willing to put up with a whole lot more than I am.
The one I found a while back was a DOS in UTF-8 decoding. I believe it's since been fixed but things like that given that the standard library hasn't been audited. Andrew will definitely have that happen at some point but I'd not put anything Zig into production right now, personally.
> Andrew has already stated publicly that Zig should not be used in production until v1 due to security vulnerabilities in the standard lib.
Andrew has made the claim a couple years ago that Zig should not be used in production yet. The part about security is not at all part of anything he ever claimed, and is in fact only something that you went crazy about on your own.
While I can understand holding real hard onto your opinion, please don't put words in people's mouths, especially when the person in question does not share your position on the matter at all.
As an outside observer without any connection to any of these projects, I'd recommend that you step back from posting strongly held negative opinions and reflect on your biases and assumptions here. It sounds like you are unreasonably disgruntled against zig and derailing tangentially related threads, then claiming unwarranted victimhood.
We are talking about two projects (zig and bun), likely years before 1.0, and you complain they're not perfect, or improving on your timeline. Projects improve security and quality by increasing adoption and thus human resources available for auditing and fixes. You seem to be advocating against adoption, or presuming current users are uninformed about the project's status.
My hobbyist-level interactions with the zig community indicated nothing but calm professionalism and enthusiasm for quality software.
I find it rather odd that junon has constantly been bringing up this security issue for the past 6+ months in all threads that are even in the same neighborhood as Zig, acknowledges that maybe his conversations should go private enough that he asks Dang to anonymize his past public comments so they aren't associated with him... just to repeatedly do it again.
Are we going to come back to this thread in a month and see all these comments of his anonymized too?
I have no dog in this fight as I don't use Bun or Zig nor do I plan on it, but from another outsider's perspective, he definitely seems to have a grudge against Zig and Andrew and is trying to play victim over it.
Please observe that in my post I only recommend reflection, and describe how their communication sounds to me. Seems like I'm not the only one. I am specifically trying to avoid the overtly adversarial language of telling someone off, or telling them what to think or do, so please don't ascribe that unnecessarily.
Dude. It's really odd behaviour of a person to have their pull request rejected, so they respond by going into every single hn post related to zig and posting major exaggeration.
Your pull request was rejected because it wasn’t the direction the language wanted to go.
You keep saying that zig people don’t wish to reconcile privately, but looking at your posts, it’s clear why they’ve stopped engaging with you.
> Yes you and Andrew seem to have a vendetta against me on HN
Two years ago you found a utf8 decoding function in the stdlib that asserted in its documentation that it expects valid utf8. You then went on a Zig community on Discord and started saying that it's a vulnerability because if you feed it invalid utf8, the function will not work correctly. People told you that, well, that's part of the function contract, but you didn't want to hear it and went to post everywhere that Zig doesn't take security seriously (actual quote from you). People also tried to explain to you that a function that does validate the encoding would be welcome, but that since Zig was a new programming language, we didn't have one yet and that for now that's what the stdlib offered (i.e. the function that expects valid utf8). In the meantime somebody else did implement the better API but, two years later, you're still here fixated on that same thing.
> Just strange the Zig team refuses to reconcile this privately and instead resorts to berating me on HN of all places.
From my perspective the best outcome would be that you somehow realize how silly this entire thing is and finally let go. For more complex situations I could understand having an "agree to disagree" conclusion, but given the incredibly ridiculous nature of this specific issue I don't think there's much more for anybody else to learn.
If the above can't happen then I would ask you simply to stop posting misinformation about Zig.
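To make the "function contract" point above concrete, here is an added illustration (not code from this thread, and not Zig's or Bun's standard library): a trusting UTF-8 helper that derives a sequence length from the lead byte alone, beside a validating decoder that refuses truncated, overlong, surrogate and out-of-range sequences instead of relying on the caller. It is written in C; the function names and the sample byte strings are made up for this example. The trusting helper is correct under its stated precondition (valid, complete input); the defensive caller's job is either to guarantee that precondition or to use the checked decoder at the boundary where untrusted bytes come in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical "trusting" helper: length of the sequence implied by the lead
 * byte, assuming the caller already guaranteed valid, complete UTF-8. Correct
 * under that contract, but it has no way to report that the buffer ends early. */
size_t utf8_seq_len_trusting(uint8_t b0) {
    if (b0 < 0x80) return 1;
    if ((b0 & 0xE0) == 0xC0) return 2;
    if ((b0 & 0xF0) == 0xE0) return 3;
    return 4;
}

/* Hypothetical validating decoder for untrusted input. Decodes one sequence
 * from s (len bytes available). Returns bytes consumed (1..4) and stores the
 * code point in *cp (if cp is non-NULL); returns 0 for any invalid or
 * truncated sequence so the caller can reject the input instead of crashing. */
size_t utf8_decode_checked(const uint8_t *s, size_t len, uint32_t *cp) {
    if (len == 0) return 0;
    uint8_t b0 = s[0];
    size_t n;
    uint32_t v, min;
    if (b0 < 0x80) { if (cp) *cp = b0; return 1; }
    else if ((b0 & 0xE0) == 0xC0) { n = 2; v = b0 & 0x1F; min = 0x80; }
    else if ((b0 & 0xF0) == 0xE0) { n = 3; v = b0 & 0x0F; min = 0x800; }
    else if ((b0 & 0xF8) == 0xF0) { n = 4; v = b0 & 0x07; min = 0x10000; }
    else return 0;                 /* stray continuation byte or 0xF8..0xFF lead */
    if (len < n) return 0;         /* truncated: a trusting decoder would read past the end */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min) return 0;                      /* overlong encoding */
    if (v > 0x10FFFF) return 0;                 /* beyond Unicode range */
    if (v >= 0xD800 && v <= 0xDFFF) return 0;   /* UTF-16 surrogate, illegal in UTF-8 */
    if (cp) *cp = v;
    return n;
}

/* Validate a whole buffer; returns 1 if valid, else 0 with *bad (if non-NULL)
 * set to the offset of the first byte that cannot start a valid sequence. */
int utf8_validate(const uint8_t *s, size_t len, size_t *bad) {
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_decode_checked(s + i, len - i, NULL);
        if (n == 0) { if (bad) *bad = i; return 0; }
        i += n;
    }
    return 1;
}

/* Constructed sample inputs (not taken from any real bug report). */
const uint8_t SAMPLE_OK[]        = {'h', 0xC3, 0xA9, 'l', 'l', 'o'};   /* "héllo" */
const uint8_t SAMPLE_TRUNCATED[] = {0xE2, 0x82};                       /* U+20AC cut short */
const uint8_t SAMPLE_OVERLONG[]  = {0xC0, 0xAF};                       /* overlong '/' */
const uint8_t SAMPLE_SURROGATE[] = {0xED, 0xA0, 0x80};                 /* U+D800 */
const uint8_t SAMPLE_EMOJI[]     = {0xF0, 0x9F, 0x98, 0x80};           /* U+1F600 */

int main(void) {
    size_t bad = 0;
    /* The trusting helper says 3 bytes; only 2 exist. Following it blindly
     * would be an out-of-bounds read, which is exactly why its contract
     * demands pre-validated input. */
    printf("trusting length for 0xE2: %zu (buffer holds %zu)\n",
           utf8_seq_len_trusting(SAMPLE_TRUNCATED[0]), sizeof SAMPLE_TRUNCATED);
    printf("checked validate truncated: %d (bad offset %zu)\n",
           utf8_validate(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &bad), bad);
    printf("checked validate ok: %d\n", utf8_validate(SAMPLE_OK, sizeof SAMPLE_OK, NULL));
    return 0;
}
```

The checked decoder is the one to call on bytes arriving from a socket or a file; the trusting helper is fine for buffers your own code already validated, which is the division of labour the function contract in the comment above describes.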
But here we are.