Several copies of Bun accidentally share each other's /private/tmp/bun-node-*

[misha-drozd]

What version of Bun is running?

1.3.10+30e609e08

What platform is your computer?

Darwin 25.3.0 arm64 arm

What steps can reproduce the bug?

Put bun into a known location and create a minimal package:

mkdir stomp && cd stomp
wget https://github.com/oven-sh/bun/releases/download/bun-v1.3.10/bun-darwin-aarch64.zip
unzip bun-darwin-aarch64.zip
echo '{"scripts": {"cowsay": "cowsay"}}' > package.json
./bun-darwin-aarch64/bun add cowsay  

Now run the script. It creates a dir in /private/tmp:

./bun-darwin-aarch64/bun run cowsay moo

Output:

$ cowsay moo
 _____
< moo >
 -----
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Created files:

/private/tmp/bun-node-30e609e08/ 
total 0
lrwxr-xr-x 1 misha wheel 51 Mar  3 17:10 bun -> /Users/misha/Downloads/stomp/bun-darwin-aarch64/bun*
lrwxr-xr-x 1 misha wheel 51 Mar  3 17:10 node -> /Users/misha/Downloads/stomp/bun-darwin-aarch64/bun*

Now let's move Bun somewhere else, clean up node_modules and run the script again::

rm -rf node_modules
mv bun-darwin-aarch64 bun-darwin-aarch64-2
./bun-darwin-aarch64-2/bun run cowsay moo 

The output:

$ cowsay moo
env: node: No such file or directory
error: script "cowsay" exited with code 127```

Why? Because the file in /private/tmp hasn't been updated:

/private/tmp/bun-node-30e609e08/
total 0
lrwxr-xr-x 1 misha wheel 51 Mar  3 17:10 bun -> /Users/misha/Downloads/stomp/bun-darwin-aarch64/bun
lrwxr-xr-x 1 misha wheel 51 Mar  3 17:10 node -> /Users/misha/Downloads/stomp/bun-darwin-aarch64/bun

What is the expected behavior?

I expected that the second run cowsay invocation will work.

What do you see instead?

Second invocation failed because it didn't find working node symlink.

Additional information

The problem is that Bun creates a single directory under /private/tmp keyed by the commit ID of Bun. If the interpreter is later moved, or made inaccessible due to a sandbox (that's how I found this issue) the node symlink trick stops working.

Moreover, this path is hardcoded in run_command.zig, so it cannot be overridden. Cleaning up this directory every time Bun is run is not advisable, as it creates TOCTOU races.

Any one of the following solutions would help:

• Mix into the directory path the path to Bun executable, so that several Bun executables don't stomp on each other's directories.
• Make this path overridable using TMPDIR (this is the last temporary dir Bun uses that's not overridable using TMPDIR).