oven-sh · Jarred-Sumner · May 28, 2026 · May 27, 2026 · May 27, 2026 · May 27, 2026
diff --git a/packages/bun-usockets/src/crypto/openssl.c b/packages/bun-usockets/src/crypto/openssl.c
@@ -1119,8 +1119,15 @@ struct us_socket_t *us_internal_ssl_on_data(struct us_socket_t *s, char *data, i
     read += just_read;
 
     if (read == LIBUS_RECV_BUFFER_LENGTH) {
+      char *saved_input = loop_ssl_data->ssl_read_input;
+      unsigned int saved_length = loop_ssl_data->ssl_read_input_length;
+      unsigned int saved_offset = loop_ssl_data->ssl_read_input_offset;
       s = us_dispatch_data(s, loop_ssl_data->ssl_read_output + LIBUS_RECV_BUFFER_PADDING, read);
       if (!s || ssl_gone(s)) return NULL;
+      loop_ssl_data->ssl_read_input = saved_input;
+      loop_ssl_data->ssl_read_input_length = saved_length;
+      loop_ssl_data->ssl_read_input_offset = saved_offset;
+      loop_ssl_data->ssl_socket = s;
       read = 0;
       goto restart;
     }

diff --git a/packages/bun-uws/src/HttpContext.h b/packages/bun-uws/src/HttpContext.h
@@ -319,7 +319,7 @@ struct HttpContext {
 
             /* Route the method and URL */
             selectedRouter->getUserData() = {(HttpResponse<SSL> *) s, httpRequest};
-            if (!selectedRouter->route(httpRequest->getCaseSensitiveMethod(), httpRequest->getUrl())) {
+            if (!selectedRouter->route(httpRequest->getCaseSensitiveMethod(), httpRequest->getUrlForRouting())) {
                 /* We have to force close this socket as we have no handler for it */
                 us_socket_close((us_socket_t *) s, 0, nullptr);
                 return nullptr;

diff --git a/packages/bun-uws/src/HttpParser.h b/packages/bun-uws/src/HttpParser.h
@@ -321,6 +321,27 @@ namespace uWS
             return headers->value;
         }
 
+        std::string_view getUrlForRouting()
+        {
+            std::string_view url = getUrl();
+            if (url.length() && url[0] != '/') {
+                size_t schemeLength = 0;
+                if (url.length() >= 7 && strncasecmp(url.data(), "http://", 7) == 0) {
+                    schemeLength = 7;
+                } else if (url.length() >= 8 && strncasecmp(url.data(), "https://", 8) == 0) {
+                    schemeLength = 8;
+                }
+                if (schemeLength) {
+                    size_t pathStart = url.find('/', schemeLength);
+                    if (pathStart == std::string_view::npos) {
+                        return "/";
+                    }
+                    return url.substr(pathStart);
+                }
+            }
+            return url;
+        }
+
         /* Hack: this should be getMethod */
         std::string_view getCaseSensitiveMethod()
         {

diff --git a/src/http/HTTPContext.rs b/src/http/HTTPContext.rs
@@ -1292,6 +1292,7 @@ impl<const SSL: bool> Handler<SSL> {
             }
 
             bun_core::scoped_log!(HTTPContext, "Unexpected data on socket");
+            HTTPContext::<SSL>::terminate_socket(socket);
 
             return;
         }

diff --git a/src/http/lib.rs b/src/http/lib.rs
@@ -211,6 +211,7 @@ pub struct Flags {
     /// Set after the first H3 retry so a stale-session/GOAWAY race retries
     /// once on a fresh connection but never loops.
     pub h3_retried: bool,
+    pub is_node_http_client: bool,
 }
 
 impl Default for Flags {
@@ -233,6 +234,7 @@ impl Default for Flags {
             force_http1: false,
             force_http3: false,
             h3_retried: false,
+            is_node_http_client: false,
         }
     }
 }
@@ -768,7 +770,7 @@ use core::ffi::c_uint;
 
 use bstr::BStr;
 use bun_boringssl as boringssl;
-use bun_collections::ArrayHashMap;
+use bun_collections::{ArrayHashMap, VecExt};
 use bun_core::StringBuilder;
 use bun_core::{FeatureFlags, Global, Output, err};
 use bun_core::{OwnedString, String as BunString, Tag as BunStringTag, immutable as strings};
@@ -2260,7 +2262,10 @@ impl<'a> HTTPClient<'a> {
                     picohttp::Header::new(CONTENT_LENGTH_HEADER_NAME, value);
                 header_count += 1;
             }
-        } else if let Some(content_length) = original_content_length {
+        } else if let Some(content_length) = original_content_length
+            && (self.flags.is_node_http_client
+                || matches!(bun_core::parse_unsigned::<usize>(content_length, 10), Ok(0)))
+        {
             request_headers_buf[header_count] =
                 picohttp::Header::new(CONTENT_LENGTH_HEADER_NAME, content_length);
             header_count += 1;
@@ -3183,7 +3188,7 @@ impl<'a> HTTPClient<'a> {
             // if less than 16 it will always be a ShortRead
             if to_read!().len() < 16 {
                 bun_core::scoped_log!(fetch, "handleShortRead");
-                self.handle_short_read::<IS_SSL>(incoming_data, socket, needs_move);
+                self.handle_short_read::<IS_SSL>(to_read!(), socket, needs_move);
                 return;
             }
 
@@ -3206,7 +3211,7 @@ impl<'a> HTTPClient<'a> {
                         self.close_and_fail::<IS_SSL>(err!(ResponseHeadersTooLarge), socket);
                         return;
                     }
-                    self.handle_short_read::<IS_SSL>(incoming_data, socket, needs_move);
+                    self.handle_short_read::<IS_SSL>(to_read!(), socket, needs_move);
                     return;
                 }
                 Err(e) => {
@@ -3248,6 +3253,13 @@ impl<'a> HTTPClient<'a> {
                 bun_core::scoped_log!(fetch, "information headers");
 
                 self.state.pending_response = None;
+                if !needs_move {
+                    let remaining = to_read!().len();
+                    let buffer = &mut self.state.response_message_buffer.list;
+                    let consumed = buffer.len().saturating_sub(remaining);
+                    buffer.drain_front(consumed);
+                    to_read = bun_ptr::RawSlice::new(buffer.as_slice());
+                }
                 if to_read!().is_empty() {
                     // we only received 1XX responses, we wanna wait for the next status code
                     return;
@@ -4045,6 +4057,11 @@ impl<'a> HTTPClient<'a> {
     ) -> Result<bool, bun_core::Error> {
         debug_assert!(self.state.transfer_encoding == Encoding::Identity);
         let content_length = self.state.content_length;
+        if let Some(len) = content_length
+            && incoming_data.len() > len.saturating_sub(self.state.total_body_received)
+        {
+            self.state.flags.allow_keepalive = false;
+        }
         // is it exactly as much as we need?
         if is_only_buffer
             && let Some(len) = content_length

diff --git a/src/http_jsc/websocket_client.rs b/src/http_jsc/websocket_client.rs
@@ -1840,8 +1840,8 @@ impl<const SSL: bool> WebSocket<SSL> {
                 ws: NonNull::new(outgoing).map(|p| unsafe { CppWebSocketRef::new(p) }),
             }));
             // Backref so `handle_data` can drain the buffered slice ahead of
-            // fresh socket data, and so `deinit()` can reclaim the box if
-            // process.exit() races ahead of the microtask drain.
+            // fresh socket data, and so `deinit()` can detach from the box if
+            // teardown races ahead of the microtask drain.
             ws_ref.initial_data_handler = NonNull::new(initial_data);
 
             // Use a higher-priority callback for the initial onData handler
@@ -2053,18 +2053,19 @@ impl<const SSL: bool> WebSocket<SSL> {
         this_ref.clear_data();
         // deflate already dropped in clear_data; this is defensive parity with Zig
         this_ref.deflate = None;
-        // The queued microtask normally owns the handler box and clears this
-        // field via `handle_without_deinit` before freeing it. Reaching
-        // `deinit()` with the field still set means the microtask never
-        // drained (process.exit() under the API lock during onopen) and JSC
-        // is being torn down — reclaim the box so LSan doesn't flag it. In
-        // normal operation the adopted-socket I/O ref keeps `ref_count > 0`
-        // until after microtasks drain, so this branch is not hit.
         if let Some(handler) = this_ref.initial_data_handler.take() {
-            // SAFETY: allocated via `heap::into_raw` in init()/init_with_tunnel();
-            // sole remaining owner — JSC's microtask queue only holds the
-            // pointer encoded as a JSValue double and will not run again.
-            drop(unsafe { bun_core::heap::take(handler.as_ptr()) });
+            // SAFETY: the handler box was allocated via `heap::into_raw` in
+            // init()/init_with_tunnel() and is normally freed by the queued
+            // microtask in `InitialDataHandler::handle`; this field still
+            // being set means that microtask has not run yet, so the box is
+            // live and the raw field write does not alias any borrow.
+            unsafe { core::ptr::addr_of_mut!((*handler.as_ptr()).adopted).write(None) };
+            if this_ref.global_this.bun_vm().is_shutting_down() {
+                // SAFETY: same allocation as above; the VM is shutting down, so
+                // the queued microtask can no longer run and this is the sole
+                // remaining owner of the box.
+                drop(unsafe { bun_core::heap::take(handler.as_ptr()) });
+            }
         }
         bun_core::scoped_log!(alloc, "destroy({}) = {:p}", Self::ALLOC_TYPE_NAME, this);
         // SAFETY: this was allocated via heap::alloc in init/init_with_tunnel

diff --git a/src/install/PackageManager/PackageManagerOptions.rs b/src/install/PackageManager/PackageManagerOptions.rs
@@ -597,11 +597,21 @@ impl Options {
                                 || registry_.starts_with(b"http://"))
                         {
                             let prev_scope = self.scope.clone();
+                            let prev_url = prev_scope.url.url();
+                            let new_url = bun_url::URL::parse(registry_);
+                            let token = if bun_core::without_trailing_slash(new_url.host)
+                                == bun_core::without_trailing_slash(prev_url.host)
+                                && (new_url.is_https() || !prev_url.is_https())
+                            {
+                                prev_scope.token
+                            } else {
+                                Box::default()
+                            };
                             // PORT NOTE: was `std.mem.zeroes(Api.NpmRegistry)`; zeroed slices are
                             // invalid in Rust — use Default (empty strings) which is semantically equivalent.
                             let api_registry = Api::NpmRegistry {
                                 url: registry_.into(),
-                                token: prev_scope.token,
+                                token,
                                 ..Default::default()
                             };
                             self.scope = Npm::registry::Scope::from_api(b"", api_registry, env)?;

diff --git a/src/install/PackageManager/security_scanner.rs b/src/install/PackageManager/security_scanner.rs
@@ -535,11 +535,6 @@ impl<'a> PackageCollector<'a> {
                 continue;
             }
 
-            let dep_res = &pkg_resolutions[dep_pkg_id as usize];
-            if dep_res.tag != bun_install::resolution::Tag::Npm {
-                continue;
-            }
-
             if self.dedupe.get_or_put(dep_pkg_id)?.found_existing {
                 continue;
             }
@@ -572,11 +567,6 @@ impl<'a> PackageCollector<'a> {
                     continue;
                 }
 
-                let dep_res = &pkg_resolutions[dep_pkg_id as usize];
-                if dep_res.tag != bun_install::resolution::Tag::Npm {
-                    continue;
-                }
-
                 if self.dedupe.get_or_put(dep_pkg_id)?.found_existing {
                     continue;
                 }
@@ -609,10 +599,6 @@ impl<'a> PackageCollector<'a> {
                 if update_pkg_id != req.package_id {
                     continue;
                 }
-                if pkg_resolutions[update_pkg_id as usize].tag != bun_install::resolution::Tag::Npm
-                {
-                    continue;
-                }
 
                 let mut update_dep_id: DependencyID = invalid_dependency_id;
                 let mut parent_pkg_id: PackageID = invalid_package_id;
@@ -682,16 +668,18 @@ impl<'a> PackageCollector<'a> {
             let pkg_id = item.pkg_id;
             let _ = item.dep_id; // Could be useful in the future for dependency-specific processing
 
-            let pkg_path_copy: Box<[PackageID]> = item.pkg_path.clone().into_boxed_slice();
-            let dep_path_copy: Box<[DependencyID]> = item.dep_path.clone().into_boxed_slice();
+            if pkg_resolutions[pkg_id as usize].tag == bun_install::resolution::Tag::Npm {
+                let pkg_path_copy: Box<[PackageID]> = item.pkg_path.clone().into_boxed_slice();
+                let dep_path_copy: Box<[DependencyID]> = item.dep_path.clone().into_boxed_slice();
 
-            self.package_paths.put(
-                pkg_id,
-                PackagePath {
-                    pkg_path: pkg_path_copy,
-                    dep_path: dep_path_copy,
-                },
-            )?;
+                self.package_paths.put(
+                    pkg_id,
+                    PackagePath {
+                        pkg_path: pkg_path_copy,
+                        dep_path: dep_path_copy,
+                    },
+                )?;
+            }
 
             let pkg_deps = pkg_dependencies[pkg_id as usize];
             for _next_dep_id in pkg_deps.begin()..pkg_deps.end() {
@@ -703,11 +691,6 @@ impl<'a> PackageCollector<'a> {
                     continue;
                 }
 
-                let next_pkg_res = &pkg_resolutions[next_pkg_id as usize];
-                if next_pkg_res.tag != bun_install::resolution::Tag::Npm {
-                    continue;
-                }
-
                 if self.dedupe.get_or_put(next_pkg_id)?.found_existing {
                     continue;
                 }
@@ -773,9 +756,9 @@ impl<'a> JSONBuilder<'a> {
                 json_buf.extend_from_slice(b",\n");
             }
 
-            // SAFETY: `PackageCollector::collect_packages_from_root` only inserts
-            // packages whose resolution tag is `Tag::Npm` into `package_paths`,
-            // so the `npm` union variant is the active field here.
+            // SAFETY: `PackageCollector::process_queue` only inserts packages
+            // whose resolution tag is `Tag::Npm` into `package_paths`, so the
+            // `npm` union variant is the active field here.
             let npm = pkg_res.npm();
             if dep_id == invalid_dependency_id {
                 write!(
@@ -889,14 +872,10 @@ fn attempt_security_scan_with_retry(
 
     // PORT NOTE: destructure `collector` here to release its `&PackageManager`
     // borrow before constructing `SecurityScanSubprocess` (which needs `&mut`).
-    // Only `package_paths` and the dedupe count are read past this point.
-    let PackageCollector {
-        dedupe,
-        package_paths,
-        ..
-    } = collector;
+    // Only `package_paths` is read past this point.
+    let PackageCollector { package_paths, .. } = collector;
     let mut package_paths = package_paths;
-    let packages_scanned = dedupe.count();
+    let packages_scanned = package_paths.count();
 
     let mut code: Vec<u8> = Vec::new();
 

diff --git a/src/install/TarballStream.rs b/src/install/TarballStream.rs
@@ -665,19 +665,20 @@ impl TarballStream {
         // Tag::Extract` for streaming tarballs).
         let tarball = &self.extract_task.request_extract().tarball;
         let (_, basename) = tarball.name_and_basename();
-        if !tarball.resolution.tag.is_git()
-            && tarball.resolution.tag != ResolutionTag::LocalTarball
-            && !crate::dependency::is_safe_install_folder_name(&basename[0..basename.len().min(32)])
-        {
-            self.invalid_name = true;
-            return Err(bun_core::err!("InstallFailed"));
-        }
+        let truncated_basename = &basename[0..basename.len().min(32)];
+        let tmpname_suffix: &[u8] =
+            if crate::dependency::is_safe_install_folder_name(truncated_basename) {
+                truncated_basename
+            } else if tarball.resolution.tag.is_git()
+                || tarball.resolution.tag == ResolutionTag::LocalTarball
+            {
+                b"package"
+            } else {
+                self.invalid_name = true;
+                return Err(bun_core::err!("InstallFailed"));
+            };
         let mut buf = PathBuffer::uninit();
-        let tmpname = FileSystem::tmpname(
-            &basename[0..basename.len().min(32)],
-            &mut buf[..],
-            bun_core::fast_random(),
-        )?;
+        let tmpname = FileSystem::tmpname(tmpname_suffix, &mut buf[..], bun_core::fast_random())?;
         // allocator.dupeZ → owned NUL-terminated copy.
         self.tmpname = ZBox::from_bytes(tmpname.as_bytes());
 

diff --git a/src/install/extract_tarball.rs b/src/install/extract_tarball.rs
@@ -243,29 +243,29 @@ impl ExtractTarball {
         // `open_dir_at_windows_a` boundary, not here.
         let mut tmpname_buf = PathBuffer::uninit();
         let (name, basename) = self.name_and_basename();
-        if !self.resolution.tag.is_git()
-            && self.resolution.tag != ResolutionTag::LocalTarball
-            && !bun_install::dependency::is_safe_install_folder_name(
-                &basename[0..basename.len().min(32)],
-            )
-        {
-            log.add_error_fmt(
-                None,
-                bun_ast::Loc::EMPTY,
-                format_args!(
-                    "Refusing to install package with invalid name \"{}\"",
-                    bun_fmt::s(name),
-                ),
-            );
-            return Err(bun_core::err!("InstallFailed"));
-        }
+        let truncated_basename = &basename[0..basename.len().min(32)];
+        let tmpname_suffix: &[u8] =
+            if bun_install::dependency::is_safe_install_folder_name(truncated_basename) {
+                truncated_basename
+            } else if self.resolution.tag.is_git()
+                || self.resolution.tag == ResolutionTag::LocalTarball
+            {
+                b"package"
+            } else {
+                log.add_error_fmt(
+                    None,
+                    bun_ast::Loc::EMPTY,
+                    format_args!(
+                        "Refusing to install package with invalid name \"{}\"",
+                        bun_fmt::s(name),
+                    ),
+                );
+                return Err(bun_core::err!("InstallFailed"));
+            };
 
         let mut resolved: &'static [u8] = b"";
-        let tmpname = FileSystem::tmpname(
-            &basename[0..basename.len().min(32)],
-            &mut tmpname_buf.0,
-            bun_core::fast_random(),
-        )?;
+        let tmpname =
+            FileSystem::tmpname(tmpname_suffix, &mut tmpname_buf.0, bun_core::fast_random())?;
         {
             let extract_destination = match bun_sys::make_path::make_open_path(
                 tmpdir,
-Original file line number
+Diff line change
@@ Expand Up / @@ -1292,6 +1292,7 @@ impl<const SSL: bool> Handler<SSL> { @@
                 }
                 bun_core::scoped_log!(HTTPContext, "Unexpected data on socket");
+                HTTPContext::<SSL>::terminate_socket(socket);
                 return;
             }
@@ Expand Down @@