
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@fluojs/platform-bun
Advanced tools
English 한국어
Bun-backed HTTP adapter for the fluo runtime, built on native Bun.serve().
npm install @fluojs/platform-bun
This package is intended to run on Bun. The published manifest intentionally does not declare engines.node, so npm metadata stays aligned with the Bun runtime contract; the repository's Node.js 20+ requirement only applies to the maintainer build/test toolchain.
Use this package when running fluo applications on the Bun runtime. This adapter leverages Bun's high-performance Request/Response bridge and native fetch-style architecture, providing a seamless and fast experience for Bun users.
During application shutdown, the adapter stops new ingress and gives active HTTP handlers a bounded drain window before Bun forcefully tears the server down. If signal-driven shutdown exceeds forceExitTimeoutMs or fails, fluo reports that condition through logging and process.exitCode while leaving final process termination to Bun or the surrounding host.
import { createBunAdapter } from '@fluojs/platform-bun';
import { fluoFactory } from '@fluojs/runtime';
import { AppModule } from './app.module';
const app = await fluoFactory.create(AppModule, {
adapter: createBunAdapter({ port: 3000 }),
});
await app.listen();
If you prefer to manage the Bun server yourself, you can use the fetch handler directly.
import { createBunFetchHandler } from '@fluojs/platform-bun';
const handler = await createBunFetchHandler({
dispatcher: app.getHttpDispatcher(),
});
Bun.serve({
fetch: handler,
port: 3000,
});
The adapter supports Bun's native server.upgrade() through the @fluojs/websockets/bun binding.
// gateways automatically use Bun's native upgrade when the Bun adapter is active
@WebSocketGateway({ path: '/ws' })
export class MyGateway {}
routes Object AccelerationOn Bun >=1.2.3, the adapter opportunistically registers safe static and parameterized fluo routes through Bun.serve({ routes }) while still routing matched requests back through the shared fluo dispatcher.
For semantically safe unversioned routes, Bun hands the pre-matched descriptor and params to the shared dispatcher so duplicate route matching is skipped while raw body, multipart, SSE, error responses, shutdown drain behavior, and websocket upgrade delegation stay on the same shared execution path. If route shape parity is unsafe, such as same-shape parameter routes with different param names, ALL-method handlers, normalization-sensitive paths, or non-URI versioning, the adapter falls back to fetch-only dispatch for those routes instead of changing fluo semantics.
If app middleware rewrites the framework request method or path after a Bun native handoff is attached, the dispatcher discards that stale handoff and rematches the rewritten request. Unsupported methods such as OPTIONS and CORS preflight behavior remain owned by the shared dispatcher/middleware path unless a fluo route explicitly owns them.
createBunAdapter(options): Recommended factory for the Bun adapter.createBunFetchHandler(options): Creates a native fetch(request) handler for custom Bun.serve() setups.bootstrapBunApplication(module, options): Advanced bootstrap without implicit startup logging.runBunApplication(module, options): Compatibility helper for quick startup with signal wiring.The adapter also exports the typed Bun integration seams used by realtime packages:
BunHttpApplicationAdapter: HttpApplicationAdapter implementation backed by Bun.serve().BunAdapterOptions: host, port, TLS, raw-body, multipart, and shutdown options accepted by createBunAdapter().BootstrapBunApplicationOptions and RunBunApplicationOptions: application bootstrap/run options for Bun-hosted apps.BunWebSocketBinding and BunRealtimeBindingHost: binding contracts used by @fluojs/websockets/bun before normal HTTP dispatch.BunWebSocketBindingHost: Backward-compatible alias for configuring Bun realtime bindings.BunServeOptions, BunServerLike, BunWebSocketHandler, BunServerWebSocket, BunWebSocketMessage, BunApplicationSignal, BunCorsInput, BunTlsOptions, and CreateBunFetchHandlerOptions: Lower-level Bun host, websocket, signal, CORS, TLS, and fetch-handler integration types.globalThis.Bun.serve() at listen time. Tests may provide a Bun-compatible test double, but production use is Bun-only.rawBody: true, and SSE framing.routes object is available and a fluo route shape is semantically safe to pre-register, the adapter lets Bun short-circuit path matching before handing the request back to the shared dispatcher. Unsupported or ambiguous route shapes fall back to the regular fetch path, and stale handoffs are ignored if middleware rewrites method/path before handler matching.>=1.2.3; versioned routes, ALL handlers, same-shape conflicts, normalization-sensitive paths, and OPTIONS/CORS preflight stay on the fetch/shared-dispatch path.rawBody, and multipart limits continue to flow through the shared runtime parser.hostname, port, and tls are forwarded to Bun.serve(). Startup logs report the configured HTTP or HTTPS listen URL.close() stops new ingress, waits for in-flight HTTP handlers, clears adapter state after drain settles, and removes signal listeners registered by runBunApplication().listen() starts the server. Upgrade requests are offered to the configured binding before falling back to HTTP dispatch.BunHttpApplicationAdapter exposes getServer(), getListenTarget(), getRealtimeCapability(), configureRealtimeBinding(), configureWebSocketBinding(), listen(), and close().packages/platform-bun/src/adapter.test.ts is the package-local regression target for the documented contract. It includes Bun fetch-style portability assertions for malformed cookies, JSON/text raw-body preservation, multipart raw-body exclusion, SSE framing, native-route param parity, same-path multi-method handoff, versioning fallback, normalization-sensitive fallback, OPTIONS/CORS ownership, and same-shape route fallback, plus focused tests for startup logging, shutdown listener cleanup, in-flight drain behavior, timeout reporting, and websocket binding delegation.
The broader repository suite also exercises Bun through createWebRuntimeHttpAdapterPortabilityHarness(...) alongside Deno and Cloudflare Workers in packages/testing/src/portability/web-runtime-adapter-portability.test.ts, keeping the shared web-runtime portability baseline aligned across fetch-style platforms.
@fluojs/runtime: Core framework runtime.@fluojs/websockets: Includes specific subpath @fluojs/websockets/bun.@fluojs/socket.io: Supports the native Bun engine.packages/platform-bun/src/adapter.test.tspackages/websockets/src/bun/bun.test.tsFAQs
Bun-based HTTP adapter for the Fluo runtime.
The npm package @fluojs/platform-bun receives a total of 30 weekly downloads. As such, @fluojs/platform-bun popularity was classified as not popular.
We found that @fluojs/platform-bun demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.