yt-dlp announces limited and deprecated Bun support
Original: Bun support is now limited and deprecated
Why This Matters
Shows growing security focus in open source tools amid supply chain threats
The yt-dlp project announced it is limiting and deprecating support for Bun JavaScript runtime. Only Bun versions 1.2.11 through 1.3.14 will be supported due to compatibility and security concerns with the ejs package.
The yt-dlp maintainers announced significant changes to Bun support due to compatibility and security issues. The minimum required Bun version is being raised from 1.0.31 to 1.2.11 because earlier versions cause the ejs package lockfile to be ignored during builds, creating security risks amid recent npm supply chain attacks. Support is capped at version 1.3.14. The changes will take effect with the next yt-dlp and/or ejs release. The decision reflects growing concerns about JavaScript runtime security in open source tools that process external content.