It is impossible to review the entire rewritten codebase. There are just too many lines of code, 1 million lines to be exact [1].
There are countless reasons that this is a very bad thing for consumers of Bun. First and foremost you've instantly lost any and all assurance that it works the way it's supposed to. Every project has load-bearing bugs that may or may not still exist. Can you trust the core behavior is the same?
If the Bun maintainers are willing to completely replace their core product over the span of a week, how is anyone supposed to rely on it? What's preventing another rewrite in a few more weeks?
If you want to position your product as a dependency, it needs to be stable and reliable. Throwing away a million lines of code and replacing the entire product overnight is pretty much the polar opposite of stable and reliable.
It has nothing to do with AI rewriting the code, it's the reckless abandon and wild disregard for consumers that is the problem. It's literally a rug pull.
It’s all the same just different syntax. Which, by the way, is why it looks ugly to rust developers. The devs wanted the code to look familiar to them.
I do think they should have called this 2.0 though. Would not feel such a rush (1.3.14 has a few regressions, and no one really cares because there are lots of small rust fires now).
Overall, the bigger issue is that bun chases shiny objects. But never finishes. Just look at test stuff. Most of vistest, but not all. Most of jest, but not all. Most of pnpm, but not all. Now we have image stuff, so most of sharp, but not all. dev server? Most of vite, but you guessed it… not all. Long running process… mostly like node but with memory leaks (and a motivation for rust I’m sure).
When I saw them posting about the Image routines my heart sank. Another shiny object. Coincided with test bugs so I moved to vitest completely.
That reminds me of Chris Reigrut's story from https://thedailywtf.com/articles/Holiday_Smorgasbord
As lots of large and small companies have shown, test suites can only find what you test for. Vibe coded test suites can find?
With quite a peculiar set of supported formats different between operating systems.
What if there was some malicious code within the 1 million lines?
It does matter, that's why those people quit because it's such a shitshow, progress happens at a glacial pace, more and more defects and slowdowns keep being created even if they have a big QA department/teams and the users are probably trapped because the software is the only thing in town, the bosses are the ones that makes the purchase decisions, or the it comes attached to big and/or expensive machines and they can't just buy another one for another X years.
Large LLM-written code is called slop for a reason. It's hard to understand because oftentimes it does not follow human logic.
Not really. At some point the technical debt accumulates and the only option is to trash it all and start over.
The only party that profits here are the cloud token providers.
I feel this argument is not valid, especially for large code bases.
Documentation and code quality is what is important, not who wrote the code.
More importantly, it's not the same thing at all. All the code in windows (at least until recently) was written by humans, understood by humans and reviewed by humans. And that code has stood the test of time, proven its value and stability in the wild, on billions of systems. The fact that the current maintainers haven't needed to understand or replace the code is some indication of the code's quality.
Almost none of Bun's rust code has been even seen by a human, and it's only about two weeks old.
I'm somewhat willing to accept vibe-coded code if it's either absolutely non-critical, well reviewed, or maybe in the long term if it's proven itself. But not two week old code.
All of which was battle-tested on millions, if not billions, of devices over 40 years. The new Bun is effectively a different project than it was a month ago, with next to no prod use.
I have no problem having a dependency on a 40 year/billions of use software, I do have misgivings about a dependency on a project that has never been used in prod, and was only written last week.
It is far easier to understand some part of the various NT source code leaks than it is to understand Claude code leak
Well, they didn't really need to. A complete rewrite is effectively a different project. You may feel comfortable using a new project in prod, but most people are not.
Project A: used in production for 3 years - high trust.
Project B: Has yet to be used in production - low trust.
IDGAF about automated tests, let other users shake out the inevitable bugs that show up in prod and after a few years of stability, then we'll see.
To me, it's not about whether humans reviewed the code or not (they didn't), it's more about "here's this brand-new shiny codebase of ~1m Sloc, of which exactly zero lines has been used in prod".
10 engineers each reviewing 5,000 LoC a day for 20 days can do it.
And that is being highly conservative with the estimate. A good chunk of the the code is probably highly trivial boilerplate one can easily skim over in minutes.
Counterpoint: I look back at code I wrote a few years ago and just take it on faith that I knew what I was doing at some point. That's still better than never knowing, but it requires faith--faith in a human, vs. faith in an LLM.
In old days we chose between Turbo/Borland C, Quick C and GCC. We didn't think them same or trust blindly even if we didn't know how they worked.
The best developers hand optimized assembly for sub routines which they knew compilers were not good at, the rest of us sure didn't understand how any of it worked, but nonetheless felt the differences and chose with dollars and usage .
Or did we forget software inherently is opinionated
Unfortunately, his followers don't realize that something like a batteries-included runtime is a huge commitment to build on top of, and governance you can trust matters as much, if not more, than the lines of code.
The way this has been handled is just baffling. A Rust rewrite is supposed to be a freebie for hype, and even an AI rewrite could have been interesting if approached more scientifically and transparently... but instead the opposite of that happened.
if it works, it will keep working. they just don't want to support and maintain it and solve issues.
I think you cannot make this comparison because Rust version wasn’t in fact written by the Bun team. It wasn’t even read by them.
Yt-dlp devs made a good call. If Claude is good enough to rewrite millions of lines of Bun, it is good enough to maintain Bun fork of yt-dlp. And since Bun is part of Anthropic, they can afford it too.
To be clear, I'm not implying support for the merge. I am against this whole YOLO approach to engineering. Just curious how the switch is going since I haven't seen any news since the merge announcement.
(Hilarious in the way that's terribly sad, of course.)
And what are you referring to as "behavior"?
BUT.
"Ignore anything but actual problems" is a terrible stance to take generally for software and dependency selection. Incidents are fairly sparse, process is much easier to observe. So if you can find connections between process and incident possibility, that's a very reasonable heuristic. And it's easy to find examples of overaggressive LLM usage introducing problems into software.
> Due to foreseeable compatibility and security issues
Hmm, Zig bun crashes plenty.
I wish yt-dlp linked to detail on why there are foreseeable compatibility issues. Both projects have test suites, in an ideal world they would allow fast rewrites. Maybe they want to limit inflaming the situation, but if they have spotted some specific issues it would be good to see.
I hope Bun.rs is 1.4 or even 2.0 and not a minor release, with some alpha/beta releases.
But it's been available for a week. And so far, seems like crickets on actual data on any regressions. It's more "I just don't like this!" style grumbling.
It should be a major release indeed, and communicated as such, with full accountability of the migration beyond an “all tests pass”. A major tool should move slower, be tested longer, more thoroughly, since it’s used my millions.
It’s reminiscent of JavaScript world, where something is in beta for mere days (e.g. Expo’s short release cycle).
bun upgrade --canary
I still hope there is a beta release.
There really shouldn't be a reason for vibe coders to complain about any software decisions. Vibe coding a personal fork you better agree with should be a piece of cake. Isn't that part of the vibe code promise?
This is just the standard misguided entitlement people feel towards other people's projects supported by other people's time and effort. It's continually outrageous to me how people feel they can just volunteer other people's time and effort to support their own wants. The people who do the work are entitled to make their decisions and if you don't like it fork it yourself. This has been the way of this ecosystem since it started.
yt-dlp is surprisingly hackable as is.
It appears they mixed JS building into their python project, aiming to support multiple package managers which are executed from their python script.
This explains the otherwise non-sensical explanation about bun < v2 ignoring the lockfile: they use a separate lockfile for each package manager. They did not check in one for bun v1, which they claimed to support, consequently it is not using a lockfile.
That's not how JS packaging normally works. I would set up a separate folder for the JS project, and use one package manager to build the project, like anyone else does.
Publish the package to npm, or bundle the tarball with your python program.
I guess the permission model of the JS runtime could be another topic, but at least they would have their build fixed without worrying about Node dependency resolution and package managers in their Python code.
It's a big slushy of emotions that I understand (both positive and negative) but it makes it so hard to actually tells what problem someone actually has when they just use "vibe coding" as a general LLM usage slur.
I'm using LLMs to assist my development and I'm measurably (in all the ways we engineers could possibly care about) doing better work faster.
https://x.com/karpathy/status/1886192184808149383
In the case of this specific port, the port was done so fast that it is clear humans did not verify the soundness of the translation. It is not clear whether this manual verification will ever occur.
That being said, most software projects were already doing "vibe coding" by Dijkstra's standards long before AI showed up. Going on vibes and forgetting that correctness even exists ;)
Guaranteeing the correctness of complex code is difficult, but it will increasingly become non-optional as we now have a billion hackers in a data center.
---
Edit: "Bun's unreleased Rust port has 13,365 unsafe blocks"
I'm using LLMs to assist my development and I'm measurably (in all the ways we
engineers could possibly care about) doing better work faster.
Writing code is rarely the limiting factor in our work.
I agree the maintenance burden is probably being undervalued by developers in general, but there's just no way the work I do isn't faster. I just categorically couldn't have achieved the outputs I do now in the time windows I have. The software just wouldn't have existed in the world of 3 years ago and I did enough coding back then to say that with certainty.
I know it's anecdotal, but I have so much data from my own experiences and those of my peers that I know these new tools are here to stay. It also makes me believe that those studies are either flawed or out of date.
I'm not vibe-measuring my output ;)
I don't select my engineering tools because they give me a bad feeling - I select them because they do the thing I want them to. If Bun starts having more bugs and feeling like worse software, I'll stop using it. But I will base that on data -- not a feeling I have. Jarred has done a lot of impressive stuff with Bun, and it seems unlikely he would ship this rewrite if it didn't meet his quality bar - I am willing to see him out here.
On the flip side it's not on the yt-dlp authors to test Bun's new development process and see if it results in more segfaults, OOMs, security vulnerabilities, etc. In fact it would arguably be negligent to experiment on your users if you thought there was a reasonable probability of increased security vulnerabilities.
I think there's a good argument that the responsible thing to say would be "we aren't going to immediately support running our software on a new bun release cut from main right now".
It seems a bit unfortunate to me that they've apparently already intending to never support future releases instead of planning on re-evaluating in the future. On the other hand the yt-dlp developers definitely don't owe anyone anything.
I think your final comment gets at it. If they said "OK, I am skeptical, so we're going to pause on updating to see how this Rust thing plays out" -- that sounds like a reasonable engineering decision. Saying "because they vibe coded we are dropping support for Bun" sounds political.
The other side of this is that as far as I'm aware, Bun support in yt-dlp was always experimental. They mainly use Deno.
It's not a rewrite exactly. Nobody wrote anything. Not a single human has even seen, much less understood those 1m lines.
Also I don't think it's wrong to use an action as an input to judging engineering character. That could be read as judging yt-dlp or judging bun but in this case I mean it's reasonable to judge bun's developers.
IDK if i'd personally judge this action quite so badly though. It depends how they went about it and what they proffessed to get out of it.
I am very much against letting llms think and decide for you, but I don't think it's so wrong for an actual coder to employ automation.
But if they are acting like it's magic and everything will be so much better after the magic llm uses the magic safe language... yeah that definitely gets the side eye. Or no eye. Just no longer interested in or concerned with their output.
Since this is being offered as the next release version while still being new and stuffed with unsafe, looks like it's the latter. So I'm with yt-dlp in this case.
It doesn't matter if the new code happens to be ok or not, it's still a problem that they got there by hoping a black box does the right thing. A black box that that no one wrote and no one understands, not just themselves.
gcc is a black box to me, but I know that someone wrote it and understands it (or some people collectively understand all it's parts), and I know that any time I want, I can choose to understand any part of it, and satisfy myself that it is doing something both sane and deterministic.
So a developer choosing to use gcc when it's a black box to them does not reflect badly on them to me.
But no one can say that about any llm or ai. So yeah, a developer choosing to use them, depending on exactly how, may reflect badly on them.
The same was true for cheap off-shore gig coding by humans too. I have tried to use them myself in the past, hire out for small generic programming jobs using those web sites where you put up some escrow money and post a job and people bid for it, you choose one, they do it and get paid from the escrow. I only tried about 3 times for the same small job and every time I git ridiculously shit (but technically functional) results.
These were humans 15-20 years ago, no possibility of hidden ai usage like today, and it's essentially the same dynamic of just hoping some magic will get you something good for cheap, and accepting any result that appears good as good.
If someone said that that's how they made their product, I would decide that product is probably pretty crap inside and no way should I buy it or invest in it as a dependency if I have any choice.
And that's humans not ai. The problem isn't really the ai, it's the judgement to use an ai that way.
What are you talking about? There is no upstream rejecting contributions here. It's the original bun developers who vibe-ported it to rust and they absolutely could and did upstream their vibe coded changes because they are the upstream.
Project governance is very important on a project; the fact that Bun's authors bent the knee to their new owner shows where their priorities lie.
> Have you observed Bun have more segfaults, OOMs, etc, since the Rust rewrite? Have you noticed more security vulnerabilities? Have you seen more bugs?
I - them - are not going to sit around waiting for bugs to start crashing everything
> I don't select my engineering tools because they give me a bad feeling - I select them because they do the thing I want them to
Good thing that you don't run an open source project then, I would remove anyone's project from my dependencies who thinks like that.
Not caring about governance is how we end up with repeated supply chain attacks.
But this also isn't a fair comparison. The article doesn't say "let's wait 6 months", it says they are fully deprecating Bun. Those are two very different statements. I would have had no issue with the first.
And FWIW I think my viewpoint is the uncommon one. Look at all the responses to a previous thread about it [1] and see how many of them are negative. It's certainly a majority.
Can we at least try to be a bit more accurate and less hyperbolic?
I will continue to use Bun because the same people that made bun have made this decision. I trusted them one week ago. I have used bun for the past 2 years, and so have many others.
I'm not about to just assume they've become immature idiots yolo'ing stuff overnight. They're still the same people they were a week ago. Or two weeks ago.
Bun being replaced entirely with stochastically generated code is red flag (regardless of whether it was or not). But Bun was also acquired by a huge corporation, which has been classically a huge red flag. Both of these are plenty of reason for yt-dlp not to support Bun.
In either case, this seems like a niche use case. I've used yt-dlp for years and I've never used Bun with it. If Anthropic really wants their recent acquisition to be supported in yt-dlp, it can fork it and support it itself.
It is significantly easier to modify code that you personally wrote, or code that you have read and understood to fix an issue in previously. This is why the maintainers of a project change slowly over time and it takes a long time for new ones to get up to speed.
All of Bun has been rewritten by a tool. In a different language that maintainers may not be fully proficient in.
Even though the rewrite was done well, and even if we assume it's functionally equivalent to the old Zig code, there will still be future issues. And ALl of the maintainers are essentially now new hires who have never seen that code in their lives.
It's not "politics" to have an ounce of sense to foresee problems in such a project as a dependency.
When deciding to support a given thing, you have to make a determination as to whether it's worth the effort or not.
You don't simply ignore unknowns. That effectively means assigning the unknowns zero cost, which is unlikely to turn out to be true. Generally, the more unknowns, the higher the risk, and the higher the risk, the higher the estimated cost.
There are a lot of unknowns about vibe bun right now.
One effective strategy for dealing with unknowns is to turn them into knowns if you can. Here, that probably means waiting to see how vibe bun turns out.
If it turns out to be stable and highly compatible, at some point in the future, they can always pick up support then.
What happened to
> don't select my engineering tools because they give me a bad feeling
Who cares if you have a good feeling about this dude? There are obvious and clear conflicts of interest at play here. If you care at all about quality, you'll wait before adopting new releases until bugs get discovered/ironed out. Don't adopt based on some dude's reputation when that reputation was built under a very different incentive environment.
being reactive is fine if you can tolerate issues. otherwise, you need to be proactive -- don't wait for the train to hit you before you move off the tracks
So, great, if this dude wants to regress through the workforce to a level of engineering maturity I associate with a high school student, I don't wish to try to be the one to stop him. Doesn't mean I'm gonna follow him. It's possible to be smart enough to just not walk into the tarpit. He's going in, I'm not.
Bun made a snap decision to merge 1M lines of unreviewed code within a week, including code generated moments before the merge. AI or not, that forces downstream users to cope with total unpredictability. This process bears no resemblance to science or engineering.
All the QA work you're demanding of yt-dlp is work Bun should've done. Trying to flip that responsibility proves your argument isn't grounded in engineering principles. And you sure made your feelings known in your comments for someone who claims not to let emotions affect technical decisions.
yt-dlp made a sane technical decision to drop a high-risk dependency. Not only is the Bun code now unpredictable, but the maintainer is too. The maintainer called the rewrite "experimental," then merged it within a week. If direct statements can flip overnight without warning or explanation, it's no wonder downstream projects want out. Especially when yt-dlp already supports alternative JS runtimes.
With that in mind, is there anything that yt-dlp uses the Bun runtime for which it can not use the other supported runtimes for? Similarly, perhaps the yt-dlp maintainers shouldn't keep supporting Bun just because it gives them a good feeling when every runtime incurs a maintenance cost.
That said, as a developer I skim over so much bullshit simply based on "bad feelings". I don't have time to evaluate every potentially useful technology in terms of whether it does what I want it to do, and no one else does either. It's clear to me that Bun is in an experimental phase of development and I think that's a good enough reason to move on if your use case is not.
Seems reasonable to preemptively drop support and let someone else either suffer the fallout, or get proven wrong and just pick up support again. It's not for a lack of people motivated by IA. Unless the motivation is more "use my IA generated content" than "actually consume IA generated content", of course.
I'm glad some engineers realize that technology is inseparable from politics. It always has been. All evil came from engineers who beleived they were above politics. Selecting the tool which got the job done/made the number go up/paid a paycheck is how we got Facebook, Google, Palantir, crypto, AI, techno-fascism and neo-feudalism. None of it would've have happened without engineers blindly applying their knowledge to achieve "purely" technical results, while ignoring the social consequences. With the hindsight of the last 20 years, anyone who still advocates for an irresponsible adoption of technology should be considered automatically suspect
Among tools that meet a technical expectation—especially for (often) superfluous activities like downloading videos—I pick one that feels right and costs the right amount, and that's the one that wins. Free + works + usable is an unbeatable combination.
However, I'd argue their decision is related to a peer dependency than it is itself one about an engineering tool, which is an assessment of the risk surface and potential cost associated with doing so. I already wasn't using bun at all, but if they stopped supporting whichever runtime I do use, I can either adapt or stop using yt-dlp, which I won't because this isn't a technical thing worth wasting much time on. This mild, recent change to recently introduced peer dependency integration is largely inconsequential, and I support the call to not waste time providing extra support if it hypothetically became necessary.
The argument that you somehow cant unless you go through trouble of testing it is way more "politics" and way less "engineering".
...so you do use feelings in your calculation? To be clear, I have no problem with that and think there is some level of speculation you need to do when deciding what to rely on.
As a hypothetical, pretend that Bun added obfuscated binary blobs that get executed at build time. Well, your code still works and no effects show up at runtime. Are you going to keep using it or dump it based on the "feeling" that something isn't right?
But you do select your engineering tools on faith apparently.
Will you use untrustworthy dependencies in your project, which has users? I think, no.
I don't know, but I feel that this is the case with yt-dlp.
And this is absolutely engineering - care about quality and security of your software, which is used by thousands of people
I have a t-shirt signed by THE Jarred himself, how much are you willing to pay for it? Comes with a month of free Claude max subscription.
No healthy engineering team is going to do that. And I’d want to distance myself as far as I could from a project that behaves like that.
Regardless of the other aspects, this is a joke in any context I have been in since I started working in this field about 9 years ago.
Even as pure logic, you know they do what you want it to do only after you chose them. You can’t possibly be trying every option to the fullest capacity of your application.
You also converge on the “Jarred” aspect and the guy that made the decision in the title post has the opposite sentiment
Except "because we can" and the expectation that some kind of bug will be reduced and other metrics will not get worse
All Bun devs are happy to change programming language?
When their competition is already in rust and more mature
While using the LLM that is now paying their salaries. Kind of a conflict of interest
Even a major version upgrade is enough for me not to touch it for 6 months, let alone a full rewrite
Has Bun posted any analysis and shown the data?
Jarred promised a blog post just like he promised to not merge the slop branch.
Those bad feelings are often your years of experience trying to tell you something.
Your argument could go other way too. Why haven't they landed if they're so confident with the change?
I do, for example when I see constant behavior of lying, or negligence for security issues or not considering valid PRs and rewriting it to fit their paid plan and so on.
> I select them because they do the thing I want them to.
This is one of the dimensions when I pick the tools, I know Oracle produces nice products, but I don't want to get sued if I do something accidentally their lawyers dislike.
Even multiple people can not go through 1m lines of code for any kind of vulnerability in 7 days, let alone 'observe' more segfaults, OOMS, unsafe behavior, on who knows how many possible ways things can go wrong in this new condition.
Only guaranty is 99% tests passed, and the engineer who is paid by the same LLM company.
How in the world, any sane engineer would agree, this would be remotely a good idea to continue using this tool, for a chance that such a expensive change won't actually land in production?
> feeling like worse software
Politics ;)
and yet...
> If Bun starts having more bugs and feeling like worse software, I'll stop using it.
Is it not possible to judge that certain approach is more likely to bring unforseen controlable problems than another by analyzing how it works without assessing it's output? No "feeling" is needed
I see lots of ground for that claim.
You are 100% right. This is a decision made on VIBES and not evidence. The proof is here:
> Bun was recently rewritten in Rust using Claude, and its development seems to have taken a turn towards being fully vibe-coded. This is alarming and disappointing for a number of reasons, and frankly it seems like a future headache that we'd prefer to avoid.
They haven't tested it, they haven't found a single problem. They just don't like AI code and they're clearly saying "the fact that the project tested every line of code and it passes all tests doesn't matter to us. The fact that it's vide coded by people who literally make coding LLMs also doesn't matter."
Pure ego, no data.
So an OSS project now owes testing to hyperscalers? Lol!
primeagen's view
He may not be Don Knuth, Linus Torvalds, John Carmack or Fabrice Bellard. But he is definitely a serious programmer. That he livestreams doesn't make him less of a programmer.
It’s just someone quoting someone to help ground their position.
What if it was a journalist writing about a security vulnerability then a programmer quoting them, would that count then?
Which defeats the purpose of having it in rust.
Identifying where code is unsafe, is a qualitative improvement. Not guaranteed to be complete, but more complete than a language that does not focus on that concern. Moving forward, the benefits of Rust compound. The concern about AI is orthogonal to the concern about moving to Rust.
Now there are 2 versions[1] that can be instrumented, regardless of the misgivings about AI.
[1] Bun v1.3.14, released on May 13, 2026 (commit 0d9b296af) and current.
First they essentially wrote a translator that preserved the C idioms (so it wasn't idiomatic go) until they had byte for byte output.
Then they started changing code one by one to be more Go-based.
Bun is doing the same. Right now it is mostly a one for one translation of the zig code. Over time they'll make it more idiomatic Rust.
On one hand, it seems very scary to me, having most of your codebase unreviewed.
On the other hand, it passes their tests with few regressions from what I heard.
Maybe it's just because I don't have enough experience there, but I wouldn't trust my tests to this degree and completely rely on them without reading the code.
depending on the environment of choice, these runtimes are only used to bypass certain blockers. it is not that deep.
The test suites passed so it's all good.
In the post the maintainer says that an older version of bun "results in the ejs lockfile being ignored".
The reason is that they never committed the necessary lockfile despite listing "support" for that bun version.
They have separate lockfiles for other package manager versions: bun.lock, deno.lock, package-lock.json, pnpm-lock.yaml.
This part of the comment is also interesting: "which is a significant security concern for users when considering all of the recent npm supply chain attacks".
If you would set up a proper build for the JS artifact instead of committing four lockfiles to your repository, users would not be as exposed to npm supply chain attacks.
And to be honest bun's zig codebase (especially in the early days) was neither "clean" nor "idiomatic" but the tool worked and people used it.
You trust for someones expertice.
It’s not the same obviously, but here’s why I can’t help but view it analogously:
The only truth in software is whether it works or not for whatever your use case is. Even before AI, we couldn’t have known if the author of a piece of software was proceeding with rigor or just trying random stuff until it seemed to work.
In other words, we didn’t judge someone’s software by inspecting their methodology or what tools they used. Heck, we often ended up using software that had no test suite or where the test suite was junk! And so many of us who are fans of memory safety use tools written in C, and vice versa (I’m no Rust fan but I use plenty of tools written in Rust).
So yeah, the logic that goes, “I won’t use your stuff because I don’t approve of your use of AI” is about as believable to me as if you stopped using something because you didn’t like the authors choice of editor
That's wild. You should read it as being nowhere in the same ballpark nor adjacent ballparks as that.
So let's say they up the ante and set up a cron job to rewrite the entire codebase in a new language on the first Monday of every month: from Rust to C++ to Go to Swift and back again.
For customers using the product, that's basically the same as a maintainer switching editors? Irrelevant detail?
I don't think many would say the same for LLMs.
Maybe vibe bun is just as good or better than old bun, but how would we know at this point?
> ...we couldn’t have known if the author of a piece of software was proceeding with rigor...we didn’t judge someone’s software by inspecting their methodology...
That's not true. First, some people do directly check whether a project has a level of rigor they are comfortable with before adopting it (or when deciding whether to continue using it). I personally do it, where it matters. Many more use reputation signals, which, while certainly not perfect, correlate, may be good enough, and are a lot easier than direct, manual reviews.
By considering objective facts like efficiency, performance, error rates, security vulns etc. like we always do?
Deno and Bun have decent Node compatibility, so couldn't Node APIs be used as the generic runtime interface?
--js-runtimes [deno|node|bun|quickjs]Obviously the JS build should happen outside of Python and use one package manager instead of attempting to support them all.
To be fair, I'm not quite sure why it would prefer either Deno or Bun when it's far more likely that a user has Node on their system.
Read the "Notes" sections for details.
I don't use Bun, but we (and many others) depend heavily on numpy. It's been around for decades and heavily battle tested. If someone came out with a new version of numpy vibe-code rewritten in a week, with assurances that "all tests pass", do you think we would adopt it? Absolutely not. We would have no confidence that there aren't some latent bugs or that we can fully trust the results.
It has nothing to do with AI having rewritten it, it has to do with being battle tested over time. If a team of humans had rewritten it in a week, I wouldn't trust or use it either. Maybe after a year of it being widely adopted. Not before.
Bun’s source code rewrite from Zig to Rust was executed primarily through AI-assisted development using Anthropic’s Claude agents, specifically within a branch named claude/phase-a-port. The project creator, Jarred Sumner, merged the massive pull request (PR #30412) on May 14, 2026, which involved over 1 million lines of code added and 6,755 commits completed in roughly one week.
"Well, why don't you install and only then resolve issues if you have those difficulties?" most comments here are asking, in effect
Cause you're sane, that's why!
Same here. yt-dlp does not owe it to anyone to beta test things. Maybe this bun rewrite will be the best thing since sex, and maybe it won't be. Not wanting to alpha test someone else's shit is sane. And the bugs (if any) would go to yt-dlp, forcing them to debug someone else's alpha software. This is a sane response.
There's the "what it achieves" today; software x works as intended as of right now.
And then there's "what it achieves" long term.
Those with significant experience with sprawling, LLM-generated, codebases, often built by those who don't understand the code produced, can attest to things being good today, unworkable tomorrow.
While this isn't true across the board, and my own experience should be considered anecdotal at best, those who consider "what it achieves" to also include long term viability as a success metric, are skeptical of these types of changes.
Personally, success for dependencies isn't just "does it work today" but "can I trust it to work long term."
I don't use Bun. I don't care about Bun. But my opinion is that how code is produced will have some effect on what it achieves, if the goalpost includes more than "it works today."
And yet none have offered to volunteer their time to maintain a downstream fork or otherwise rectify the perceived problem.
Strange.
Technical debt was a reality before vibe coding. Someone was writing all that trash by hand.
> Someone was writing all that trash by hand.
And reading code written by AI isn't the same as reading code written by a real expert person.
There still exists the difference of quality of the written code and people who use AIs are lazy enough to accept code with vulnerabilities - see https://news.ycombinator.com/item?id=45034496
Zig bad, rust good
You bad, ai good
and then some random posts in between that try to create some hot takes for upvotes. What is the internet at this point?
https://jxself.org/shifting-the-trap.shtml
You can run a BF and, soon, subleq.
What a nonsense generalization.
In this case, the speculation ostensibly is that in future, there will be a release version of Bun that has is buggier or otherwise lower quality than the current stable version.
There's literally no basis for believing that. The actual basis is "I don't like how they're approaching the development of their next version."
If that's a valid basis for "dependency management", then using a Ouija board would be just as valid.
I disagree. It seems to be an emotional reaction borne of ignorance and uncharitable assumptions. There's no "reason" involved.
I don't know any bad stories about ai-translated apps. Partially because it's a relatively new trend, but also because a big amount of usual vibe code fail modes are not applicable here.
There's something really satisfying about a go binary with minimal dependencies running in a busybox docker container.
Most complexity is unnecessary. Adding dependencies to your project exponentially increases your project's surface area, which in turn increases its regulatory/cybersecurity burden, especially if your software is a medical device, munition, etc. Why is Echo/Gin/Gorilla/etc better/more secure than vanilla Go's mux? Just anecdotal, but we use the Echo web framework for Go and it's caused nothing but headaches. It does magical XML parsing by default even though we don't deal with XML which gets us flagged in pen tests. Updating from v4 to v5 broke production for us because they made an undocumented server config change that makes all requests have a 30 second timeout. Meanwhile vanilla go has the ability to register routes and middlewares, so what value is Echo bringing to the table? Ditto for lots of other unnecessary dependencies. A lot of times we just need one little thing out of the whole package, and in those cases a little copying (or a little AI generation) is better than a little dependency.
A static go binary with minimal dependencies running in a busybox container has a tiny CVE footprint when run through grype/snyk, etc. Do the same for a NodeJS app with zillions of dependencies running in an ubuntu container and you'll spend all day triaging CVEs.
I'm not saying "roll your own crypto" but I am saying "axios-like packages don't make sense to use any more in a world where AI+vanilla accomplishes the same thing"
Go binaries are immensely satisfying, but I don't follow your logic here. The vast vast majority of dependencies in Go do not depend on the outside world, so the binary would remain self-contained whether it has 1 or 100 dependencies, no?
The "self contained" part is only important in that it lets you use busybox or "from scratch" as your container runtime environment which has a very tiny cybersecurity surface area compared to, say, ubuntu or even alpine which has a bunch of system libraries your go binary isn't using, but which could still get flagged for having vulnerabilities.
Minimizing dependencies of the go binary is a separate, but equally important task that reduces the cybersecurity surface area of your go binary itself to just "the go standard library" instead of "go stdlib + a dozen github packages"
Whenever I am working with a NodeJS project I pity the fool who has to do SCA because the CVE surface area is enormous compared to go, which has a fairly batteries-included stdlib
I'm quite liking how good Claude Code Opus is at Rust + sqlx (raw SQL with type safety) + actix-web.