Bun founder denies any connection to Claude Code data leak; immediately locks the post after one sentence

The founder of the open-source JavaScript runtime Bun, Jarred Sumner, personally stepped in to respond to the allegations, denying that Bun was the fundamental reason behind the supposed Claude Code source code leak by Anthropic’s flagship product. The post quickly drew responses from nearly a hundred people using emojis, with a large number of developers flooding into the comments. After Sumner posted his response, he locked the thread and modified the title to manage and end the discussion.

GitHub Issue #28001: Should Bun be blamed for the Claude Code leak?

Developer jakeg’s attribution logic has some apparent persuasive power: Anthropic acquired Bun in December 2025, and the acquisition announcement explicitly stated that “Bun is a key extension of the Claude Code infrastructure.” Jarred Sumner and his team also joined Anthropic after the acquisition. In addition, Bun has a bug where, even with the development: false configuration, Bun.serve() still exposes .map files to the browser. Meanwhile, Claude Code’s npm package unexpectedly ended up including a source map of about 60MB—together, the three elements seem to form a causal chain.

Sumner’s response was direct and concise: “This has nothing to do with Claude Code. This bug targets Bun’s frontend development server. Claude Code is not a frontend application—it’s a TUI (terminal user interface program), and it does not compile standalone executables using Bun.serve().” He then locked the issue to prevent non-collaborators from continuing to comment, and modified the title to clearly label it as “Bun’s frontend development server” to prevent incorrect attribution from spreading further.

The fundamental differences between the two bugs: why they are completely different technically

Sumner’s denial is technically supported by clear evidence: the two issues are entirely different types of errors:

Bun #28001 (frontend server bug): Under the development: false configuration, Bun.serve() still exposes .map mapping files to the browser client; the impact is limited to web applications that use Bun as the frontend development server; since the submission on March 11, it has been three weeks without being merged into a fix

Claude Code leak (CI/CD packaging configuration error): The v2.1.88 npm package accidentally bundled a 60MB source map file during the build; Anthropic’s official description is “a release packaging problem caused by human error”—in essence, .npmignore failed to exclude the relevant files; Claude Code is a TUI terminal application and does not use the frontend service path of Bun.serve()

Bun’s bundler and its frontend development server are completely independent modules. Although Claude Code uses Bun as its build tool, its technical pathway has no intersection with the frontend server functionality involved in #28001.

Background on the Claude Code leak: 512K lines of code accidentally becoming public information

The starting point of this technical controversy was a major mistake discovered by Solayer Labs’ Chaofan Shou at the early hours of March 31: in Claude Code v2.1.88’s npm package, 512,000 lines of TypeScript code, 1,906 files, and a full 59.8MB source map were accidentally included. Within a few hours, the code was mirrored to GitHub, and the number of forks surpassed 41,000.

It is worth noting that this is not Anthropic’s first time making the same mistake—when Claude Code was first released in February 2025, the same leak had already happened once, for the same reason: the Bun build tool generates source maps by default, and .npmignore failed to correctly exclude those files. Community analysis of the leaked code revealed secrets about Claude Code’s performance: among the 512K lines, only 1.6% (about 8,000 lines) directly calls the AI model; the remaining 98.4% consists of a query engine, tool system, safety controls, and a multi-agent collaboration architecture—forming a complete execution environment centered on an LLM, rather than a typical chat interface.

Frequently asked questions

Did Bun bug #28001 cause the Claude Code source code leak?

No. The two issues are fundamentally different technically: Bun #28001 is a problem where, under a specific configuration, the frontend development server accidentally exposes source maps to the browser; the Claude Code leak is a CI/CD packaging configuration mistake during release, causing build artifacts to be mistakenly included in the npm package. Claude Code is a TUI terminal application and does not use Bun’s frontend development server. Jarred Sumner’s denial is technically accurate.

Why did Jarred Sumner choose to lock the post instead of letting the discussion continue?

Sumner has already provided a clear and concise technical explanation, but the nature of the public issue means that incorrect technical attribution could continue to spread, harming Bun’s reputation. Locking the thread and modifying the title is a standard management action to cut off the further spread of incorrect information after the technical explanation is complete, especially for issues with misleading titles—this is a common practice in open-source projects.

This Claude Code leak—how many times has the same problem happened before?

This is the second time. When Claude Code was first released in February 2025, the same source map leak had already occurred once, for exactly the same reason—Bun’s build tool generates source maps by default, and the .npmignore configuration failed to correctly exclude those files. After the first leak, Anthropic did not add sufficient safeguards into the CI/CD process, ultimately causing v2.1.88 to repeat the same mistake.