Yt-dlp – [Announcement] Bun support is now limited and deprecated

TL;DR

Yt-dlp will now support only a narrow range of Bun versions (1.2.11 to 1.3.14) and will deprecate support altogether if maintaining it becomes too burdensome. The change addresses security and compatibility concerns.

Yt-dlp has announced that support for Bun as an ejs-compatible JavaScript runtime will be limited to versions 1.2.11 through 1.3.14 and will eventually be deprecated. This change is driven by security concerns and compatibility issues with recent Bun versions, affecting users relying on Bun for scripting within yt-dlp.

The developers of yt-dlp stated that support for Bun will be restricted to a specific version range — from 1.2.11 to 1.3.14 — in upcoming releases. The decision follows the raising of the minimum required Bun version from 1.0.31 to 1.2.11, due to security vulnerabilities associated with older versions, especially considering recent npm supply chain attacks. Additionally, the support floor was increased because the ejs test suite cannot run on Bun versions earlier than 1.2.11, and Bun’s recent rewrite in Rust has raised concerns about its future stability and development trajectory.

The support ceiling at 1.3.14 is set because it is the last release built from Bun’s original zig codebase. The yt-dlp team reserves the right to completely drop support for Bun if maintaining compatibility becomes too burdensome, emphasizing their focus on security and stability for users.

Why It Matters

This development matters because it reflects ongoing concerns about the security and stability of JavaScript runtimes used in media downloading tools like yt-dlp. Limiting Bun support aims to mitigate potential security vulnerabilities and compatibility issues, but also signals a shift away from newer or experimental runtime environments. Users relying on Bun for scripting within yt-dlp will need to adapt to these changes, and developers may need to consider alternative solutions.

Bun Runtime Essentials: The Fastest JavaScript Server Environment: Bun Runtime Essentials: The Fastest JavaScript Server Environment

Bun Runtime Essentials: The Fastest JavaScript Server Environment: Bun Runtime Essentials: The Fastest JavaScript Server Environment

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background

Bun is an alternative JavaScript runtime that has gained attention for its performance and modern features, but recent developments, including its rewrite in Rust, have raised questions about its stability and future support. Previously, yt-dlp supported a broader range of Bun versions, but security concerns and compatibility challenges prompted this restriction. The change aligns with broader industry efforts to improve supply chain security amid increasing npm-related vulnerabilities.

“Support for Bun will be limited to versions 1.2.11 through 1.3.14, and support will be deprecated if maintaining it becomes too burdensome.”

— yt-dlp developers

“The rationale for the change is twofold: raising the minimum required Bun version due to security concerns and compatibility issues with the test suite.”

— source from hacker news

Deno Demystified: Build Secure JavaScript Servers: A beginner’s guide to Deno – the modern Node.js alternative – through real-world projects

Deno Demystified: Build Secure JavaScript Servers: A beginner’s guide to Deno – the modern Node.js alternative – through real-world projects

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

What Remains Unclear

It is not yet clear how many users rely on Bun within yt-dlp or how quickly support might be fully dropped if maintenance becomes too burdensome. The exact timeline for complete deprecation has not been specified, and future development of Bun remains uncertain following its rewrite in Rust.

Javascript: Guia do Programador

Javascript: Guia do Programador

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

What’s Next

Next steps include the release of yt-dlp updates that enforce the new version range for Bun support. Users are advised to verify their runtime environment and consider alternative JavaScript runtimes if necessary. Developers will monitor Bun’s development and security status to decide whether to continue support or fully deprecate it in future versions.

Bun Runtime Essentials: The Fastest JavaScript Server Environment: Bun Runtime Essentials: The Fastest JavaScript Server Environment

Bun Runtime Essentials: The Fastest JavaScript Server Environment: Bun Runtime Essentials: The Fastest JavaScript Server Environment

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

Why is yt-dlp limiting Bun support now?

Due to security vulnerabilities in older Bun versions and compatibility issues with recent releases, yt-dlp is restricting support to a specific version range to ensure stability and security.

Will Bun support be completely removed in the future?

The yt-dlp team reserves the right to fully deprecate Bun support if maintaining it becomes too burdensome or insecure, but no specific timeline has been provided. Learn more about Yt-dlp’s support changes.

What versions of Bun will still be supported?

Versions 1.2.11 through 1.3.14 will be supported in upcoming yt-dlp releases.

How does this affect users relying on Bun for scripting?

Users will need to ensure they are using supported Bun versions within the specified range or consider switching to alternative JavaScript runtimes to avoid compatibility issues.

Source: Hacker News

You May Also Like

Pyodide 314.0: Python packages can now publish WebAssembly wheels to PyPI

Pyodide 314.0 now supports publishing Python packages as WebAssembly wheels to PyPI, streamlining package distribution for browser-based Python environments.

Outcome-First Decisions: Keep, Change, or Kill

A new decision framework helps organizations evaluate ongoing initiatives based on current outcomes, promoting effective pruning of projects.

RSVP-and-payment co-host tool for supper club hosts

A new co-host tool for RSVP and payment collection is being tested by independent supper club hosts to streamline private event management.

Thrymvault: A System Around Your Content

Thrymvault introduces a private, self-hosted platform that consolidates content creation, management, and collaboration into one interconnected system.