May 22, 2026
Unsafe at Any Speed?
Bun's unreleased Rust port has 13,365 unsafe blocks
Bun’s big rewrite sparks panic, memes, and “AI slop” accusations
TLDR: Bun’s unreleased rewrite contains 13,365 places where Rust’s safety checks are bypassed, but the company says the live product still runs the older version for now. Commenters turned that into a trust war, with some yelling “AI slop,” others calming down, and everyone asking whether the speed payoff is worth the mess.
Bun’s upcoming rewrite has landed in the middle of a full-on comment-section food fight. The raw fact is eye-popping: the unreleased Rust version of Bun contains 13,365 "unsafe" blocks, meaning chunks of code where the language’s built-in guardrails are temporarily switched off. The audit argues that this doesn’t automatically mean disaster: a lot of those blocks sit where Bun talks to older C and C++ libraries, and many are apparently expected to stay. It also says the shipped version of Bun still uses the old Zig code, so this is a pre-release cleanup, not a problem already sitting on users’ laptops.
But the community was far less calm than the audit. One camp instantly went nuclear, calling the whole thing “AI slop” and mocking the idea of moving to a “safe” language while stuffing it with unsafe code anyway. Another big complaint? The presentation itself. Readers dragged the page for drowning people in charts, counts, and diagrams that looked fancy but, in their view, explained almost nothing. The vibe was basically: cool graphs, but should we trust any of this?
Still, not everyone grabbed a pitchfork. Some commenters were relieved to learn the rewrite hasn’t shipped yet, calling that detail the real comfort blanket in all this chaos. And of course, the performance crowd showed up right on cue with the most Bun question imaginable: okay, but is it still fast? So the drama now has three fronts: trust, readability, and speed — with the comments delivering all the popcorn energy.
Key Points
- •The audit reports 13,365 unsafe blocks in Bun’s unreleased Rust port, measured on May 21, 2026 with vendored C/C++ excluded.
- •The article says performance code, the Zig port, and the FFI boundary account for roughly two-thirds of the unsafe sites.
- •It lists additional unsafe constructs including 1,352 unsafe functions, 1,011 unsafe extern declarations, 405 unsafe impls, and 22 unsafe traits, with every unsafe block requiring a // SAFETY: comment.
- •A large share of the unsafe code is tied to FFI and JavaScriptCore GC behavior, including 3,986 calls and 4,159 C declarations across eight libraries.
- •The audit proposes that many unavoidable unsafe sites should be isolated in *_sys crates or safe redeclarations, while only sites that prevent undefined behavior in release builds count as truly fixed.