Update oven/bun Docker tag to v1.3.13

[renovate]

This PR contains the following updates:

Package	Update	Change
oven/bun	patch	1.3.11-alpine → 1.3.13-alpine

---

Release Notes

oven-sh/bun (oven/bun)

v1.3.13: Bun v1.3.13

To install Bun v1.3.13

curl -fsSL https://bun.sh/install | bash

# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.13:

bun upgrade

Read Bun v1.3.13's release notes on Bun's blog

Thanks to 8 contributors!

• @​alii
• @​ant-kurt
• @​chrislloyd
• @​cirospaciari
• @​dylan-conway
• @​jarred-sumner
• @​robobun
• @​sosukesuzuki

v1.3.12: Bun v1.3.12

To install Bun v1.3.12

curl -fsSL https://bun.sh/install | bash

# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.12:

bun upgrade

Read Bun v1.3.12's release notes on Bun's blog

Thanks to 8 contributors!

• @​alii
• @​ant-kurt
• @​cirospaciari
• @​dylan-conway
• @​gameroman
• @​jarred-sumner
• @​robobun
• @​sosukesuzuki

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • "after 2am and before 8am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

oven/bun (docker) 1.3.11-alpine -> 1.3.13-alpine

Risk: 🟢 Safe

The Deep Dive

Update Scope

Patch update for the oven/bun Alpine image used by the Frank API sidecar at kubernetes/frank/deployment.yaml:88 (api initContainer running /etc/api/api-entrypoint.sh → bun install + bun run --watch server.js). Skips two patch releases: bun-v1.3.12 (fixes 120 issues) and bun-v1.3.13 (fixes 82 issues). Other containers in the pod (syncthing, nginx, openclaw, alpine-chrome) are unchanged.

Performance & Stability

• bun install streams tarballs to disk — package extraction now happens during download instead of buffering full .tgz + .tar in memory; reduces memory ~17× per the v1.3.13 blog post. Directly relevant: api-entrypoint.sh:36 runs bun install on every container start. Can be disabled with BUN_FEATURE_FLAG_DISABLE_STREAMING_INSTALL=1 if it misbehaves.
• 5% lower runtime memory — mimalloc upgraded from v2 to v3 plus libpas scavenger support on Linux; also fixes a class of long-running-process hangs and crashes (v1.3.13). The Frank API is a long-running bun run --watch process, so this is on the hot path.
• 5.5× faster gzip via zlib-ng 2.3.3 — drop-in replacement of the Cloudflare zlib fork (v1.3.13). Affects any node:zlib / Bun.gzipSync / fetch decode paths that the API may use.
• 8× less memory for source maps — bit-packed binary representation, decode now ~0 cost (v1.3.13).
• JavaScriptCore upgrade (1,316 upstream commits) — broad performance improvements (IC for array.length, string-length folding, SIMD identifier parsing, etc.).

Features & UX

Several new features land in this update; none are wired up by the current Frank config and no action is required. To adopt any of them you would need to edit server.js inside the frank-data PVC (not in this repo):

• Bun.cron() in-process scheduler (v1.3.12 blog) — schedule callbacks on a cron expression. Not used by Frank; api-entrypoint.sh runs bun run --watch server.js, no cron in the entrypoint or container env. To enable: in server.js, call Bun.cron("0 9 * * *", async () => { ... }) (UTC schedule); using job = Bun.cron(...) for auto-stop, .unref() if it should not keep the process alive. No new env vars or container changes needed.
• bun test --parallel/--isolate/--shard/--changed (v1.3.13 blog) — only relevant inside the container if you run bun test; the runtime entrypoint never invokes the test runner. To enable: invoke bun test --parallel[=N], bun test --isolate, bun test --shard=M/N, or bun test --changed[=ref] (e.g. from a CI step that kubectl execs into the pod or from a separate test image). No code changes required.
• Range request support in Bun.serve() (v1.3.13 blog) — automatic 206 Partial Content for file responses. Useful only if server.js serves files via Bun.file(); not visible in this repo (server.js lives in the frank-data PVC). To enable: return new Response(Bun.file(path)) from a Bun.serve({ fetch }) handler or a static routes: entry — Range: headers are then honored automatically with no extra config.
• SHA3 in node:crypto / WebCrypto (v1.3.13 blog) — to enable: pass "sha3-224", "sha3-256", "sha3-384", or "sha3-512" to crypto.createHash() / crypto.createHmac() / crypto.subtle.digest() / crypto.subtle.sign|verify().
• X25519 deriveBits in WebCrypto (v1.3.13 blog) — to enable: await crypto.subtle.deriveBits({ name: "X25519", public: peerPubKey }, privKey, 256) (pass null for full 32-byte output).
• ws+unix:// / wss+unix:// WebSocket client (v1.3.13 blog) — to enable: new WebSocket("ws+unix:///tmp/app.sock") or "ws+unix:///tmp/app.sock:/api/stream" for a request path; for TLS use wss+unix:// with tls: options.

Key Fixes

• socket.setTimeout() no longer spuriously fires on active reads (v1.3.13 blog) — the inactivity timer was previously only reset on writes, so long-lived sockets consuming HTTP response bodies, DB query results, or streamed pipes could timeout incorrectly (the release notes call out a Mongoose timeout regression). Frank's api container talks Postgres via DATABASE_URL and runs an HTTP server on port 3001, so this is the most directly relevant runtime fix.
• Worker lifecycle crashes fixed — worker.terminate(), sending messages, or natural exit could crash (v1.3.13 blog).
• node:http2 h2c server compatibility fixed for strict HTTP/2 peers (curl, Node http2.connect, Envoy) — invalid ENABLE_PUSH setting and malformed end-of-stream sequence (v1.3.13 blog).
• Unix domain socket lifecycle now matches Node.js (v1.3.12 blog) — binding to an existing .sock file now returns EADDRINUSE instead of silently stealing it; close() removes the socket file. Behavior change but not in use here (no unix: listener configured).
• os.freemem() on Linux now reads MemAvailable rather than sysinfo.freeram, matching Node.js (v1.3.13 blog) — reported value will be larger; harmless unless code thresholds on it.

Newer Versions

bun-v1.3.13 is the latest release per gh release list --repo oven-sh/bun (next-newest is 1.3.12). No newer patch is being skipped.

Hazards & Risks

No breaking changes identified for this deployment. Both bun-v1.3.12 and bun-v1.3.13 are patch releases; the release notes contain no removals or compatibility breaks affecting bun install or bun run. Items worth noting but not blocking:

• Open upstream issue #30010 describes a Bun.SQL/PostgresSQLConnection wrapper leak that drives RSS up ~340 MB/h under load. The reporter explicitly states the same behavior was observed on earlier 1.3.x, so this is pre-existing in the currently deployed 1.3.11 — it does not represent new risk introduced by this PR. Whether it matters at all depends on whether server.js (in the frank-data PVC, not visible in this repo) uses Bun.SQL; if it does, the workaround per the issue is drizzle-orm/node-postgres + pg.Pool.
• bun install streaming extraction is enabled by default. server.js and package.json live in the frank-data PVC and are not accessible for static inspection from this repo; registry configuration (private registries, custom .npmrc/bunfig.toml) cannot be verified. The upstream-provided escape hatch is BUN_FEATURE_FLAG_DISABLE_STREAMING_INSTALL=1 if extraction misbehaves. Not currently set in deployment.yaml.
• os.freemem() on Linux now reports MemAvailable rather than freeram, which yields a larger number; only relevant if server.js thresholds on it.
• Unix-socket bind to an existing file now throws EADDRINUSE instead of stealing it. The Frank API binds TCP port 3001 only — no unix: listener configured — so no impact.

Sources

• Bun v1.3.13 release
• Bun v1.3.13 blog post (full changelog)
• Bun v1.3.12 release
• Bun v1.3.12 blog post (full changelog)
• oven-sh/bun security advisories
• Open issue: Bun.SQL PostgresSQLConnection leak (pre-existing)
• Frank deployment manifest
• Frank API entrypoint script

---

🟢 Verdict: Safe

Two-patch bump on a stable 1.x line with no breaking changes, all CI green, and concrete wins on the hot path (bun install memory, runtime allocator, socket.setTimeout correctness). The one notable open issue (Bun.SQL connection-wrapper leak) is pre-existing in 1.3.11 per the upstream reporter, so this PR does not increase risk. Safe to merge; no follow-up actions needed.