yt-dlp deprecates Bun support, citing lockfile bug and Rust rewrite concerns

The yt-dlp project is narrowing and deprecating support for Bun as a JavaScript runtime for its ejs companion package. Going forward, only Bun versions 1.2.11 through 1.3.14 will be supported. The lower bound exists because earlier versions silently ignored the ejs lockfile when building the package — a meaningful exposure in light of the recent wave of npm supply chain attacks — and because the ejs test suite refuses to run on anything older than 1.2.11.

The upper bound is more pointed. The maintainers note that Bun was recently rewritten from Zig into Rust with heavy use of Claude, and they characterize the project’s trajectory as drifting toward ‘vibe-coded’ development. Version 1.3.14 is the final release built from the original Zig codebase, and the team is unwilling to bet on the rewritten runtime’s stability or security posture.

Support is also formally deprecated, meaning the maintainers reserve the option to drop Bun entirely if maintenance burden grows. The move is a notable vote of no-confidence in an AI-assisted rewrite of a widely-used runtime, and it reframes supply chain risk to include the provenance and engineering discipline behind the tooling itself.