Bun support is now limited and deprecated

The article announces that yt-dlp is limiting and deprecating support for Bun as a JavaScript runtime due to compatibility and security issues. Only Bun versions 1.2.11 through 1.3.14 will be supported, with the minimum version raised to address security concerns from ignored lockfiles and the maximum version set because Bun was rewritten in Rust using Claude, moving away from its original Zig codebase. Deprecation means yt-dlp may fully drop Bun support in the future if maintaining it becomes too burdensome.

Announcement #16766

Description

Due to foreseeable compatibility and security issues, yt-dlp's support for Bun as an ejs-compatible JavaScript runtime is being both limited and deprecated.

As of the next yt-dlp and/or ejs release, only Bun versions 1.2.11 through 1.3.14 will be supported.

The rationale for this change is twofold:

- The minimum required version is being raised from 1.0.31 to 1.2.11 because building the ejs package with a version earlier than 1.2.0 results in the ejs lockfile being ignored, which is a significant security concern for users when considering all of the recent npm supply chain attacks. Additionally, the support floor is being bumped to 1.2.11 instead of 1.2.0 because the ejs test suite cannot be run with versions of Bun earlier than 1.2.11.
- Bun was recently rewritten in Rust using Claude, and its development seems to have taken a turn towards being fully vibe-coded. This is alarming and disappointing for a number of reasons, and frankly it seems like a future headache that we'd prefer to avoid. We are adding a support ceiling of version 1.3.14, as that is the last release built from the original Zig codebase.

Bun support will also be deprecated.
This means that while yt-dlp will continue to support this narrower range of Bun versions for as long as they're able to meet the needs of yt-dlp and ejs, we reserve the right to completely drop support for Bun should it at any point become too burdensome to maintain.

See the EJS wiki article for more information about supported JavaScript runtimes, but note that it has not yet been updated to reflect the changes announced in this post.

Before commenting, please ask yourself: Do I actually care about using Bun with yt-dlp? Or am I here because I followed a link on hackernews and I love posting?
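
A version gate for the support window announced above, as an added example that is not yt-dlp's or ejs's own code. It assumes `bun --version` prints a bare x.y.z (optionally with `+build` metadata) and fails closed on anything else; the function names are hypothetical.

```python
import re

# Support window stated in the announcement (inclusive on both ends).
MIN_SUPPORTED = (1, 2, 11)
MAX_SUPPORTED = (1, 3, 14)

# Accept "1.2.11", "v1.2.11" and "1.2.11+build"; a "-prerelease" suffix is
# rejected because a pre-release sorts below the release it precedes.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+[0-9A-Za-z.-]+)?$")


def parse_bun_version(output):
    """Parse the text printed by `bun --version` into an integer triple.

    Returns None when the text is not a recognisable x.y.z version, so that
    callers can refuse the runtime instead of guessing.
    """
    match = _VERSION_RE.match(output.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify_bun_version(output):
    """Return 'supported', 'too_old', 'too_new' or 'unknown'."""
    version = parse_bun_version(output)
    if version is None:
        return "unknown"
    # Integer tuples compare numerically, so 1.2.9 sorts below 1.2.11;
    # comparing the raw strings would put "1.2.9" above "1.2.11".
    if version < MIN_SUPPORTED:
        return "too_old"
    if version > MAX_SUPPORTED:
        return "too_new"
    return "supported"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real runs.
    samples = ["1.0.31", "1.2.9", "1.2.11", "1.3.14+abc123",
               "1.3.15", "1.2.11-canary.1", "garbage"]
    for sample in samples:
        print(f"{sample:18} -> {classify_bun_version(sample)}")
```

Only the "supported" result should let a build or CI job proceed; "unknown" is treated the same as an out-of-range version.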