TL;DR
Yt-dlp has announced that support for the Bun JavaScript runtime will be limited and deprecated. Only Bun versions 1.2.11 to 1.3.14 will be supported moving forward, citing security and compatibility issues. The change aims to mitigate risks from recent development shifts in Bun.
Yt-dlp has announced that support for the Bun JavaScript runtime will be limited and deprecated in future releases, supporting only Bun versions 1.2.11 through 1.3.14. This change reflects concerns over security vulnerabilities and compatibility issues stemming from recent development shifts in Bun, a JavaScript runtime increasingly used in various projects.
The decision was communicated via a post on Hacker News, where the maintainers explained that support for Bun earlier than version 1.2.11 will be discontinued due to security risks associated with building the ejs package on older Bun versions. Specifically, versions earlier than 1.2.0 cause the ejs lockfile to be ignored, raising significant security concerns amid recent npm supply chain attacks.
Additionally, the support floor was raised to 1.2.11 because the ejs test suite cannot be run with earlier Bun versions. The support ceiling is set at version 1.3.14, which is the last release built from the original Zig codebase. Bun has since been rewritten in Rust, using Claude, and the maintainers describe the resulting development as ‘vibe-coded,’ raising alarms about future stability. Support for Bun will be deprecated entirely if maintaining compatibility becomes too burdensome.
Why It Matters
This development is significant because it highlights ongoing security concerns and stability issues associated with Bun, a JavaScript runtime gaining popularity among developers. For users of yt-dlp, a popular video downloader, the change means they will need to ensure their Bun environment is within the supported versions to avoid disruptions. The move also underscores broader challenges in maintaining compatibility with rapidly evolving open-source projects, especially those undergoing major rewrites or architectural changes.
Background
Bun has experienced rapid development, including a recent rewrite in Rust, which has introduced instability and compatibility challenges. Previously, Bun was based on Zig, but the shift in codebase and ongoing development approach have prompted maintainers of yt-dlp to restrict support to a narrow range of versions. The decision aligns with broader concerns about supply chain security, particularly given recent npm-related attacks that exploit vulnerabilities in package management workflows.
“Support for Bun earlier than version 1.2.11 is being discontinued due to security concerns and testing limitations.”
— Yt-dlp team
“We reserve the right to completely drop support for Bun if maintaining compatibility becomes too burdensome.”
— Yt-dlp team

What Remains Unclear
It is not yet clear how widely used Bun is within the yt-dlp community or whether alternative JavaScript runtimes might be adopted in future updates. The full impact of Bun’s recent development direction, especially its rewrite in Rust, remains to be seen, and the timeline for potential further deprecation is uncertain.

What’s Next
Next steps include the upcoming release of yt-dlp with the updated support range, after which users relying on Bun will need to verify their environment’s version. Developers and users should monitor future updates for any further changes or potential complete removal of Bun support, especially if stability issues escalate.
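The version check described above can be scripted. The following is an added example, not code from yt-dlp or Bun: it classifies a Bun version string against the window stated in this article (1.2.11 through 1.3.14) and reports which stated limit a version violates. The function names are hypothetical, and treating pre-release or canary strings as unrecognized is an assumption made here so the check fails closed.

```shell
#!/bin/sh
# Added example: gate a Bun version on the range given in the article.
# Function names are hypothetical; thresholds come from the article text.

# Convert MAJOR.MINOR.PATCH (optional leading "v") into one comparable integer.
# Anything else, including pre-release/canary suffixes, is rejected (assumption:
# only exact releases count as inside the supported window).
bun_ver_key() {
    v=${1#v}
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v            # split on dots; $v holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Print a verdict; return 0 only for a version inside 1.2.11..1.3.14.
classify_bun() {
    key=$(bun_ver_key "$1") || { echo "unrecognized version string"; return 2; }
    if [ "$key" -lt 1002000 ]; then
        echo "unsupported: below 1.2.0, ejs lockfile is ignored"
    elif [ "$key" -lt 1002011 ]; then
        echo "unsupported: below 1.2.11, ejs test suite cannot run"
    elif [ "$key" -le 1003014 ]; then
        echo "supported"
        return 0
    else
        echo "unsupported: above 1.3.14, newer than the last Zig-built release"
    fi
    return 1
}

# Check the Bun binary on PATH, if there is one.
check_installed_bun() {
    command -v bun >/dev/null 2>&1 || { echo "bun not found on PATH"; return 3; }
    classify_bun "$(bun --version)"
}
```

Call `check_installed_bun` in a CI step or wrapper script and stop on a non-zero exit status before any JavaScript runtime work is handed to Bun.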

Key Questions
Why is yt-dlp deprecating support for Bun?
Support is being deprecated due to security vulnerabilities in older Bun versions and compatibility issues caused by recent development changes, including a rewrite in Rust.
Which Bun versions will still be supported?
Versions 1.2.11 through 1.3.14 will continue to be supported in upcoming yt-dlp releases.
What should users do if they rely on Bun for yt-dlp?
Users should ensure their Bun environment is within the supported version range and stay updated with yt-dlp releases for any further changes.
Could support for Bun be completely removed in the future?
Yes, the yt-dlp team has indicated they reserve the right to fully drop support if maintaining compatibility becomes too burdensome.
Will this affect other JavaScript runtimes supported by yt-dlp?
This change specifically impacts Bun support; other supported runtimes remain unaffected unless further updates are announced.
Source: Hacker News