oven-sh · Jarred-Sumner · May 19, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/src/semver/SemverQuery.rs b/src/semver/SemverQuery.rs
@@ -722,7 +722,11 @@ pub fn parse(input: &[u8], sliced: SlicedString) -> Result<Group, AllocError> {
     let mut token = Token::default();
     let mut prev_token = Token::default();
 
-    let mut count: u8 = 0;
+    // u32, not u8: a range with >=256 `||`/whitespace comparators overflows a
+    // u8 on the 256th increment. Zig's ReleaseFast wrapped (256 -> 0) silently;
+    // Rust's debug profile has overflow-checks and would panic+abort. `count`
+    // is only ever compared `== 0`, so the wider type is strictly more correct.
+    let mut count: u32 = 0;
     let mut skip_round;
     let mut is_or = false;
 

diff --git a/test/cli/install/semver.test.ts b/test/cli/install/semver.test.ts
@@ -14,6 +14,7 @@
 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 // IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+import { bunEnv, bunExe } from "harness";
 import { unsortedPrereleases } from "./semver-fixture.js";
 const { satisfies, order } = Bun.semver;
 
@@ -738,3 +739,18 @@
     expect(unsortedPrereleases.sort(Bun.semver.order)).toMatchSnapshot();
   });
 });
+
+test("a version range with >=256 || comparators does not abort", async () => {
+  const range = Array(300).fill("1.0.0").join(" || ");
+  await using proc = Bun.spawn({
+    cmd: [bunExe(), "-e", `process.stdout.write(String(Bun.semver.satisfies("1.0.0", ${JSON.stringify(range)})))`],
+    env: bunEnv,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  const [stdout, exitCode] = await Promise.all([proc.stdout.text(), proc.exited]);
+  // The 256th comparator overflowed a u8 counter -> panic+abort (exit 133) in
+  // debug builds. Fixed: a wider counter parses it fine, like released Bun.
+  expect(stdout).toBe("true");
+  expect(exitCode).toBe(0);
+});