Bun Is Being Rewritten from Zig to Rust

Good morning and welcome to the Builder's Briefing for May sixth, twenty twenty-six. I'm Alex, here with Sam, and we have a packed one today — a major runtime rewrite shaking up the JavaScript ecosystem, some really practical AI cost numbers, and a container security bug you need to patch right now.

Yeah, and honestly the big story today had me doing a double-take when I saw the commit land. Let's get into it.

So here it is — Bun is being rewritten from Zig to Rust. Jarred Sumner's commit dropped yesterday, and this isn't some experimental branch. It touches the core runtime. The full thing is getting ported.

This is huge. And honestly? Not entirely surprising. I mean, Zig is a fantastic language, but the ecosystem just never caught up. If you're building something that millions of developers depend on, you need a deep package ecosystem, mature tooling, and frankly, people you can hire. Rust has all three.

Exactly. And for folks shipping on Bun today — nothing breaks right now. The Zig codebase keeps working, keeps shipping releases. But long-term, this is the play for stability. Rust's borrow checker catches entire classes of memory bugs that Zig leaves to developer discipline.

Right, and what's wild is the timing. This lands the same week as that widely-discussed post from Tweede Golf arguing that async Rust basically never left MVP state. So Bun is migrating to a language whose async story is still considered half-baked. There's real irony there.

It's a great point. I think we'll either see the Bun team push Rust's async ergonomics forward — which would be a gift to the whole ecosystem — or they'll lean on their own event loop abstractions and kind of sidestep the async Rust pain entirely. Either way, this is the biggest runtime architecture decision in the JS world since Deno chose Rust back in twenty eighteen.

And it's another data point in the broader trend. If you're choosing a systems language for a new project — Zig is still excellent for embedded and kernel-adjacent stuff, but for application-level systems programming, Rust just keeps winning the gravity war.

Alright, let's talk AI. Google shipped multi-token prediction drafter models for Gemma four. If you're self-hosting Gemma, this is basically a free latency win — plug in the drafter, get two to three X faster generation with no quality loss through speculative decoding.

That's a really nice incremental improvement. No drama, just genuinely useful. I also want to flag the local deep research story — someone got an open-source research agent hitting roughly ninety-five percent accuracy on SimpleQA running Qwen three point six twenty-seven B locally on a thirty-ninety.

Yeah, with ten-plus search engine integrations including arXiv and PubMed. If you're building internal research tools, that's a strong starting point. Everything runs locally and encrypted. Link in the briefing.

Now here's the one that made me stop and think — Reflex benchmarked agent computer-use against structured API calls, and found a forty-five X cost gap. Forty-five times more expensive to have an agent click around a screen than to just call an API.

That number is staggering. And the takeaway is so clear — don't use screen-scraping agents where a proper API integration exists. Save computer-use for the genuinely unstructured stuff where there is no API. This is basic cost discipline, but I think a lot of teams are skipping it because computer-use demos look so cool.

Absolutely. And on the agent tooling front, there's a neat project called Engram — it's a Go binary that gives any coding agent persistent long-term memory using SQLite and FTS5, exposed as an MCP server. If your agents keep forgetting project context between sessions, this is a drop-in fix.

That's interesting because it's agent-agnostic — CLI, HTTP, TUI interfaces. And it directly addresses that critique piece we also saw this week about organizations deploying AI without fixing their information architecture. Everyone's got individual AI productivity, but organizational knowledge stays siloed.

Right — the gap isn't in individual smarts, it's in shared context. That's a product opportunity for anyone building AI-powered knowledge tools.

Let's shift to dev tools. We already mentioned the async Rust critique — if you're starting a new Rust project, seriously consider whether you actually need async or if blocking I/O with threads is just simpler for your use case. It's not a cop-out, it's pragmatic.

Totally agree. Also trending this week — DocuSeal, an open-source DocuSign alternative. Forty-six hundred engagements. If you're building a SaaS that needs document signing workflows, embedding this could save you from a painful DocuSign API bill and vendor lock-in.

And one more Rust sighting — Brush, a bash-compatible shell written in Rust. Interesting for dev containers or embedded Linux where you want shell compatibility without shipping actual bash.

Rust everywhere. Speaking of infrastructure — Docker twenty-nine just switched the default image store to containerd. If you're running CI/CD pipelines, test your image builds because some edge cases around multi-platform manifests behave differently now.

And on the security side, two things that need attention. First — a multi-tenant auth vulnerability found in a DoD contractor's system. Any authenticated user could access other tenants' data. Zero auth on the tenant boundary. If you're building multi-tenant SaaS, test tenant isolation as aggressively as you test auth. Row-level security is not optional.

Yikes. And the second one?

A container copy bug — CVE twenty twenty-six dash three one four three one — that bypasses rootless container protections. If you're running rootless Podman or Docker in CI, patch immediately. This defeats the security model you're relying on.

That's scary because rootless is supposed to be the safe option. Definitely patch that today.

Quick hits! iOS twenty-seven adds a 'Create a Pass' feature to Apple Wallet — no developer account needed for simple passes. If you're building loyalty or ticketing features, this dramatically lowers the friction to get into users' wallets.

Oh, and this one made me smile — the 555 timer turns fifty-five years old this week. Happy birthday to the little chip that taught a generation of engineers what oscillation means.

Also, apparently about ten percent of AMC movie showings sell zero tickets, and someone built a site to find them for you. Link in the briefing if you want a private theater experience.

That's the most useful hack I've heard all week.

So pulling it all together — Rust keeps consolidating as the default for systems-level product infrastructure. Bun's migration, Pingora's traction, Brush — all pointing the same direction. The async pain is real, but the ecosystem gravity is undeniable.

And on the AI side, the story is cost discipline. Computer-use is forty-five X more expensive than APIs. Agents need persistent memory to stop being expensive amnesiacs. Invest in structured integrations first, and give your agents memory before you give them more capabilities.

That's the briefing for May sixth, twenty twenty-six. All the links are in the show notes. If something we covered today changes how you're building, we'd love to hear about it.

Go patch that container bug, give your agents some memory, and we'll see you tomorrow. Happy building, everyone.