Bun Rewrites Its Core in Rust, The Zig Era Is Over

Good morning and welcome to the Builder's Briefing for May sixteenth, twenty twenty-six. I'm Alex, joined as always by Sam, and we have a packed show today — a huge runtime rewrite, a wild day in security disclosures, and some real signals on where AI tooling is heading.

Yeah, honestly, today's news lineup reads like someone set off fireworks in every corner of the ecosystem simultaneously. Let's get into it.

So the big story — Bun has rewritten its core runtime from Zig to Rust. The PR merged, six hundred and fifty-eight comments on Hacker News, and the Zig era for Bun is officially over.

Okay, I'll be honest — when I first saw the PR I thought it was a joke. Bun was the poster child for Zig in production. Like, the single highest-profile project keeping Zig on everyone's radar.

Right, and the rationale is surprisingly pragmatic. It's not that Zig is bad — it's that Rust's ecosystem, the tooling maturity, and critically the hiring pipeline just outscale what Zig can offer today. You can find Rust engineers. Finding Zig engineers at scale is a different story.

That's the part that hits hardest. For anyone building production infrastructure, this is the signal — Deno chose Rust from day one, and now Bun concedes. If you're starting a new CLI tool or runtime today and you pick anything other than Rust, you really need a specific reason why.

For teams already shipping on Bun, expect a transition period. They're targeting performance parity first, but the move to Rust's memory model should actually reduce a class of edge-case crashes that Zig's manual memory management occasionally surfaced. So longer term, this should be a win.

And if you've been writing Bun native plugins — yeah, your workflow just changed. Time to brush up on that Rust.

Alright, shifting to AI news. Anthropic open-sourced what they're calling Agent Skills — basically a composable, reusable format for teaching Claude agents specific capabilities.

This is interesting because it's the closest thing we've seen to a standard plugin interface for agents. Build a skill once, share it across deployments. There's already a project out there that turns any content source into NotebookLM-ready output using this format.

Meanwhile, OpenAI shipped Codex into the ChatGPT mobile app. So now you can kick off code generation tasks from your phone — reviewing PRs on the go, prototyping from the couch.

The real play there is making Codex the default coding surface outside of your IDE. I think this changes how product managers and founders prototype more than it changes how engineers work day to day.

And one more AI item I want to flag — OpenAI is wiring ChatGPT directly into bank accounts through Plaid integration. If you're building in fintech, the general-purpose AI assistant is coming for personal finance workflows.

Yeah, that's a competitive signal for sure. If you're a fintech startup, you need to differentiate on trust, compliance, and domain depth — or risk being commoditized by a chat window. That's a real threat now.

On the launches side, Supertone dropped an ONNX-based text-to-speech engine that runs fully on-device with multilingual support. Three and a half thousand engagement — builders are hungry for this.

If you're currently paying per-request for cloud TTS, this is your path to zero marginal cost. Run it on the edge, own your inference. That's the dream, and it's actually shipping now.

Also worth mentioning — the Rust compiler project is formalizing an official policy for LLM-generated contributions. This is going to become the template for how major open-source projects handle AI-authored code.

That one's quiet but important. Expect provenance and review requirements to tighten across the whole ecosystem. If you contribute to big projects, pay attention to how this evolves.

Okay, security. Buckle up because today was intense. A new Nginx vulnerability called Nginx-Rift is public with exploit code already on GitHub. If you're running Nginx in production — and let's be honest, you probably are — check your exposure now.

And that's not even the wildest one. There's now a public kernel memory corruption exploit targeting Apple's M5 silicon. First real proof that M-series chips aren't immune at the kernel level.

On top of that, Google's Project Zero documented a full zero-click exploit chain for the Pixel ten. And research dropped showing Mullvad VPN exit IPs are surprisingly fingerprintable — which kind of undermines the whole commercial VPN anonymity assumption.

All of this in one day. If you're not running automated vulnerability scanning against your stack — something like Nuclei with its community-driven YAML templates — today is literally your wake-up call. Pair Nuclei with that Nginx-Rift disclosure for immediate testing.

Quick fun ones before we wrap — OCaml is running on a satellite as part of the Borealis mission. Functional programming in orbit. The type system's formal verification properties doing real work where failure literally isn't an option.

I love that so much. Also, Start9 shipped a RISC-V-based consumer router — open hardware networking is finally becoming real. And apparently Amazon workers are making up tasks just to hit their internal AI usage quotas, which is… painfully on brand.

Ha! Alright, three patterns to act on. One — on-device inference is production-ready. If you're still paying per-request for TTS or translation, prototype a local alternative this weekend. Two — Rust's gravity in developer tooling is undeniable after Bun's migration. The ecosystem advantages compound faster than anything else out there.

And three — the security surface is widening fast. Nginx, M5 kernel, Pixel zero-clicks, all in one day. Automated scanning isn't optional anymore. Get your tooling in place now, not after the incident.

That's the briefing for May sixteenth. Links to everything we mentioned are in the show notes. Stay sharp, keep building, and we'll see you tomorrow.

See you tomorrow, folks. Go patch your Nginx.