yt-dlp is narrowing and deprecating its Bun support for the ejs JavaScript runtime. Starting with the next release, only Bun versions 1.2.11 through 1.3.14 will remain supported. The project raised its minimum version from 1.0.31 to 1.2.11 because older Bun builds cause the ejs lockfile to be ignored, creating security risks amid recent npm supply chain attacks.

A second reason drove the change. Bun was recently rewritten in Rust using Claude, and its development appears to have shifted toward being fully vibe-coded. The yt-dlp maintainers called this alarming and a future headache they prefer to avoid. They set a support ceiling at version 1.3.14, the last release built from the original zig codebase.

Support will remain for this narrow version range as long as it meets yt-dlp and ejs needs. The maintainers reserve the right to drop Bun entirely if maintenance becomes too burdensome. The EJS wiki has not yet been updated to reflect these changes.