798 points bertman | 15 comments
1. djoldman ◴[] No.45899558[source]
From

https://github.com/yt-dlp/yt-dlp/wiki/EJS

it looks like deno is recommended for these reasons:

> Notes

> * Code is run with restricted permissions (e.g, no file system or network access)

> * Supports downloading EJS script dependencies from npm (--remote-components ejs:npm).

replies(2): >>45900422 #>>45900960 #
2. arbll ◴[] No.45900422[source]
It's fine for this project since google is probably not in the business of triggering exploits in yt-dlp users, but please do not use deno sandboxing as your main security measure to execute untrusted code. Runtime-level sandboxing is always very weak. Relying on OS-level sandboxing or VMs (firecracker & co) is the right way for this.
replies(3): >>45900665 #>>45903690 #>>45907042 #
3. jrochkind1 ◴[] No.45900665[source]
I wonder if it would be legal if they did, as an anti-circumvention counter-measure.
4. jbreckmckye ◴[] No.45900960[source]
For a long time, yt-dlp worked completely with Python. They implemented a lightweight JavaScript interpreter that could run basic scripts. But as the runtime requirements became more sophisticated, it struggled to scale.
5. baobabKoodaa ◴[] No.45903690[source]
> It's fine for this project since google is probably not in the business of triggering exploits in yt-dlp

yt-dlp supports a huge list of websites other than youtube

replies(2): >>45905509 #>>45907797 #
6. blackhaj7 ◴[] No.45905509{3}[source]
Is there a full list? I struggled to find one
replies(2): >>45907205 #>>45907591 #
7. zahlman ◴[] No.45907042[source]
> Runtime-level sandboxing is always very weak. Relying on OS-level sandboxing or VMs (firecracker & co) is the right way for this.

... Isn't the web browser's sandboxing runtime-level?

replies(2): >>45907339 #>>45907618 #
8. dcassett ◴[] No.45907205{4}[source]
https://github.com/yt-dlp/yt-dlp/blob/2025.09.23/supportedsi...
9. franga2000 ◴[] No.45907339{3}[source]
Yes, and it's only reasonably secure because of years of exploits being found and fixed by some of the best (and very well-funded) software security engineers out there.
replies(2): >>45907609 #>>45907635 #
10. NoahZuniga ◴[] No.45907591{4}[source]
There's a supportedsites.md file in the base directory of the git repo.
11. NoahZuniga ◴[] No.45907609{4}[source]
Great news! Deno uses the same runtime as chrome, so you benefit from all those found exploits.
replies(1): >>45907707 #
12. arbll ◴[] No.45907618{3}[source]
It used to be 100% runtime-level and it was the golden age of browser exploits. Each of your tabs is now a separate process that the OS sandboxes. They can only access a specific API over IPC for anything that goes beyond js/rendering (cookie management, etc...). An exploit in V8 today only gives access to this API. A second exploit is needed in this API to escape the sandbox and do anything meaningful on the target system.
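The layering described above (an OS-enforced limit underneath the runtime, plus a narrow broker API over IPC), as an added example that is not part of any comment and not code from Chrome, Deno or yt-dlp. It assumes Linux or another POSIX system, uses `RLIMIT_NOFILE` as a minimal stand-in for a full OS sandbox, and the `get_cookie` and `read_file` operation names are hypothetical:

```python
import errno, json, os, resource, socket

ALLOWED_OPS = {"get_cookie"}  # hypothetical broker API, deliberately tiny

def untrusted(req_w, rep_r):
    """Stand-in for code that has already escaped the language runtime."""
    results = {}
    attempts = {"open": lambda: os.open("/etc/passwd", os.O_RDONLY),
                "socket": lambda: socket.socket()}
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "allowed"
        except OSError as e:  # the kernel, not the runtime, refuses
            results[name] = errno.errorcode.get(e.errno, str(e.errno))
    for op in ("get_cookie", "read_file"):  # only path left: ask the broker
        os.write(req_w, (json.dumps({"op": op}) + "\n").encode())
        results[op] = json.loads(os.read(rep_r, 4096))["status"]
    os.write(req_w, (json.dumps({"done": results}) + "\n").encode())

def run_sandboxed():
    req_r, req_w = os.pipe()  # child -> broker requests
    rep_r, rep_w = os.pipe()  # broker -> child replies
    pid = os.fork()
    if pid == 0:
        try:
            os.close(req_r)
            os.close(rep_w)
            # No new file descriptors from here on: open(), socket(), pipe() fail.
            resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))
            untrusted(req_w, rep_r)
        finally:
            os._exit(0)
    os.close(req_w)
    os.close(rep_r)
    results = None
    with os.fdopen(req_r) as requests:
        for line in requests:
            msg = json.loads(line)
            if "done" in msg:
                results = msg["done"]
                break
            status = "ok" if msg.get("op") in ALLOWED_OPS else "denied"
            os.write(rep_w, json.dumps({"status": status}).encode())
    os.close(rep_w)
    os.waitpid(pid, 0)
    return results

if __name__ == "__main__":
    print(run_sandboxed())
```

The rlimit only blocks new descriptors; it does nothing about descriptors the child already holds, which is why the child closes the broker's pipe ends before applying it. A production sandbox layers seccomp filters, namespaces or a VM on top of this idea.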
13. arbll ◴[] No.45907635{4}[source]
That's not true. It's secure because they are stacking OS-sandboxing on top, forcing attackers to find a chain of exploits instead of a single issue in V8.
14. arbll ◴[] No.45907707{5}[source]
While you benefit from the V8 fixes, it lacks OS-level sandboxing (see above). Chrome is safe because it stacks security layers. Runtime sandboxing is just one of them and arguably the weakest one.
15. arbll ◴[] No.45907797{3}[source]
I assumed they only use this setup for youtube; that might be wrong.