Fix bun install hang with security scanner and many packages

[robobun]

Summary

• Fixes bun install hanging indefinitely when a security scanner is configured and the project has >~790 packages
• Packages JSON is now written to a temporary file instead of being embedded inline in the -e code argument
• The temp file is cleaned up after the scanner subprocess completes

Root Cause

The security scanner subprocess received package metadata embedded directly in the TypeScript code string passed via bun -e "...". For large projects (>~790 packages), the JSON payload exceeds the OS per-argument size limit (MAX_ARG_STRLEN = 128KB on Linux), causing posix_spawn to fail silently and the parent process to wait indefinitely.

Fix

• security_scanner.zig: Write json_data to a temp file in the system temp directory before spawning the subprocess. Replace the __PACKAGES_FILE__ placeholder in the code template with the temp file path (a short string). Clean up the temp file in the defer block after the scanner completes.
• scanner-entry.ts: Read package data from the temp file path using fs.readFileSync instead of using the inline __PACKAGES_JSON__ placeholder.
• Removed the unused json_data field from SecurityScanSubprocess since data is no longer passed via the struct.

Verification

• All 42 existing security scanner tests pass with the debug build (2 pre-existing timing flakes in ASAN debug builds unrelated to this change)
• Added regression test test/regression/issue/23607.test.ts that verifies the scanner correctly receives packages via the temp file mechanism
• Test proof: USE_SYSTEM_BUN=1 fails (old code doesn't have temp file reading), bun bd test passes

Fixes #23607

---

Verification: CI green — all Linux, Windows, macOS, ASAN passed. Two darwin-14-aarch64 test failures verified as pre-existing flakes (both also fail on baked main binary): dev-server.test.ts (puppeteer timeout) and snapshot.test.ts (hangs). upload-benchmark.mjs infra flake. Test proof holds: baked binary fails on regression test, PR binary passes. Diff clean. Bot threads resolved. Suggested reviewer: @dylan-conway.

[robobun]

^{Updated 2:48 PM PT - Mar 14th, 2026}

❌ @autofix-ci[bot], your commit bb32005 has 2 failures in Build #39663 (All Failures):

• test/integration/next-pages/test/dev-server.test.ts - code 1 on 🍎 14 aarch64
• test/js/bun/util/v8-heap-snapshot.test.ts - SIGKILL on 🐧 25.04 x64

---

🧪   To try this PR locally:

bunx bun-pr 28116

That installs a local version of the PR into your bun-28116 executable, so you can run:

bun-28116 --bun

[robobun]

✅ Verification complete — commit bb32005

Gate 1 (CI): Build #39663 — all test jobs pass. Two non-blocking failures:

• darwin-14-aarch64-test-bun: Known flake — has both success+failure statuses on this PR and PRs fix(ffi): segfault when threadsafe JSCallback invoked from multiple native threads #28115, ws: support upgrade and unexpected-response events #28114, fix: Bun.write with new Response(req.body) no longer hangs #28112, fix(build): pass -O3 at link time so LTO codegen runs at -O3 instead of default -O2 #28085 (all show the same pattern).
• upload-benchmark.mjs: Infra script, not a test.

Gate 2 (Classification): Bug fix — test proof required.

Gate 3 (Test proof): ✅

• New test: test/regression/issue/16928.test.ts
• Baked binary (main): FAILS as expected (scanner hangs with >8 args)
• PR binary (debug): PASSES
• PR binary (release): PASSES

Gate 4 (Diff): ✅ No TODOs/FIXMEs. Fix matches root cause: ARG_MAX limit on scanner child process args resolved by writing packages to a temp file instead.

Gate 5 (Bot convergence): ✅ All 9 review threads resolved (coderabbit nitpicks, all noise).

Gate 6 (Hygiene): ✅ Branch follows farm/ convention. PR body describes the issue clearly.

Ready for human review.

[coderabbitai]

Walkthrough

Replaces inline package JSON passing with a temporary-file mechanism: removes the __PACKAGES_JSON__ global, adds __PACKAGES_FILE__ usage, updates scanner entry to read/parse the file at runtime, and changes the scanner flow to write, pass, and unlink a temp JSON file. Adds a regression test for this behavior.

Changes

Cohort / File(s)	Summary
Inline-to-File Migration src/install/PackageManager/scanner-entry-globals.d.ts, src/install/PackageManager/scanner-entry.ts, src/install/PackageManager/security_scanner.zig	Removed the __PACKAGES_JSON__ global declaration; introduced __PACKAGES_FILE__. scanner-entry.ts reads/parses packages from a JSON file at __PACKAGES_FILE__. security_scanner.zig now writes packages JSON to a temp file, injects the temp path into the scanner command, normalizes Windows paths, ensures unlink cleanup, and removed json_data from SecurityScanSubprocess.
Regression Test test/regression/issue/23607.test.ts	Added test verifying the scanner receives packages via a temporary file during bun install: it checks the temp file exists, contains valid JSON array data, and that the install exits successfully.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the primary change: fixing the hang issue in bun install when a security scanner is configured with many packages by switching from inline argument passing to temporary file approach.
Linked Issues check	✅ Passed	All code requirements from issue #23607 are met: scanner no longer hangs with many packages, uses temporary file instead of inline arguments, receives complete package list, avoids OS per-argument limits, and preserves scanner workflow.
Out of Scope Changes check	✅ Passed	All changes are directly focused on fixing the hang issue: modifications to security_scanner.zig handle temp file creation/cleanup, scanner-entry.ts reads from the temp file, globals declaration is updated, and test validates the fix without introducing unrelated changes.
Description check	✅ Passed	The PR description comprehensively covers all required template sections with clear explanations of the changes, root cause, fix, and verification.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/install/PackageManager/security_scanner.zig (1)

721-730: ⚠️ Potential issue | 🟠 Major

Escape backslashes in Windows paths before inserting into TypeScript source.

On Windows, joinAbsStringBufZ(..., .auto) returns a path with backslash separators (e.g., C:\Users\Temp\bun-scanner-...). When inserted directly into the TypeScript string literal at line 725, the backslashes will cause invalid escape sequences like \U and \T in the resulting code:

fs.readFileSync("C:\Users\Temp\...", "utf8")  // ❌ Invalid escapes

Either escape the backslashes (e.g., C:\\Users\\Temp\\...) or use forward slashes when building the path. Consider using bun.path.joinAbsStringBufZ(..., .posix) to ensure forward slashes, or add escaping logic when inserting the path into the TypeScript source.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/install/PackageManager/security_scanner.zig` around lines 721 - 730, The
inserted JSON path (json_tmppath) can contain Windows backslashes which produce
invalid TypeScript string escapes when appended into temp_source around
packages_placeholder; update the insertion logic in the block that builds
new_code (symbols: packages_placeholder, temp_source, new_code, json_tmppath) to
ensure json_tmppath is safe for a TS string literal — either convert the path to
posix-style slashes (use joinAbsStringBufZ(..., .posix) where the path is
created) or escape backslashes in json_tmppath (replace "\" with "\\") before
calling new_code.appendSlice(json_tmppath); keep the rest of the splice logic
intact so the TS source receives a valid quoted path.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/install/PackageManager/scanner-entry.ts`:
- Around line 1-4: Wrap the synchronous read/parse of "__PACKAGES_FILE__" in a
try-catch so failures produce a clear, specific error instead of a generic
throw; specifically, surround the
JSON.parse(fs.readFileSync("__PACKAGES_FILE__", "utf8")) assignment to packages
(and keep scannerModuleName untouched) with a try block, catch the error, call
the existing error exit/handler (e.g., writeAndExit or the same mechanism used
by the outer catch) with a descriptive message like "Failed to read/parse
packages file" plus the caught error, and ensure packages is only used if the
read/parse succeeded.

---

Outside diff comments:
In `@src/install/PackageManager/security_scanner.zig`:
- Around line 721-730: The inserted JSON path (json_tmppath) can contain Windows
backslashes which produce invalid TypeScript string escapes when appended into
temp_source around packages_placeholder; update the insertion logic in the block
that builds new_code (symbols: packages_placeholder, temp_source, new_code,
json_tmppath) to ensure json_tmppath is safe for a TS string literal — either
convert the path to posix-style slashes (use joinAbsStringBufZ(..., .posix)
where the path is created) or escape backslashes in json_tmppath (replace "\"
with "\\") before calling new_code.appendSlice(json_tmppath); keep the rest of
the splice logic intact so the TS source receives a valid quoted path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7195228b-c06b-4932-afa7-9e199ef72658

📥 Commits

Reviewing files that changed from the base of the PR and between 10bdb48 and c4034e108bc47c2f7b1969d639d305d44c17c737.

📒 Files selected for processing (4)

• src/install/PackageManager/scanner-entry-globals.d.ts
• src/install/PackageManager/scanner-entry.ts
• src/install/PackageManager/security_scanner.zig
• test/regression/issue/23607.test.ts

💤 Files with no reviewable changes (1)

• src/install/PackageManager/scanner-entry-globals.d.ts

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/install/PackageManager/security_scanner.zig`:
- Around line 680-683: The temp path generation using tmp_path_buf and tmp_path
(built with FileSystem.RealFS.tmpdirPath() and milliTimestamp()) can collide
across processes; modify the bufPrintZ format call that constructs tmp_path to
include the current process id (PID) alongside
`@bitCast`(std.time.milliTimestamp()) so the string becomes e.g.
"{s}/bun_scan_{x}_{d}" (or similar) and pass std.os.getpid() (or equivalent)
into the varargs, ensuring tmp_path remains checked for PathTooLong as before.
- Around line 680-683: The tmp_path value constructed using
FileSystem.RealFS.tmpdirPath() may contain Windows backslashes which break the
JavaScript string literal; modify the code that builds tmp_path (the
tmp_path_buf/tmp_path construction) to escape backslashes before injecting into
scanner-entry.ts by replacing each "\" with "\\", e.g., transform the
tmpdirPath() result to an escaped string (using std.mem.replace or a small loop)
and then use that escaped string in std.fmt.bufPrintZ so tmp_path contains
double-backslashes and is safe for the JS string literal.

In `@test/regression/issue/23607.test.ts`:
- Line 47: Replace the string-concatenated path in the fs.readFileSync call with
a cross-platform join using the path module: locate the expression that reads
fs.readFileSync(tmpDir + "/" + scanFile, "utf8") (using variables tmpDir and
scanFile) and change it to use path.join(tmpDir, scanFile); ensure the test file
imports or requires the path module (e.g., const path = require("path") or
import path from "path") so the join call is available.
- Around line 39-44: The test currently picks any file matching "bun_scan_*" in
tmpDir which may belong to another concurrent process; after locating scanFile
(tmpFiles.find(...)) open and read the file at path join(tmpDir, scanFile) and
assert its contents include the expected package name "is-number" (or another
deterministic marker produced by this install) so the test verifies the temp
file belongs to this run rather than any concurrent process.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 59536a4e-a8b5-4b7f-90f1-dd92318025d5

📥 Commits

Reviewing files that changed from the base of the PR and between c4034e108bc47c2f7b1969d639d305d44c17c737 and ff91148fc00c81519a6bf840b36aff0571516ef1.

📒 Files selected for processing (4)

• src/install/PackageManager/scanner-entry-globals.d.ts
• src/install/PackageManager/scanner-entry.ts
• src/install/PackageManager/security_scanner.zig
• test/regression/issue/23607.test.ts

💤 Files with no reviewable changes (1)

• src/install/PackageManager/scanner-entry-globals.d.ts