yt-dlp Limits Bun Support After ‘Vibe-Coding’ Shift and Security Concerns

Saran K | May 22, 2026 | 3 min read

    A Sudden Shift in Runtime Support

    The maintainers of yt-dlp, the widely used open-source command-line media downloader, have announced a significant pivot regarding their support for Bun. In a recent public notification, the project stated that Bun’s role as an ejs-compatible JavaScript runtime is being both limited and deprecated. This decision marks a sharp departure from previous compatibility goals, driven by a mix of technical security failures and a fundamental disagreement with the current trajectory of Bun’s development.

    The move specifically affects the ejs package, which yt-dlp utilizes. Starting with the next release of yt-dlp and ejs, the project will only support a very narrow window of Bun versions: from 1.2.11 through 1.3.14. For users operating outside this specific range, the runtime will no longer be officially supported, creating a restrictive environment for those who preferred Bun over more traditional runtimes like Node.js.

    The Security Catalyst

    The decision to raise the minimum supported version of Bun from 1.0.31 to 1.2.11 was not arbitrary. According to the project’s announcement, building the ejs package with any Bun version earlier than 1.2.0 causes the ejs lockfile to be ignored. With npm supply chain attacks increasingly sophisticated and frequent, ignoring a lockfile is a critical weakness. A lockfile ensures that the exact same dependency versions are installed in every environment; when it is ignored, a build can resolve to newer, unreviewed releases of a dependency, including a compromised one.

    Furthermore, the project noted a technical roadblock: the ejs test suite simply cannot be executed on Bun versions older than 1.2.11. For a tool as mission-critical and widely deployed as yt-dlp, the inability to run comprehensive tests on a supported runtime is an unacceptable risk to stability.
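An added example, not code from yt-dlp, ejs or Bun: a pre-flight gate a build script could run before using Bun, classifying a version string against the thresholds reported above. The function names and sample strings are constructed, and rejecting anything other than a plain MAJOR.MINOR.PATCH string is an assumption made so the check fails closed.

```python
import re

# Thresholds as reported in the article; tuples compare numerically,
# so 1.2.9 sorts below 1.2.11 (a plain string comparison would not).
LOCKFILE_HONORED_FROM = (1, 2, 0)  # older Bun ignores the ejs lockfile at build time
SUPPORT_FLOOR = (1, 2, 11)         # oldest Bun that can run the ejs test suite
SUPPORT_CEILING = (1, 3, 14)       # last release built from the Zig codebase

_PLAIN_RELEASE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_bun_version(text):
    """Parse a version string such as the output of `bun --version`.

    Assumption: only plain MAJOR.MINOR.PATCH is accepted. Anything else
    (canary or other suffixed builds, empty output) fails closed.
    """
    m = _PLAIN_RELEASE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Bun version: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Return (allowed, reason) for a Bun version string."""
    try:
        v = parse_bun_version(text)
    except ValueError as exc:
        return False, str(exc)
    if v < LOCKFILE_HONORED_FROM:
        return False, "older than 1.2.0: ejs lockfile is ignored at build time"
    if v < SUPPORT_FLOOR:
        return False, "older than 1.2.11: ejs test suite cannot run"
    if v > SUPPORT_CEILING:
        return False, "newer than 1.3.14: above the support ceiling"
    return True, "within the supported window 1.2.11 through 1.3.14"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real systems.
    samples = ["1.0.31", "1.2.9", "1.2.11", "1.3.14", "1.3.15", "1.10.0", "1.3.14-canary.1"]
    for sample in samples:
        allowed, reason = classify(sample)
        print(f"{sample:>16}  {'OK  ' if allowed else 'DENY'}  {reason}")
```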

    ‘Vibe-Coding’ and the Rust Transition

    Perhaps the most striking part of the announcement is the project’s critique of Bun’s recent development philosophy. The yt-dlp team pointed to the fact that Bun was recently rewritten in Rust—reportedly with the assistance of Claude, an AI model—as a red flag. The maintainers described the current state of Bun’s development as having taken a turn toward being “fully vibe-coded,” a derogatory term in software engineering suggesting that development is driven by intuition and AI-generated guesses rather than rigorous engineering and architectural planning.

    This shift has led yt-dlp to implement a “support ceiling” at version 1.3.14. The developers explained that this version represents the final release built from the original Zig codebase. By capping support here, yt-dlp is essentially attempting to insulate itself from the perceived instability and unpredictability of the new Rust-based iterations of Bun.

    What This Means for Users

    While Bun is not being removed entirely today, the “deprecated” status serves as a clear warning. The yt-dlp team has reserved the right to drop Bun support completely if the maintenance burden becomes too high. For the average user, this may not result in an immediate break in functionality, but for power users and developers integrating yt-dlp into larger automated workflows, it signals a need to migrate toward more stable, traditionally engineered runtimes.

    The ejs wiki, which serves as the primary documentation for supported JavaScript runtimes, has not yet been updated to reflect these changes, but the project’s public notification serves as the definitive current policy. As the software landscape continues to grapple with the integration of LLMs in core infrastructure coding, the yt-dlp situation highlights a growing tension between rapid, AI-assisted iteration and the strict reliability required by open-source tooling.
