Deno 2.8 Lands as Bun Gets Deprecated by yt-dlp: The JavaScript Runtime Field Is Reshuffling

On May 22, 2026, Deno 2.8 shipped with Node.js compatibility at 76.4%, up from 42% in Deno 2.7.² The same month, yt-dlp maintainers announced they are capping Bun runtime support at versions 1.2.11 through 1.3.14 and deprecating it going forward.¹

yt-dlp deprecates Bun support

In a GitHub issue posted May 2026, yt-dlp maintainers announced they are capping Bun support at versions 1.2.11 through 1.3.14, effectively deprecating the runtime going forward.¹ The rationale has two components. First, Bun versions below 1.2.0 ignore the ejs lockfile during package builds, which the maintainers flagged as a security risk in light of recent npm supply-chain attacks. Second, and more editorially, they characterized Bun’s recent rewrite in Rust as “fully vibe-coded,” calling the shift “alarming and disappointing” and capping support at 1.3.14 because it is “the last release built from the original zig codebase.”

The security concern is concrete: if a runtime silently skips lockfile resolution, it opens the door to dependency substitution attacks that the lockfile was specifically designed to prevent. The “vibe-coded” criticism is subjective and reflects maintainer frustration, not a verifiable technical claim about Bun’s engineering process. Both are worth separating.

yt-dlp is a widely-used download tool. When a project with that level of adoption publicly walls off a runtime, it does two things: it reduces the runtime’s real-world test surface, and it signals to other maintainers that the cost of multi-runtime support can be shed without catastrophic blowback.

Deno 2.8 by the numbers

Deno 2.8 shipped May 22, 2026, with a substantial Node.js compatibility leap: from 42% in Deno 2.7 to 76.4%², meaning 3,405 of 4,457 tests in Node’s own test suite now pass.² That figure puts Deno ahead of Bun 1.3.14, which scored 40.6% on the same benchmark², according to the ByteIota analysis.

Performance numbers moved too. Cold npm installs are 3.66x faster (906ms versus 3,319ms in the prior release).² The node:http module throughput improved 2.21x, from 8,339 req/s to 18,431 req/s.² Delta upgrades now shrink download sizes by 87-93%², which matters for CI runners on constrained bandwidth. Over 500 commits landed across nearly every node: module.²

The compat race

Node.js compatibility has been the gatekeeper for alternative runtimes since the beginning. Projects don’t adopt a new runtime because it’s fast; they adopt it because their existing code runs on it without modification. Deno’s jump from 42% to 76.4%² in a single release is aggressive, and it changes the practical question teams ask during evaluation. Six months ago, the question was whether Deno could run your Node code at all. Now it’s whether the remaining 23.6%² of failing tests cover anything your project depends on.

Deno was created by Ryan Dahl³, who also created Node.js, after he publicly listed his regrets about Node’s design at JSConf EU 2018. That lineage gives Deno a specific kind of credibility on Node compat: the person building the compatibility layer is the person who built the original system. Whether that translates to faster convergence on the remaining gap is speculative, but the trajectory is measurable.

What the Bun rejection signals

The yt-dlp deprecation is a single data point, but it illustrates a structural problem for any runtime competing on speed and ergonomics while lagging on compatibility. Downstream maintainers don’t benchmark runtimes for fun. They support multiple runtimes because users file issues when things break. Each runtime-specific workaround is a maintenance tax paid in perpetuity.

Bun’s selling point has been raw speed: fast startup, fast installs, fast test runs. Those claims are real in microbenchmarks. But yt-dlp’s maintainers are telling a different story: the speed stopped compensating for the breakage. The lockfile-ignoring behavior below 1.2.0 was a security defect, and the upstream response was apparently slow enough or incomplete enough that capping support became the lower-effort path.

The broader signal: OSS maintainers are calculating the return on investment for multi-runtime support and, in at least one prominent case, concluding it’s negative. If that calculation spreads, runtimes that don’t maintain backward compatibility face a shrinking pool of downstream testers, which makes compatibility worse, which accelerates the exodus. It’s a feedback loop.

New Deno 2.8 CLI tools and breaking changes

Beyond compatibility and performance, Deno 2.8 adds six new CLI subcommands that move it closer to a full replacement for Node-based toolchains:

• deno audit fix, automated dependency vulnerability patching
• deno ci, a dedicated CI command (similar in intent to npm ci)
• deno pack, packaging and bundling
• deno why, dependency resolution tracing (the equivalent of npm ls with better graph output)
• deno bump-version, version bumping integrated into the runtime

Deno 2.8 also ships breaking changes; see the official release notes for details.

What this means for teams choosing a runtime

The practical takeaway is straightforward. If you’re running a three-runtime CI matrix (Node, Deno, Bun), the maintenance cost of the Bun column just went up: yt-dlp’s deprecation means fewer downstream projects are testing against Bun, which means regressions are less likely to be caught before they reach you.

Deno’s 76.4%² Node compat figure doesn’t mean you can drop Node tomorrow. It means the migration path from Node to Deno is now short enough that you can evaluate it project-by-project rather than ecosystem-wide. For new projects, Deno’s permission model, built-in TypeScript support, and now-largely-compatible Node API surface make it a credible default in a way it wasn’t six months ago.

Bun isn’t dead. Speed still matters, and Bun’s startup and install times remain competitive. But speed without compatibility is a demo, not a production runtime. The yt-dlp deprecation is a reminder that the downstream ecosystem gets a vote, and right now that vote is moving toward the runtime that ships fewer surprises, even if it’s not the fastest one on the benchmark.

Frequently Asked Questions

What specific breaking changes did Deno 2.8 introduce?

setTimeout and setInterval now return Node-style Timeout objects rather than plain numbers, which breaks any code that treats their return values as numeric IDs. Test sanitizers (resource leak and async-op detectors) also now default to false, so previously failing tests may silently pass unless sanitizer flags are explicitly re-enabled.

How does Deno’s underlying architecture differ from Node’s?

Deno is built on V8, Rust, and the Tokio async runtime, versus Node’s V8-plus-C++-plus-libuv stack. The Rust foundation provides memory-safe native bindings and enables Deno’s sandboxed permission model, where file-system, network, and environment access must be explicitly granted at invocation. Node has no equivalent permission-gating mechanism.

Can a project using Bun-specific APIs like Bun.spawn or Bun.file migrate to Deno?

No direct migration path exists. Bun’s proprietary APIs (Bun.spawn, Bun.file, Bun.serve) have no Deno or Node equivalents, so teams would need to rewrite those call sites against Deno’s own APIs or Node-compatible alternatives. The yt-dlp deprecation covers runtime execution compatibility, not API-level parity.

How does Deno 2.8’s TypeScript handling compare to Node and Bun?

Deno 2.8 ships TypeScript 6.0.3 built into the runtime with no external transpiler needed. Bun also supports TypeScript natively, while Node requires either the experimental —strip-types flag or a separate compilation step. The practical difference: Deno compiles TypeScript as a first-class runtime feature rather than stripping types at load time.