Yt-dlp – [Announcement] Bun support is now limited and deprecated

Yt-dlp has announced that support for Bun as an ejs-compatible JavaScript runtime will be limited to versions 1.2.11 through 1.3.14 and will eventually be deprecated. This change is driven by security concerns and compatibility issues with recent Bun versions, affecting users relying on Bun for scripting within yt-dlp.

The developers of yt-dlp stated that support for Bun will be restricted to a specific version range — from 1.2.11 to 1.3.14 — in upcoming releases. The decision follows the raising of the minimum required Bun version from 1.0.31 to 1.2.11, due to security vulnerabilities associated with older versions, especially considering recent npm supply chain attacks. Additionally, the support floor was increased because the ejs test suite cannot run on Bun versions earlier than 1.2.11, and Bun’s recent rewrite in Rust has raised concerns about its future stability and development trajectory.

The support ceiling at 1.3.14 is set because it is the last release built from Bun’s original zig codebase. The yt-dlp team reserves the right to completely drop support for Bun if maintaining compatibility becomes too burdensome, emphasizing their focus on security and stability for users.

Why It Matters

This development matters because it reflects ongoing concerns about the security and stability of JavaScript runtimes used in media downloading tools like yt-dlp. Limiting Bun support aims to mitigate potential security vulnerabilities and compatibility issues, but also signals a shift away from newer or experimental runtime environments. Users relying on Bun for scripting within yt-dlp will need to adapt to these changes, and developers may need to consider alternative solutions.

Background

Bun is an alternative JavaScript runtime that has gained attention for its performance and modern features, but recent developments, including its rewrite in Rust, have raised questions about its stability and future support. Previously, yt-dlp supported a broader range of Bun versions, but security concerns and compatibility challenges prompted this restriction. The change aligns with broader industry efforts to improve supply chain security amid increasing npm-related vulnerabilities.

“Support for Bun will be limited to versions 1.2.11 through 1.3.14, and support will be deprecated if maintaining it becomes too burdensome.”

— yt-dlp developers

“The rationale for the change is twofold: raising the minimum required Bun version due to security concerns and compatibility issues with the test suite.”

— source from hacker news

What Remains Unclear

It is not yet clear how many users rely on Bun within yt-dlp or how quickly support might be fully dropped if maintenance becomes too burdensome. The exact timeline for complete deprecation has not been specified, and future development of Bun remains uncertain following its rewrite in Rust.

What’s Next

Next steps include the release of yt-dlp updates that enforce the new version range for Bun support. Users are advised to verify their runtime environment and consider alternative JavaScript runtimes if necessary. Developers will monitor Bun’s development and security status to decide whether to continue support or fully deprecate it in future versions.

Key Questions

Why is yt-dlp limiting Bun support now?

Due to security vulnerabilities in older Bun versions and compatibility issues with recent releases, yt-dlp is restricting support to a specific version range to ensure stability and security.

Will Bun support be completely removed in the future?

The yt-dlp team reserves the right to fully deprecate Bun support if maintaining it becomes too burdensome or insecure, but no specific timeline has been provided. Learn more about Yt-dlp’s support changes.

What versions of Bun will still be supported?

Versions 1.2.11 through 1.3.14 will be supported in upcoming yt-dlp releases.

How does this affect users relying on Bun for scripting?

Users will need to ensure they are using supported Bun versions within the specified range or consider switching to alternative JavaScript runtimes to avoid compatibility issues.

Source: Hacker News