yt-dlp Cuts Ties With Newer Bun Versions, Citing ‘Vibe-Coding’ and Security Risks

Saran K | May 23, 2026 | 3 min read

    A Sudden Shift in Runtime Support

    The maintainers of yt-dlp, the widely used command-line media downloader, have announced a significant retreat from their support of the Bun JavaScript runtime. In a move that signals a deeper distrust of recent development trends in the JS ecosystem, the project is not only limiting the versions of Bun it will support but is officially deprecating the runtime entirely.

    The announcement came via a GitHub issue, where the project team detailed a narrowing window of compatibility. Starting with the next release of yt-dlp and the associated ejs library, support will be strictly limited to Bun versions 1.2.11 through 1.3.14. Any version outside of this narrow corridor will no longer be officially supported.

    The Security Catalyst

    The decision to raise the minimum supported version from 1.0.31 to 1.2.11 is rooted in a critical security vulnerability. According to the maintainers, building the ejs package with Bun versions earlier than 1.2.0 causes the ejs lockfile to be ignored. In an era defined by increasingly sophisticated npm supply chain attacks, the failure to respect a lockfile is a non-starter for a tool used by millions of developers and power users worldwide.

    The floor was pushed further to 1.2.11 because the ejs test suite—the primary mechanism for ensuring the software doesn’t break during updates—simply cannot run on versions older than that. For the yt-dlp team, the trade-off between backward compatibility and basic functional testing was an easy choice.

    The ‘Vibe-Coding’ Controversy

    While security concerns provided the immediate technical justification, the most striking part of the announcement is the critique of Bun’s internal development philosophy. The yt-dlp team expressed alarm over Bun’s recent architectural shift, specifically noting that the runtime was recently rewritten in Rust with the assistance of Claude, an AI model from Anthropic.

    The maintainers characterized this new direction as “vibe-coding,” a derogatory term in this context suggesting that the software is being developed based on perceived results and AI-generated patterns rather than rigorous, human-led engineering and stability benchmarks. This shift has led yt-dlp to implement a “support ceiling” at version 1.3.14.

    The reasoning is blunt: version 1.3.14 is the final release built from the original Zig codebase. By capping support here, the yt-dlp team is effectively refusing to integrate the AI-influenced Rust rewrite, viewing it as a “future headache” that poses an unacceptable risk to the project’s stability.
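
A version gate for the support window described above, as an added example that is not yt-dlp's or ejs's own code: the three thresholds come from the article, while the function names and status labels are assumptions. It compares versions as integer tuples, because plain string comparison would rank 1.2.9 above 1.2.11, and it rejects anything that is not a plain X.Y.Z string instead of guessing.

```python
import re

# Thresholds as reported in the article; names and labels below are illustrative.
LOCKFILE_RESPECTED_FROM = (1, 2, 0)  # builds with earlier Bun ignore the ejs lockfile
SUPPORT_FLOOR = (1, 2, 11)           # oldest Bun that can run the ejs test suite
SUPPORT_CEILING = (1, 3, 14)         # final release built from the Zig codebase

# Strict on purpose: suffixed strings (pre-release, build metadata) fail closed.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn 'X.Y.Z' (optionally prefixed with 'v') into a tuple of ints."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognized Bun version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify_bun(text):
    """Map a Bun version string onto the support window from the article."""
    version = parse_version(text)
    if version < LOCKFILE_RESPECTED_FROM:
        return "lockfile-ignored"   # supply-chain risk: pinned deps not enforced
    if version < SUPPORT_FLOOR:
        return "below-floor"        # lockfile honored, but test suite cannot run
    if version > SUPPORT_CEILING:
        return "above-ceiling"      # past the last Zig-based release
    return "supported"


def require_supported(text):
    """Raise unless the version is inside the supported window."""
    status = classify_bun(text)
    if status != "supported":
        raise RuntimeError(f"Bun {text.strip()} rejected: {status}")
    return status


if __name__ == "__main__":
    # Constructed sample inputs, not captured output from any real system.
    for sample in ["1.0.31", "1.2.9", "1.2.11", "1.3.14", "1.3.15", "1.10.0"]:
        print(sample, "->", classify_bun(sample))
```
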

    What This Means for Users

    For the majority of yt-dlp users who rely on the default Python environment, this change will be invisible. However, for those utilizing Bun as an ejs-compatible JavaScript runtime to extend the tool’s functionality, the window of stability has just become much smaller.

    The deprecation status means that while the 1.2.11 to 1.3.14 range remains functional for now, the maintainers reserve the right to drop Bun support entirely if it becomes too burdensome to maintain. The project is essentially putting Bun on probation, signaling that they would rather lose the runtime’s performance benefits than deal with the unpredictability of its current development trajectory.

    Users are encouraged to check the EJS wiki for alternative supported JavaScript runtimes, though the team noted that the documentation is still being updated to reflect these specific restrictions.
