yt-dlp deprecates Bun support, limits to versions 1.2.11-1.3.14 over security concerns
By tamnd · 9d ago · 2 min read
Summary
yt-dlp is deprecating and limiting support for Bun as a JavaScript runtime due to compatibility and security concerns. Starting with the next release, only Bun versions 1.2.11 through 1.3.14 will be supported. The minimum version is raised from 1.0.31 to 1.2.11 because earlier versions ignore the ejs lockfile, creating security risks amid rising npm supply chain attacks.
Key quotes
Due to foreseeable compatibility and security issues, yt-dlp's support for Bun as an ejs-compatible JavaScript runtime is being both limited and deprecated.
The minimum required version is being raised from 1.0.31 to 1.2.11 because building the ejs package with a version earlier than 1.2.0 results in the ejs lockfile being ignored, which is a significant security concern for users when considering all of the recent npm supply chain attacks.
Due to foreseeable compatibility and security issues, yt-dlp's support for Bun as an ejs-compatible JavaScript runtime is being both limited and deprecated. As of the next yt-dlp and/or ejs release...
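A pre-flight check for the version window described above, as an added example that is not yt-dlp's or ejs's own code: it classifies a Bun version against the three thresholds quoted on this page (1.2.0, 1.2.11, 1.3.14). The function names and result labels are hypothetical, and treating a pre-release suffix as its base version is an assumption.

```shell
#!/bin/sh
# Added example (not project code). Thresholds are the ones quoted on this page.
LOCKFILE_HONORED="1.2.0"   # builds with earlier versions ignore the ejs lockfile
MIN_SUPPORTED="1.2.11"
MAX_SUPPORTED="1.3.14"

# is_ver: accept only dotted decimal strings such as 1.2.11
is_ver() { case "$1" in ''|*[!0-9.]*|.*|*..*|*.) return 1 ;; esac; }

# ver_cmp A B: prints -1, 0 or 1; returns 2 if either side is not a version.
ver_cmp() {
    a=${1%%[-+]*}; b=${2%%[-+]*}      # assumption: ignore pre-release/build suffix
    is_ver "$a" && is_ver "$b" || return 2
    a="$a.0.0"; b="$b.0.0"            # pad so fields 1..3 always exist
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && { echo -1; return 0; }
        [ "$x" -gt "$y" ] && { echo 1; return 0; }
    done
    echo 0
}

# classify_bun VERSION: prints one of
#   lockfile-ignored | below-minimum | supported | above-maximum | unparseable
classify_bun() {
    c_lock=$(ver_cmp "$1" "$LOCKFILE_HONORED") || { echo "unparseable"; return 0; }
    c_min=$(ver_cmp "$1" "$MIN_SUPPORTED")
    c_max=$(ver_cmp "$1" "$MAX_SUPPORTED")
    if   [ "$c_lock" -lt 0 ]; then echo "lockfile-ignored"
    elif [ "$c_min"  -lt 0 ]; then echo "below-minimum"
    elif [ "$c_max"  -gt 0 ]; then echo "above-maximum"
    else echo "supported"
    fi
}

# Report on the locally installed Bun, if there is one.
if command -v bun >/dev/null 2>&1; then
    printf 'bun %s: %s\n' "$(bun --version)" "$(classify_bun "$(bun --version)")"
fi
```

A result of lockfile-ignored is the case the announcement singles out as the security concern; anything other than supported falls outside the range yt-dlp says it will accept.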
