Silkenweb Example: Hackernews Clone

Oven: The Company Behind Bun

279 points by mostafah 2 years ago | 113 comments

hardwaregeek 2 years ago
I have a lot of respect for Jarred and bun. The lean approach of just one person working for a year is rather underrated imo. No funding and therefore no pressure for growth. No overhead from scaling up a team and having to implement process, standards, etc. And at the same time, incredible content marketing by just tweeting about every little detail. Me and many others got hooked just because Jarred was posting interesting stuff and kept posting interesting stuff. It wasn't a stuffy blog or padded out conference talks, it was just good, technical content.
My only hope is that Jarred gets some rest for a bit. According to his Twitter he's been pulling 80 hour weeks and while that does lead to impressive work, it's not great from a human perspective. Hope he can rest up and keep this going for the long haul!
- fizx 2 years ago
  I've done this solo sprint for a year to get a startup running a few times in my career.
  The time it worked, I worked 10-4pm (heads down) in the ideation phase, ate well, slept well, got two hours of exercise daily, and had an interesting social life. Once the startup took on a life of its own, the personal life started to suffer and I got up to 80+hrs for a month or two before settling into ~60.
  The two times it didn't work, I embraced the 60hr/week grind and was a bit more isolated, perhaps drank a bit more to unwind, and my focus deeply suffered.
  I really love the solo thing, but in the early days, be creative and happy. The grind will find you. Market fit means more work. No doubt Jarred will find building a company and Bun at the same time even more challenging that just building Bun.
- brundolf 2 years ago
  > The lean approach of just one person working for a year is rather underrated imo
  It's honestly got me thinking about doing the same thing for my Big Project that I've been squeezing into nights and weekends for the past year and a half
  - ignoramous 2 years ago
    Read also: The unreasonable effectiveness of just showing up every day, https://news.ycombinator.com/item?id=27833064
- aaroninsf 2 years ago
  He should have rested up and taken a week off to get some perspective before attempting to write recruiting spam on Twitter.
  Sounding twitchy and strung out and high strung and histrionic? A filter for sure, but not for the things he thinks he wants.
  This is how you get broken, desperate, unhealthy people, and that is reflected permanently in culture, and almost always in product, with poor prognosis for success.
  Seriously the guy needs to chill the f--- out.
  - ignoramous 2 years ago
    tbf, some people are just that ambitious and driven. See also: Elite athletes like Djokovic, Nadal, Phelps, Bolt et al
AaronFriel 2 years ago
It's an incredible achievement, though I worry about the use of an unproven language (Zig) that lacks memory safety by design. JavaScript runtimes, especially those with JITs, have been plagued by vulnerabilities from memory safety, type confusion, and data races.
Node.js, despite being based on V8, is still susceptible independently of V8 and introduces its own vulnerabilities. It's not sufficient for the runtime to be secure, but the new facilities Bun provides must also be vetted.
Bun/Oven are new, and similar in position to Node. Here are the hard questions I'd ask if I were on a security team and asked to review adopting Bun:
1. Will Oven adopt a security policy for Bun? (https://github.com/oven-sh/bun/security)
2. What measures is Oven taking to proactively detect and mitigate vulnerabilities? (e.g.: fuzzing, audits, bug bounties)
3. Will Oven support Zig development to avoid an existential risk in upstream vulnerabilities?
- Jarred 2 years ago
  > 1. Will Oven adopt a security policy for Bun? (https://github.com/oven-sh/bun/security)
  Yes.
  > 2. What measures is Oven taking to proactively detect and mitigate vulnerabilities? (e.g.: fuzzing, audits, bug bounties)
  Fuzzing will begin soon. Regular security audits will happen around the 1.0 release. Bug bounty seems like a good idea, but it's too early today to know when this will start.
  > 3. Will Oven support Zig development to avoid an existential risk in upstream vulnerabilities?
  Yes. Oven will donate to Zig Software Foundation.
  More broadly - I think about all of this a lot, but until now Bun has been mostly the work of just me. Bun is still very early - there's a lot that's just not implemented yet.
  - AaronFriel 2 years ago
    Thanks for answering Jarred, and I appreciate your answers given the early stage you're at. Runtime diversity in Node is quite exciting, and I'm sure you've more interesting challenges ahead than just security.
    I look forward to seeing what you can make of it with Oven.
- brundolf 2 years ago
  Worth clarifying that Bun isn't a from-scratch JS runtime, it's a wrapper around JavaScriptCore (WebKit's JS engine), like Node is around V8
  As you say, there's still plenty of room for vulnerabilities in the parts it does implement, and Zig isn't strictly memory-safe. However, Zig has lots of modern features like optional-types that help quite a bit with avoiding memory errors: https://www.scattered-thoughts.net/writing/how-safe-is-zig/
  Which is to say your question is definitely valid, but there are also reasons to think this isn't as huge a concern as it might seem
  - jamil7 2 years ago
    > Worth clarifying that Bun isn't a from-scratch JS runtime, it's a wrapper around JavaScriptCore (WebKit's JS engine)
    Does this mean you could potentially run some Node code on iOS?
- andrei 2 years ago
  > 2. What measures is Oven taking to proactively detect and mitigate vulnerabilities? (e.g.: fuzzing, audits, bug bounties)
  We're huge fans of bun at Fuzzbuzz (waiting for it to get a bit more production-ready). If Jarred's interested, we'd be happy to donate some compute to support fuzzing Bun.
  <hn username> @ fuzzbuzz.io
- TakeBlaster16 2 years ago
  > though I worry about the use of an unproven language
  Maybe this will be the company that proves it :)
- naikrovek 2 years ago
  I am fairly confident that Zig does not lack memory safety by design; from what I understand, the language as a whole isn't even finished, and the memory safety design isn't like a GC'd language or like Rust, so people assume there isn't memory safety when in reality it is at least partially implemented.
  - AaronFriel 2 years ago
    I'm afraid "partially implemented" memory safety is also widely known in the offensive security industry as "not memory safe". Many people have fooled themselves into thinking there is a gradient with safer C++ abstractions, libraries in C, custom allocators, static analyzers, valgrind, etc.
    - naikrovek 2 years ago
      the entire language is partially implemented yet you are judging it as if it is complete and set in stone.
      Rust isn't even memory safe if you want to be THIS pedantic about it. the unsafe keyword exists in Rust, and it is often used.
    - rileyphone 2 years ago
      Is there not a gradient though? Are C++ smart pointers equally as bad as regular old malloc? Can safer abstractions not render most buffer overflows impossible?
    - cocoto 2 years ago
      There is definitely a gradient in safety and almost everybody agree with that. What is controversial is how much safety you actually need.
- jmartin2683 2 years ago
  Agreed. Rust is a far more reasonable/obvious choice.
dang 2 years ago
Related:
Will Bun JavaScript Take Node's Crown - https://news.ycombinator.com/item?id=32457587 - Aug 2022 (321 comments)
Bun: A Complete Overhaul of the JavaScript Ecosystem - https://news.ycombinator.com/item?id=32243534 - July 2022 (25 comments)
Bun gets “bun:FFI” – call native libraries from JavaScript - https://news.ycombinator.com/item?id=32120090 - July 2022 (16 comments)
Bun (can become) the ideal JavaScript runtime - https://news.ycombinator.com/item?id=32067268 - July 2022 (14 comments)
Bun: Fast JavaScript runtime, transpiler, and NPM client written in Zig - https://news.ycombinator.com/item?id=31993429 - July 2022 (314 comments)
Bun – fast JavaScript and CSS bundler - https://news.ycombinator.com/item?id=29179848 - Nov 2021 (36 comments)
Kind of related:
Hop: Faster than unzip and tar at reading individual files - https://news.ycombinator.com/item?id=29178710 - Nov 2021 (128 comments)
brrrrrm 2 years ago
Congrats to Jarred! Bun has blown me away in terms of performance. Often (in other projects) performance claims out of nowhere are simply cherry-picked but I’ve found bun repeatedly impressing me with both speed and elegance.
What doesn’t get mentioned enough is just how friggin ergonomic bun is. Install it and you’ll see what I mean immediately. Play with any API in the “bun:” namespace and it’s just a breath of fresh air.
- brundolf 2 years ago
  I'm curious about where all that performance comes from
  I know it uses the WebKit JS runtime instead of V8, which is super interesting. Does that cause a performance lift? Or is there some other secret sauce that pervades throughout Bun? Or is it just a matter of Jarred giving lots of attention to spot-optimizing the most important bottlenecks outside of the core runtime?
  - Jarred 2 years ago
    There's no secret sauce
    Just lots of time spent profiling and trying things
    On the runtime side, JavaScriptCore/WebKit's team are extremely receptive to feedback, especially performance-related. Today, @Constellation made `Promise.all` about 30% faster https://github.com/WebKit/WebKit/pull/3569
    - vips7L 2 years ago
      Have you done any comparisons with Graal’s NodeJS runtime?
  - nicoburns 2 years ago
    It's worth noting that most of Node's API are written in JavaScript, and often not particularly optimised JavaScript (sometimes constrained by API compatibility). I think bun is taking the approach of implementing a lot of core APIs in zig.
    - brundolf 2 years ago
      That's surprising, I didn't know that about Node
  - brrrrrm 2 years ago
    I suspect it’s the latter. I would guess V8 with a thin wrapper and a ton of effort from someone who cares about perf to port all the native goodies of node would get similar wins.
    - ricardobeat 2 years ago
      Absolutely. And it has been done already, JustJS[1] has made it to the top 10 fastest in the TechEmpower benchmarks. It’s Linux only though, and not nearly as complete or easy to use, which makes it unappealing for real world projects.
      [1] https://github.com/just-js/just
    - cheeselip420 2 years ago
      Good thing Cloudflare is open-sourcing their V8-based Workers runtime soon.
- verdverm 2 years ago
  I'm curious if it will be as fast after implementing some must have features like sourcemaps, minification, and tree shaking? Bun is definitely not production ready yet, but I'm keeping my eye on it for sure
  https://github.com/oven-sh/bun#not-implemented-yet
  - Jarred 2 years ago
    Sourcemaps are technically already implemented, but not for bundled dependencies. Initially, it was a 30% drop, but I made it use lots of SIMD and that compensated a lot. When you use Bun's runtime, it transpiles every file (including non-TypeScript files) and generates an in-memory sourcemap so that error messages have useful line/column numbers. Bun's fast startup time is very much in spite of things like this.
    Minification will likely make it faster because there will be less code to print (see https://twitter.com/evanwallace/status/1396304029840396290). Many of the syntax compression and small optimizations like ("foo" + " " + "bar") becoming "foo bar" are implemented already, but not the whitespace removal
    It might have an impact on bundling performance overall because that will involve an extra pass to more correctly handle `export * as from`, which isn't as important when used with the runtime (since that can happen at runtime)
    - verdverm 2 years ago
      I'm not looking to use Bun as a JS runner because all of my JS runs in the browser. The time and complexity of implementing these processes will increase build time. We will have to wait to see how it compares to existing tools for bundling and creating production code.
  - ctvo 2 years ago
    > I'm curious if it will be as fast after implementing some must have features like sourcemaps, minification, and tree shaking?
    Can you explain why you think a transpilation step will prove to be a technical challenge here? The "bundler" part of Bun seems like a very small piece, and not something that would impact its performance as a runtime too greatly.
    - brundolf 2 years ago
      A lot of the conversation around Bun's performance has included the performance of non-runtime things like how fast it can install packages, perform builds, cold-start, etc
    - verdverm 2 years ago
      I only use JS/TS on the client side, which will end up running in the browser, thus being able to use Bun to create production code will require these features. I didn't say they were technical challenges, but these processes require more complex analysis and algos.
  - brrrrrm 2 years ago
    I’m not familiar with deployment in the modern web world, but I’m curious how fast those specific features need to be in a production setting? Are they done dynamically for every request?
- Aeolun 2 years ago
  > Often (in other projects) performance claims out of nowhere are simply cherry-picked
  I’ve had it proven true only two times so far. First time was with esbuild.
alberth 2 years ago
My moneys on Just-JS.
It’s consistently in the top 5 fastest web framework (beating out Rust, etc).
Just-JS is already faster than Bun.
Additionally, JSCore appears to be a significant reason why Bun is faster than NodeJS (V8). Just-JS is investigating switching to JSCore as well - which will only extend its lead.
https://github.com/just-js/just
https://www.techempower.com/benchmarks/#section=data-r21
https://twitter.com/justjs14/status/1560741923106725889#m
https://twitter.com/justjs14/status/1557856790897106944#m
- iainmerrick 2 years ago
  Besides being Linux-only, the GH page lists intentional restrictions like “commonjs modules, no support for ES modules” -- that seems like a biggie!
  The benchmarks seem to focus exclusively on startup time, which is certainly important but not the only important thing. (And unless I misread those tweets it’s only a tiny bit ahead of bun.)
  More competition is good and helps keep everyone honest, of course, but it looks like extremely early days for this project.
- christophilus 2 years ago
  Bun does ESM, JSX, Typescript and SQLite support out of the box. It also does bundling. It’s quite nice.
  I’m thinking of building a zero-dependency toolkit on top of it. I rewrote Tailwind this weekend with that in mind, and my 4-second Tailwind build (on a 90k line project) now takes 200ms. That’s mostly due to how I architected my Tailwind library; not Bun, but Bun is fast where it’s been optimized.
  I love the idea of a zero (or very low) dependency, modern toolkit. I’m rooting for Bun.
  - emptysea 2 years ago
    I'm interested to hear more about your tailwind rewrite? Any interesting challenges and any plans on open sourcing it?
- esquire_900 2 years ago
  You might be right, though it's Linux only, and still has a "coming soon" as documentation. Worth keeping an eye on, but seems more in the experimental phase compared to bun.
- b_fiive 2 years ago
  Linux only? I think that'll cap adoption regardless of any perf advantages
  - indymike 2 years ago
    > Linux only? I think that'll cap adoption regardless of any perf advantages
    For web applications, Linux is usually the eventual development target, and running Linux development environments on Windows and MacOS is a solved problem. So no, not really going to be much of a problem.
tsujp 2 years ago
While obviously extremely impressed with Bun and Jarred's achievement (especially because I really like Zig being similar to C) I'm also shocked that he was able to get a 3-letter `.sh` domain (bun) _and_ a 4-letter `.sh` domain (oven) both real words!
Looked to me that Oven was registered shortly after Bun exploded in popularity.
- plesiv 2 years ago
  Don't be shocked. There are plenty of short domains left for grab, they're just expensivish for most people (usually $100 - $1000 but could be more). Glad that's the case, otherwise squatters would've "invested" into them already.
benreesman 2 years ago
Are Bun and Deno in direct competition or do these projects address different markets?
- DangitBobby 2 years ago
  They are roughly in competition, though Deno made the decision early on to largely split itself from the ecosystem and existing conventions of Node (and an enormous body of existing JavaScript packages on npm), whereas Bun did not. Bun, AFAIK, aims to be compatible with Node and existing the npm ecosystem.
  - benreesman 2 years ago
    I met Ryan Dahl once at like a CouchDB meetup in Oakland or something a decade ago. He was obviously a brilliant guy, and humble, and very likable as a result.
    I very much admire that he seems to be trying to get things right in light of lessons learned, but history would imply that backwards compatibility tends to trump better technology on average.
  - wangbinyq 2 years ago
    Deno already have a node compatibility mode, and will support import npm packages directly.
    - DangitBobby 2 years ago
      Sure, but it doesn't because initially they chose not to.
- yencabulator 2 years ago
  It seems both are attempting to make money by providing their own "serverless clouds" and hoping people will use those, instead of AWS/GCP/Cloudflare Workers/Fly/etc.
mwexler 2 years ago
For those like me who didn't know:
https://bun.sh/. "Bun is a fast all-in-one JavaScript runtime. Bundle, transpile, install and run JavaScript & TypeScript projects — all in Bun. Bun is a new JavaScript runtime with a native bundler, transpiler, task runner and npm client built-in."
- tantalor 2 years ago
  "Run TypeScript" is misnomer, unless I'm missing something, it compiles TS -> JS and "runs" that.
  - lioeters 2 years ago
    "Run JavaScript" is a misnomer, it compiles JS -> bytecode and "runs" that.
    - seanw444 2 years ago
      "Run bytecode" is a misnomer, it compiles bytecode -> machine code and "runs" that.
    - tantalor 2 years ago
      It might, if the code can be optimized. There are all sorts of reasons why it might not. For example, at one point in time, a switch statement with more than 128 cases could not be optimized.
      https://github.com/petkaantonov/bluebird/wiki/Optimization-k...
j3s 2 years ago
finally, a tech company with a cute design aesthetic :D i'm so happy to see a cute little bun in an oven instead of standard tech company imagery. i've never used bun and don't have great reason to, but it makes me hopeful to see.
christophilus 2 years ago
> Before Oven can offer hosting, Bun needs a stable release. The goal: a stable release of Bun in under six months from today (August 23rd).
Wow! That is an ambitious timeline. Also ambitious is this:
> The plan is to run our own servers on the edge in datacenters around the world. Oven will leverage end-to-end integration of the entire JavaScript stack (down to the hardware) to make new things possible.
That’s a lot of work in a crowded space. Maybe they’re aiming for an acquisition or something?
Anyway, I wish them luck. Bun probably tops the list of projects I’m excited about at the moment.
vasergen 2 years ago
from the bun website > Bun natively implements hundreds of Node.js and Web APIs, including ~90% of Node-API functions
Is there any status tracker to see what is supported and what is not, or in other words how do I know if bun supports a particular framework or a library?
hestefisk 2 years ago
Interesting effort. How do you plan to make money? I would love to do something like this but it must be really hard to figure how to turn revenue sustainably apart from donations, consulting and maybe some sort of hosting services.
behnamoh 2 years ago
I love these funny names. First time I introduced HomeBrew to my gf, she was all laughing at the funny terms:
```
   keg - Program binaries created from source

   bottle - Program binaries downloaded

   cellar - Directory where kegs / binaries are stored

   tap - git repository

   cask - macos native binary (not used in Linux)
```
- 1shooner 2 years ago
  Ok, but I'm not really looking to my package manager for entertainment. To me this jargon is just needlessly obtuse.
  - gmassman 2 years ago
    I 100% agree. Cutesy names should end once the package name has been chosen. Package authors and contributors that overdo the thematic names should stick to writing fiction, not code.
    - 2 years ago
    - naikrovek 2 years ago
      "keg" and "bottle" are cutesy?
      well, to see the exact opposite of "cutesy", please fork homebrew and give all of those things GUIDs for names, including all the packages a user could install; you'll soon see why the names chosen are quite acceptable, indeed.
  - hackernewds 2 years ago
    hm quite a sour take. I find that the names actually are reflective of an actual storage process so they fulfill both the playfulness and the natural naming.
    - 1shooner 2 years ago
      It's skeuomorphism for the cli.
  - tails4e 2 years ago
    Yep, I found homebrew confusing exactly because of this 'bespoke' terminology.
    - phantomathkg 2 years ago
      I think homebrew is OK. It should be originated from the idea where the install script is user created instead of maintained by the original package author?
  - geodel 2 years ago
    I mean in a way its right. One then need to go for professional companies, sign profession contracts, pay professional service fee and real professional sounding software
- juancampa 2 years ago
  I find these terms to be incredibly confusing though. I've seen them many times but can't seem to remember what's what.
- SwiftyBug 2 years ago
  I'm always confused by Homebrews' names. While I find it amusing, it kind of gets in my way most of the time.
yencabulator 2 years ago
Someone please translate this into non-buzzwordspeak:
> Oven will leverage end-to-end integration of the entire JavaScript stack (down to the hardware) to make new things possible.
qudat 2 years ago
Grats! Excited to see where this ends up
howon92 2 years ago
Congrats on the funding!
latenightcoding 2 years ago
"Oven, the company behind Bun, has raised $7m in funding"
"Oven will provide incredibly fast serverless hosting & continuous integration for backend & frontend JavaScript apps"
Isn't trying to dethrone node.js (by making Bun better and more popular) something worth pursuing on its own, or there is no money in that?
- eatonphil 2 years ago
  It doesn't seem like they're going far from the Deno playbook.
  https://deno.com/blog/series-a
- naikrovek 2 years ago
  I am surprised every day at how much raw human effort has gone (and continues to go) into making JavaScript into a good language, when at most 1/20th of that effort could have been used to simply replace it with something that is good to begin with.
  - iainmerrick 2 years ago
    The positive interpretation is that this is an example of Gall’s law: https://en.wikipedia.org/wiki/John_Gall_(author)#Gall's_law
    Today’s JavaScript works because it has gradually evolved from the primordial JS which (just about) worked; at each stage in the chain it’s seen real-world usage as an in-browser language.
    The alternative would be to build something better from scratch -- but that never works, says Gall’s law -- or to take some other battle-hardened language (C? Java? Python?) -- but trying to adapt those to work well in the browser would hit just as many technical and political barriers as JS did in becoming a decent general-purpose language.
    - naikrovek 2 years ago
      Javascript has had zero barriers in becoming what it is, specifically because people are afraid to attempt to unseat it. there has never been an adult in the room willing to ask “is spending several hundred thousand person-years on this hack of a language better than starting over with something that is more thought out?” Of course it would be better to replace it, especially so in the early days when people saw what was coming.
      everyone just continues doing what they are doing on the assumption that either JS is the best that humans can come up with, or that it’s too difficult to unseat it. both are ways of saying “i don't want to think about that problem right now.”
      so then someone made the simultaneously laziest and most expensive decision ever: put JS on the server, too. now the code serving the client and the client itself get one thread each. “gosh, performance isn’t great here, but i don’t want to think about that, i have a sprint goal.”
      it is only recently that WASM became a thing, and adoption seems slow. it has only succeeded because it did not try to usurp JavaScript’s position, and even requires JavaScript code to interact with the page content or the user in any way. if you can’t beat ‘em, or don’t want to try, join ‘em.
      JS has hit zero barriers and has never been strenuously challenged at all. if it had, it would be gone. everyone just keeps throwing money at it because they don't want to think about how awful it is.
      Only Google attempted it with Dart, and then they got tired and gave up, because the team was (presumably) minuscule compared to the team working on JavaScript in the same effing browser.
- brundolf 2 years ago
  Yes, there is literally no money in doing that by itself. I don't blame the developers for doing what's needed to fund the project.
  - squeaky-clean 2 years ago
    I don't know why this was downvoted, what's the monetization plan of making an improved runtime just for the sake of it with no complementary business model? Do you make it closed source and sell/subscribe it? Do you try to survive off of paid support? (A runtime should be incredibly stable and not need support). Hope you get enough donations?
- solardev 2 years ago
  Isn't that what they're doing? Providing a monetizable system around open source software. It's the Vercel/Next.js model
  - quickthrower2 2 years ago
    I wonder if AWS is a sleeping crocodile ready to eat all these dev-focused paas companies up (by competing or takeovers) in a while. Maybe they are waiting to see who wins first.
    - brd529 2 years ago
      I’m not sure where this movement went but efforts like SSPL [1] and similar aim to make it hard for cloud providers to resell an open source product as a service.
      [1] https://techcrunch.com/2018/11/29/the-crusade-against-open-s...
    - solardev 2 years ago
      Many of them, like Vercel, still use AWS under the hood. AWS has Amplify too. No matter what you use, Bezos wins...
- 2 years ago
anothernewdude 2 years ago
Why do they call it oven when you of in the cold food of out hot eat the food?
- lucakiebel 2 years ago
  I feel like there’s two reasons why I don’t understand your comment at all. Either you made a pun somewhere in there that just went way over my head, or it’s way too early for me to be up. But I have no idea what „of in the cold food of out hot eat the food“ could mean
  - 10000truths 2 years ago
    It’s a reference to a meme:
    https://knowyourmeme.com/memes/why-do-they-call-it-oven
    - lucakiebel 2 years ago
      Wow, thanks for enlightening me!
  - jcparkyn 2 years ago
    It's a reference to a meme, which is intentionally nonsense.
    - bombcar 2 years ago
      It's not actually nonsense, some minor edits will make it clear.
      > Why do they call it oven when you "oven" (of in) the cold food and "oveout" (of out) the hot food to eat?
- revolvingocelot 2 years ago
  More importantly, has anyone really been far even as decided to use even go want to do look more like?
- s_dev 2 years ago
  My brain is soup after trying to read this.
  - swader999 2 years ago
    JavaScript does this too.
- 2 years ago
digitaLandscape 2 years ago
oandrew 2 years ago
.b