bun-types 1.2.21-canary.20250814T140633 → 1.2.21-canary.20250815T140623

package/bun.d.ts

@@ -596,6 +596,23 @@ declare module "bun" {
     options?: StringWidthOptions,
   ): number;
 
+  /**
+   * Remove ANSI escape codes from a string.
+   *
+   * @category Utilities
+   *
+   * @param input The string to remove ANSI escape codes from.
+   * @returns The string with ANSI escape codes removed.
+   *
+   * @example
+   * ```ts
+   * import { stripANSI } from "bun";
+   *
+   * console.log(stripANSI("\u001b[31mhello\u001b[39m")); // "hello"
+   * ```
+   */
+  function stripANSI(input: string): string;
+
   /**
    * TOML related APIs
    */

package/docs/api/fetch.md

@@ -336,7 +336,7 @@ This will print the request and response headers to your terminal:
 ```sh
 [fetch] > HTTP/1.1 GET http://example.com/
 [fetch] > Connection: keep-alive
-[fetch] > User-Agent: Bun/1.2.21-canary.20250814T140633
+[fetch] > User-Agent: Bun/1.2.21-canary.20250815T140623
 [fetch] > Accept: */*
 [fetch] > Host: example.com
 [fetch] > Accept-Encoding: gzip, deflate, br

package/docs/api/spawn.md

@@ -140,7 +140,7 @@ You can read results from the subprocess via the `stdout` and `stderr` propertie
 ```ts
 const proc = Bun.spawn(["bun", "--version"]);
 const text = await proc.stdout.text();
-console.log(text); // => "1.2.21-canary.20250814T140633\n"
+console.log(text); // => "1.2.21-canary.20250815T140623\n"
 ```
 
 Configure the output stream by passing one of the following values to `stdout/stderr`:

package/docs/cli/pm.md

@@ -213,7 +213,7 @@ To display current package version and help:
 
 ```bash
 $ bun pm version
-bun pm version v1.2.21-canary.20250814T140633 (ca7428e9)
+bun pm version v1.2.21-canary.20250815T140623 (ca7428e9)
 Current package version: v1.0.0
 
 Increment:

package/docs/cli/publish.md

@@ -7,7 +7,7 @@ Use `bun publish` to publish a package to the npm registry.
 $ bun publish
 
 ## Output
-bun publish v1.2.21-canary.20250814T140633 (ca7428e9)
+bun publish v1.2.21-canary.20250815T140623 (ca7428e9)
 
 packed 203B package.json
 packed 224B README.md

package/docs/guides/ecosystem/nuxt.md

@@ -9,7 +9,7 @@ $ bunx nuxi init my-nuxt-app
 ✔ Which package manager would you like to use?
 bun
 ◐ Installing dependencies...
-bun install v1.2.21-canary.20250814T140633 (16b4bf34)
+bun install v1.2.21-canary.20250815T140623 (16b4bf34)
  + @nuxt/devtools@0.8.2
  + nuxt@3.7.0
  785 packages installed [2.67s]

package/docs/guides/install/add-peer.md

@@ -15,7 +15,7 @@ This will add the package to `peerDependencies` in `package.json`.
 ```json-diff
 {
   "peerDependencies": {
-+   "@types/bun": "^1.2.21-canary.20250814T140633"
++   "@types/bun": "^1.2.21-canary.20250815T140623"
   }
 }
 ```
@@ -27,7 +27,7 @@ Running `bun install` will install peer dependencies by default, unless marked o
 ```json-diff
 {
   "peerDependencies": {
-    "@types/bun": "^1.2.21-canary.20250814T140633"
+    "@types/bun": "^1.2.21-canary.20250815T140623"
   },
   "peerDependenciesMeta": {
 +   "@types/bun": {

package/docs/guides/install/from-npm-install-to-bun-install.md

@@ -97,7 +97,7 @@ $ bun update
 $ bun update @types/bun --latest
 
 # Update a dependency to a specific version
-$ bun update @types/bun@1.2.21-canary.20250814T140633
+$ bun update @types/bun@1.2.21-canary.20250815T140623
 
 # Update all dependencies to the latest versions
 $ bun update --latest

package/docs/guides/test/run-tests.md

@@ -21,7 +21,7 @@ Here's what the output of a typical test run looks like. In this case, there are
 
 ```sh
 $ bun test
-bun test v1.2.21-canary.20250814T140633 (9c68abdb)
+bun test v1.2.21-canary.20250815T140623 (9c68abdb)
 
 test.test.js:
 ✓ add [0.87ms]
@@ -47,7 +47,7 @@ To only run certain test files, pass a positional argument to `bun test`. The ru
 
 ```sh
 $ bun test test3
-bun test v1.2.21-canary.20250814T140633 (9c68abdb)
+bun test v1.2.21-canary.20250815T140623 (9c68abdb)
 
 test3.test.js:
 ✓ add [1.40ms]
@@ -85,7 +85,7 @@ Adding `-t add` will only run tests with "add" in the name. This works with test
 
 ```sh
 $ bun test -t add
-bun test v1.2.21-canary.20250814T140633 (9c68abdb)
+bun test v1.2.21-canary.20250815T140623 (9c68abdb)
 
 test.test.js:
 ✓ add [1.79ms]

package/docs/guides/test/snapshot.md

@@ -18,7 +18,7 @@ The first time this test is executed, Bun will evaluate the value passed into `e
 
 ```sh
 $ bun test test/snap
-bun test v1.2.21-canary.20250814T140633 (9c68abdb)
+bun test v1.2.21-canary.20250815T140623 (9c68abdb)
 
 test/snap.test.ts:
 ✓ snapshot [1.48ms]
@@ -61,7 +61,7 @@ Later, when this test file is executed again, Bun will read the snapshot file an
 
 ```sh
 $ bun test
-bun test v1.2.21-canary.20250814T140633 (9c68abdb)
+bun test v1.2.21-canary.20250815T140623 (9c68abdb)
 
 test/snap.test.ts:
 ✓ snapshot [1.05ms]
@@ -78,7 +78,7 @@ To update snapshots, use the `--update-snapshots` flag.
 
 ```sh
 $ bun test --update-snapshots
-bun test v1.2.21-canary.20250814T140633 (9c68abdb)
+bun test v1.2.21-canary.20250815T140623 (9c68abdb)
 
 test/snap.test.ts:
 ✓ snapshot [0.86ms]

package/docs/guides/test/update-snapshots.md

@@ -29,7 +29,7 @@ To regenerate snapshots, use the `--update-snapshots` flag.
 
 ```sh
 $ bun test --update-snapshots
-bun test v1.2.21-canary.20250814T140633 (9c68abdb)
+bun test v1.2.21-canary.20250815T140623 (9c68abdb)
 
 test/snap.test.ts:
 ✓ snapshot [0.86ms]

package/docs/guides/util/version.md

@@ -5,7 +5,7 @@ name: Get the current Bun version
 Get the current version of Bun in a semver format.
 
 ```ts#index.ts
-Bun.version; // => "1.2.21-canary.20250814T140633"
+Bun.version; // => "1.2.21-canary.20250815T140623"
 ```
 
 ---

package/docs/installation.md

@@ -14,7 +14,7 @@ Kernel version 5.6 or higher is strongly recommended, but the minimum is 5.1. Us
 ```bash#macOS/Linux_(curl)
 $ curl -fsSL https://bun.com/install | bash # for macOS, Linux, and WSL
 # to install a specific version
-$ curl -fsSL https://bun.com/install | bash -s "bun-v1.2.21-canary.20250814T140633"
+$ curl -fsSL https://bun.com/install | bash -s "bun-v1.2.21-canary.20250815T140623"
 ```
 
 ```bash#npm
@@ -189,10 +189,10 @@ Since Bun is a single binary, you can install older versions of Bun by re-runnin
 
 ### Installing a specific version of Bun on Linux/Mac
 
-To install a specific version of Bun, you can pass the git tag of the version you want to install to the install script, such as `bun-v1.2.0` or `bun-v1.2.21-canary.20250814T140633`.
+To install a specific version of Bun, you can pass the git tag of the version you want to install to the install script, such as `bun-v1.2.0` or `bun-v1.2.21-canary.20250815T140623`.
 
 ```sh
-$ curl -fsSL https://bun.com/install | bash -s "bun-v1.2.21-canary.20250814T140633"
+$ curl -fsSL https://bun.com/install | bash -s "bun-v1.2.21-canary.20250815T140623"
 ```
 
 ### Installing a specific version of Bun on Windows
@@ -201,7 +201,7 @@ On Windows, you can install a specific version of Bun by passing the version num
 
 ```sh
 # PowerShell:
-$ iex "& {$(irm https://bun.com/install.ps1)} -Version 1.2.21-canary.20250814T140633"
+$ iex "& {$(irm https://bun.com/install.ps1)} -Version 1.2.21-canary.20250815T140623"
 ```
 
 ## Downloading Bun binaries directly

package/docs/runtime/debugger.md

@@ -124,11 +124,11 @@ await fetch("https://example.com", {
 This prints the `fetch` request as a single-line `curl` command to let you copy-paste into your terminal to replicate the request.
 
 ```sh
-[fetch] $ curl --http1.1 "https://example.com/" -X POST -H "content-type: application/json" -H "Connection: keep-alive" -H "User-Agent: Bun/1.2.21-canary.20250814T140633" -H "Accept: */*" -H "Host: example.com" -H "Accept-Encoding: gzip, deflate, br" --compressed -H "Content-Length: 13" --data-raw "{\"foo\":\"bar\"}"
+[fetch] $ curl --http1.1 "https://example.com/" -X POST -H "content-type: application/json" -H "Connection: keep-alive" -H "User-Agent: Bun/1.2.21-canary.20250815T140623" -H "Accept: */*" -H "Host: example.com" -H "Accept-Encoding: gzip, deflate, br" --compressed -H "Content-Length: 13" --data-raw "{\"foo\":\"bar\"}"
 [fetch] > HTTP/1.1 POST https://example.com/
 [fetch] > content-type: application/json
 [fetch] > Connection: keep-alive
-[fetch] > User-Agent: Bun/1.2.21-canary.20250814T140633
+[fetch] > User-Agent: Bun/1.2.21-canary.20250815T140623
 [fetch] > Accept: */*
 [fetch] > Host: example.com
 [fetch] > Accept-Encoding: gzip, deflate, br
@@ -170,7 +170,7 @@ This prints the following to the console:
 [fetch] > HTTP/1.1 POST https://example.com/
 [fetch] > content-type: application/json
 [fetch] > Connection: keep-alive
-[fetch] > User-Agent: Bun/1.2.21-canary.20250814T140633
+[fetch] > User-Agent: Bun/1.2.21-canary.20250815T140623
 [fetch] > Accept: */*
 [fetch] > Host: example.com
 [fetch] > Accept-Encoding: gzip, deflate, br

package/docs/runtime/shell.md

@@ -532,6 +532,74 @@ Hello World! pwd=C:\Users\Demo
 
 Bun Shell is a small programming language in Bun that is implemented in Zig. It includes a handwritten lexer, parser, and interpreter. Unlike bash, zsh, and other shells, Bun Shell runs operations concurrently.
 
+## Security in the Bun shell
+
+By design, the Bun shell _does not invoke a system shell_ (like `/bin/sh`) and
+is instead a re-implementation of bash that runs in the same Bun process,
+designed with security in mind.
+
+When parsing command arguments, it treats all _interpolated variables_ as single, literal strings.
+
+This protects the Bun shell against **command injection**:
+
+```js
+import { $ } from "bun";
+
+const userInput = "my-file.txt; rm -rf /";
+
+// SAFE: `userInput` is treated as a single quoted string
+await $`ls ${userInput}`;
+```
+
+In the above example, `userInput` is treated as a single string. This causes
+the `ls` command to try to read the contents of a single directory named
+"my-file; rm -rf /".
+
+### Security considerations
+
+While command injection is prevented by default, developers are still
+responsible for security in certain scenarios.
+
+Similar to the `Bun.spawn` or `node:child_process.exec()` APIs, you can intentionally
+execute a command which spawns a new shell (e.g. `bash -c`) with arguments.
+
+When you do this, you hand off control, and Bun's built-in protections no
+longer apply to the string interpreted by that new shell.
+
+```js
+import { $ } from "bun";
+
+const userInput = "world; touch /tmp/pwned";
+
+// UNSAFE: You have explicitly started a new shell process with `bash -c`.
+// This new shell will execute the `touch` command. Any user input
+// passed this way must be rigorously sanitized.
+await $`bash -c "echo ${userInput}"`;
+```
+
+### Argument injection
+
+The Bun shell cannot know how an external command interprets its own
+command-line arguments. An attacker can supply input that the target program
+recognizes as one of its own options or flags, leading to unintended behavior.
+
+```js
+import { $ } from "bun";
+
+// Malicious input formatted as a Git command-line flag
+const branch = "--upload-pack=echo pwned";
+
+// UNSAFE: While Bun safely passes the string as a single argument,
+// the `git` program itself sees and acts upon the malicious flag.
+await $`git ls-remote origin ${branch}`;
+```
+
+{% callout %}
+**Recommendation** — As is best practice in every language, always sanitize
+user-provided input before passing it as an argument to an external command.
+The responsibility for validating arguments rests with your application code.
+{% /callout %}
+
 ## Credits
 
 Large parts of this API were inspired by [zx](https://github.com/google/zx), [dax](https://github.com/dsherret/dax), and [bnx](https://github.com/wobsoriano/bnx). Thank you to the authors of those projects.

package/docs/test/dom.md

@@ -55,7 +55,7 @@ Let's run this test with `bun test`:
 
 ```bash
 $ bun test
-bun test v1.2.21-canary.20250814T140633
+bun test v1.2.21-canary.20250815T140623
 
 dom.test.ts:
 ✓ dom test [0.82ms]

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.2.21-canary.20250814T140633",
+  "version": "1.2.21-canary.20250815T140623",
   "name": "bun-types",
   "license": "MIT",
   "types": "./index.d.ts",