TL;DR
Yt-dlp has announced that support for the Bun JavaScript runtime will be limited to a narrow version range and eventually deprecated. This change aims to address security and compatibility concerns. The support will be maintained only as long as it remains manageable.
Yt-dlp has announced that support for the Bun JavaScript runtime will be limited to versions 1.2.11 through 1.3.14 and will be deprecated in future releases, citing security and compatibility concerns.
The change is driven by security issues related to npm supply chain attacks and by technical limitations. The minimum supported Bun version is being raised from 1.0.31 to 1.2.11 because earlier versions cause the ejs lockfile to be ignored, posing security risks. Additionally, the support floor is set at 1.2.11 because the ejs test suite cannot run with Bun versions earlier than that. Bun’s recent rewrite in Rust using Claude and its shift toward being fully vibe-coded have raised concerns about future stability and maintainability. The support ceiling is set at 1.3.14, the last release from Bun’s original Zig codebase.
Why It Matters
This development matters because it impacts users relying on Bun for JavaScript execution within yt-dlp, a popular media downloader. The move reflects ongoing concerns about security vulnerabilities in npm supply chains and the stability of Bun’s evolving codebase. Developers and users need to be aware of these limitations and plan accordingly, especially if they depend on Bun for their workflows.
Background
Bun, a JavaScript runtime alternative to Node.js, was rewritten in Rust using Claude and has recently shifted towards a vibe-coded development style. Prior to this, support for Bun in yt-dlp was broader, but recent security issues and technical challenges prompted the change. The decision aligns with broader industry concerns about supply chain security and the stability of rapidly evolving software projects. The announcement indicates a cautious approach, supporting only specific Bun versions that meet security and testing requirements.
“Support for Bun is being limited to versions 1.2.11 through 1.3.14 and will be deprecated in future releases due to security and compatibility concerns.”
— Yt-dlp developers
“We reserve the right to completely drop support for Bun should it become too burdensome to maintain.”
— Yt-dlp team
What Remains Unclear
It is not yet clear how many users are affected or how quickly support might be fully deprecated beyond the announced version range. The long-term stability of Bun remains uncertain given its recent codebase rewrites and development direction.
What’s Next
Next steps include the release of yt-dlp updates supporting only the specified Bun versions and possible future removal of Bun support. Users relying on Bun should monitor upcoming yt-dlp releases and consider alternative JavaScript runtimes if needed.
Key Questions
Why is yt-dlp limiting Bun support?
Support is limited due to security concerns related to npm supply chain attacks and technical issues with older Bun versions, which hinder testing and stability.
Will Bun support be completely removed?
Yes, yt-dlp reserves the right to fully deprecate and remove Bun support if maintaining it becomes too burdensome or unstable.
Which Bun versions will still be supported?
Versions 1.2.11 through 1.3.14 will continue to be supported in upcoming yt-dlp releases.
How does this affect users relying on Bun?
Users should ensure they operate within the supported version range or consider switching to other JavaScript runtimes to avoid compatibility issues.
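One way to check that an installed Bun falls inside the range given above, as an added example that is not yt-dlp's own code. The function names are hypothetical; the bounds are the ones stated in this article, and the script assumes `bun --version` prints a plain `MAJOR.MINOR.PATCH` string.

```shell
#!/bin/sh
# Added example, not yt-dlp code. Bounds are the ones stated in the article.
BUN_MIN="1.2.11"
BUN_MAX="1.3.14"

# Print MAJOR.MINOR.PATCH as one comparable integer (fields assumed < 1000).
# Fails for anything else, so canary/suffixed builds are rejected, not guessed.
version_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Succeeds only if $1 lies in [BUN_MIN, BUN_MAX], compared numerically:
# a plain string comparison would sort 1.2.9 above 1.2.11.
bun_version_supported() {
    v=$(version_to_int "$1") || return 1
    lo=$(version_to_int "$BUN_MIN") || return 1
    hi=$(version_to_int "$BUN_MAX") || return 1
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Check the bun on PATH. Returns 0 in range, 1 out of range, 2 if absent.
check_installed_bun() {
    command -v bun >/dev/null 2>&1 || { echo "bun: not found" >&2; return 2; }
    installed=$(bun --version 2>/dev/null) || return 2
    if bun_version_supported "$installed"; then
        echo "bun $installed is inside $BUN_MIN..$BUN_MAX"
    else
        echo "bun $installed is outside $BUN_MIN..$BUN_MAX" >&2
        return 1
    fi
}
```

Source the file and call `check_installed_bun` in a wrapper or CI step before yt-dlp runs, failing the job on a non-zero return.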
Source: Hacker News