TL;DR
Yt-dlp has announced that support for Bun as a JavaScript runtime will be limited and deprecated. Only specific versions will be supported, citing security and compatibility concerns. The change aims to prevent future issues but may lead to complete removal of Bun support.
Yt-dlp has announced that support for Bun as a JavaScript runtime will be limited to specific versions and eventually deprecated, citing security vulnerabilities and compatibility issues. This change affects users relying on Bun for ejs support within yt-dlp, a popular media downloader tool.
According to the official announcement, yt-dlp will now support only Bun versions 1.2.11 through 1.3.14. The minimum supported version has been raised from 1.0.31 to 1.2.11 due to security concerns related to npm supply chain attacks, as building the ejs package with earlier Bun versions results in ignored lockfiles, creating potential security risks.
The support floor is set at Bun 1.2.11 because earlier versions cannot run the ejs test suite, which is essential for maintaining compatibility. Additionally, Bun has recently been rewritten in Rust using Claude, a development shift that has raised concerns among the yt-dlp developers about future stability and maintenance complexity.
The support ceiling is set at Bun 1.3.14, the last release based on the original Zig codebase. Support for Bun will be deprecated, meaning yt-dlp may entirely drop support if maintaining it becomes too burdensome. The announcement notes that the official EJS wiki has not yet been updated to reflect these changes.
Why It Matters
This development matters because yt-dlp is widely used for downloading media content, and its support for JavaScript runtimes like Bun impacts users who rely on this setup. The decision to limit and deprecate Bun support aims to enhance security and stability but could inconvenience users who depend on unsupported Bun versions or anticipate future support removal.
The change underscores ongoing concerns about the stability of Bun, especially after its recent rewrite in Rust, which has caused apprehension among developers. It also highlights the importance of security in open-source projects, especially with recent npm supply chain attacks emphasizing the need for secure dependency management.
Background
Yt-dlp’s support for Bun has been part of its effort to support various JavaScript runtimes for executing embedded scripts within media downloads. Bun, initially praised for its performance, has recently undergone significant changes, including a rewrite in Rust, which has raised stability and security questions. Prior to this announcement, support was broader, but recent development shifts prompted a reassessment of compatibility and security risks.
The decision aligns with broader industry concerns about supply chain security and the stability of emerging JavaScript runtimes. Support for Bun was initially introduced to leverage its performance benefits, but ongoing development issues have prompted the yt-dlp team to tighten support parameters.
“Support for Bun will now be limited to versions 1.2.11 through 1.3.14, with support for earlier versions deprecated due to security and compatibility issues.”
— yt-dlp developers
“We may completely drop Bun support if it becomes too burdensome to maintain, especially given recent changes in its development.”
— yt-dlp maintainers
What Remains Unclear
It is not yet clear whether the yt-dlp team will fully remove Bun support in future releases or continue supporting it only within the specified version range. The impact on users relying on unsupported versions remains uncertain, as does the timeline for any further changes.
What’s Next
Next steps include the upcoming release of yt-dlp with these support changes implemented. Users are advised to verify their Bun versions and prepare for possible transition away from Bun if their current setup falls outside the supported range. The yt-dlp team may issue further updates depending on how Bun’s development evolves.
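Added example, not from yt-dlp or the original article: a POSIX shell check that classifies a Bun version against the 1.2.11 through 1.3.14 range cited above, comparing components numerically so that 1.2.9 sorts below 1.2.11. The function names and the fail-closed handling of pre-release suffixes are assumptions made here.

```shell
#!/bin/sh
# Added example: gate on the Bun range cited in the article.
FLOOR="1.2.11"     # minimum supported version, from the article
CEILING="1.3.14"   # maximum supported version, from the article

# Compare two X.Y.Z versions numerically; prints -1, 0 or 1.
# String comparison would wrongly rank 1.2.9 above 1.2.11.
ver_cmp() {
  _old_ifs=$IFS; IFS=.
  set -- $1 $2            # split both versions into six fields
  IFS=$_old_ifs
  for _pair in "$1:$4" "$2:$5" "$3:$6"; do
    _a=${_pair%%:*}; _b=${_pair##*:}
    if [ "$_a" -lt "$_b" ]; then echo -1; return 0; fi
    if [ "$_a" -gt "$_b" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Prints: supported | below-floor | above-ceiling | unparseable
bun_support_status() {
  _v=${1%%+*}             # drop "+<revision>" build metadata (assumed format)
  _v=${_v#v}              # tolerate a leading "v"
  case "$_v" in
    # Anything not strictly X.Y.Z (including pre-release tags such as
    # "-canary") is rejected rather than guessed at: fail closed.
    *[!0-9.]*|*.*.*.*|.*|*.|*..*) echo "unparseable"; return 0 ;;
    *.*.*) ;;
    *) echo "unparseable"; return 0 ;;
  esac
  if [ "$(ver_cmp "$_v" "$FLOOR")" -lt 0 ]; then echo "below-floor"
  elif [ "$(ver_cmp "$_v" "$CEILING")" -gt 0 ]; then echo "above-ceiling"
  else echo "supported"
  fi
}

# Report on the Bun found on PATH, if any.
if command -v bun >/dev/null 2>&1; then
  echo "bun $(bun --version): $(bun_support_status "$(bun --version)")"
fi
```

In CI, treat any result other than `supported` as a failure so that an unrecognised version string cannot pass the gate.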
Key Questions
Why is yt-dlp deprecating Bun support?
Due to security concerns related to npm supply chain attacks and compatibility issues stemming from recent changes in Bun’s development, yt-dlp is limiting and eventually deprecating support for Bun.
Which Bun versions will still be supported?
Versions 1.2.11 through 1.3.14 will be supported in upcoming yt-dlp releases.
Will Bun support be completely removed?
Support may be entirely dropped if maintaining it becomes too burdensome, especially given recent development changes in Bun.
How does this affect users relying on Bun for yt-dlp?
Users should verify their Bun version is within the supported range; those on unsupported versions may experience compatibility issues or need to switch runtimes.
Source: Hacker News