yt-dlp Pulls Back on Bun Support, Citing ‘Vibe-Coding’ and Security Concerns

A Sudden Pivot in Runtime Support
The maintainers of yt-dlp, the ubiquitous open-source command-line media downloader, have announced a significant retreat from their support of the Bun JavaScript runtime. In a candid GitHub announcement, the project team detailed a move to both limit and deprecate Bun’s role as an ejs-compatible runtime, citing a combination of security vulnerabilities and a fundamental shift in how Bun is being developed.
For users who rely on the ejs library and the JS Challenge framework within yt-dlp, the change introduces a strict version window. Starting with the next release of yt-dlp and ejs, the software will only support Bun versions 1.2.11 through 1.3.14. Any versions falling outside this narrow corridor are effectively unsupported.
The Security Driver: Lockfiles and Supply Chain Risks
The decision to raise the minimum supported version from 1.0.31 to 1.2.11 is not arbitrary; it is a response to a critical failure in how older versions of Bun handle dependencies. According to the announcement, building the ejs package with any Bun version earlier than 1.2.0 causes the ejs lockfile to be ignored.
In the current landscape of software development, ignoring a lockfile is a precarious gamble. With the surge in npm supply chain attacks—where malicious actors inject code into deep-dependency trees—lockfiles serve as the primary defense by ensuring that only vetted, specific versions of a package are installed. By bypassing this mechanism, older versions of Bun inadvertently opened a security door that the yt-dlp team is no longer willing to leave ajar.
Furthermore, the team noted that the ejs test suite simply cannot run on versions prior to 1.2.11, making it impossible to guarantee stability or correctness for users on legacy Bun builds.
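The support window and the lockfile problem described above translate directly into a preflight check that a packager or CI job can run before building ejs with Bun. The script below is an added example written for this article, not code from yt-dlp, ejs or Bun: it parses the output of `bun --version`, classifies the version against the stated 1.2.11 to 1.3.14 window (flagging anything below 1.2.0 separately because that is where the lockfile is ignored), and confirms a lockfile exists in the project directory. The function names, the `bun.lock`/`bun.lockb` filenames it looks for, and the assumption that `bun` is on `PATH` are this example's own.

```python
"""Preflight check: is the installed Bun inside the yt-dlp/ejs support window?

Added example for this article; not part of yt-dlp, ejs or Bun.
"""
import re
import subprocess
from pathlib import Path

# Thresholds taken from the announcement (all bounds inclusive).
LOCKFILE_FIX = (1, 2, 0)     # below this, building ejs ignores the lockfile
MIN_SUPPORTED = (1, 2, 11)   # below this, the ejs test suite cannot run
MAX_SUPPORTED = (1, 3, 14)   # support ceiling: last release from the Zig codebase

# Lockfile names this example looks for (assumption: Bun's text lockfile
# and the older binary lockfile).
LOCKFILE_NAMES = ("bun.lock", "bun.lockb")

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'bun --version' output such as '1.3.14' into a comparable tuple.

    A leading 'v' and any pre-release/build suffix are tolerated; anything
    that does not start with three dotted integers is rejected.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Bun version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version):
    """Return (status, reason) for a parsed version tuple.

    status is one of 'too-old', 'too-new' or 'supported'. Versions below the
    lockfile fix get their own reason because the risk there is a supply chain
    one (unpinned dependencies), not just a missing test suite.
    """
    if version < LOCKFILE_FIX:
        return ("too-old", "Bun < 1.2.0 ignores the ejs lockfile; dependencies "
                           "would be installed unpinned (supply chain risk)")
    if version < MIN_SUPPORTED:
        return ("too-old", "Bun < 1.2.11 cannot run the ejs test suite")
    if version > MAX_SUPPORTED:
        return ("too-new", "Bun > 1.3.14 is past the support ceiling "
                           "(post-Zig rewrite, not vetted by yt-dlp)")
    return ("supported", "inside the 1.2.11 to 1.3.14 window")


def lockfile_present(project_dir):
    """True if the project directory contains a Bun lockfile to pin against."""
    root = Path(project_dir)
    return any((root / name).is_file() for name in LOCKFILE_NAMES)


def installed_bun_version():
    """Run 'bun --version' and parse it; returns None if bun is not on PATH."""
    try:
        out = subprocess.run(["bun", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_version(out)


def preflight(project_dir="."):
    """Combine both checks; returns (ok, message) for use in a build script."""
    version = installed_bun_version()
    if version is None:
        return (False, "bun not found on PATH")
    status, reason = classify(version)
    if status != "supported":
        return (False, f"Bun {'.'.join(map(str, version))} is {status}: {reason}")
    if not lockfile_present(project_dir):
        return (False, "no Bun lockfile found; refusing to build unpinned")
    return (True, f"Bun {'.'.join(map(str, version))} is {reason}; lockfile present")


if __name__ == "__main__":
    ok, message = preflight()
    print(message)
    raise SystemExit(0 if ok else 1)
```

Wiring `preflight()` into a build step makes the policy explicit: a too-old Bun is refused for the lockfile reason rather than silently producing an unpinned dependency tree, and a too-new one is refused until the project decides to vet it.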
The ‘Vibe-Coding’ Controversy
While the security concerns provide a technical justification, the most striking part of the announcement is the criticism of Bun’s current development trajectory. The yt-dlp team expressed alarm over Bun’s recent transition, noting that the runtime was recently rewritten in Rust using Claude, an AI model from Anthropic.
The maintainers characterized the current state of Bun’s development as having shifted toward being “fully vibe-coded.” In developer parlance, “vibe-coding” refers to a process where AI generates large swaths of code based on general prompts and “vibes” rather than rigorous manual architectural planning and deterministic engineering.
For a tool like yt-dlp, which requires extreme precision to handle the volatile nature of video site updates, this lack of predictable engineering is a liability. The team has implemented a “support ceiling” at version 1.3.14 specifically because it represents the final release built from the original Zig codebase. By capping support here, yt-dlp is effectively opting out of the AI-driven rewrite era of Bun until it proves itself stable.
What This Means for the Ecosystem
This move signals a broader tension in the open-source community: the clash between the rapid, AI-accelerated pace of new tool development and the slow, methodical stability required by critical infrastructure software.
Bun support is now officially deprecated. While yt-dlp will maintain the 1.2.11 to 1.3.14 range for as long as it remains functional and secure, the project has explicitly reserved the right to drop Bun entirely if maintenance becomes too burdensome. Users are encouraged to consult the EJS wiki for alternative JavaScript runtimes that offer more predictable long-term support.