(github.com)

798 points bertman | 5 comments | 12 Nov 25 10:12 UTC | HN request time: 0s | source

Show context

djoldman ◴[12 Nov 25 12:54 UTC] No.45899558[source]▶

>>45898407 (OP) #

From

https://github.com/yt-dlp/yt-dlp/wiki/EJS

it looks like deno is recommended for these reasons:

> Notes

> * Code is run with restricted permissions (e.g, no file system or network access)

> * Supports downloading EJS script dependencies from npm (--remote-components ejs:npm).

replies(2): >>45900422 #>>45900960 #

arbll ◴[12 Nov 25 14:11 UTC] No.45900422[source]▶

>>45899558 #

It's fine for this project since google is probably not in the business of triggering exploits in yt-dlp users but please do not use deno sandboxing as a your main security measure to execute untrusted code. Runtime-level sandboxing is always very weak. Relying on OS-level sandboxing or VMs (firecracker & co) is the right way for this.

replies(3): >>45900665 #>>45903690 #>>45907042 #

1. baobabKoodaa ◴[12 Nov 25 18:17 UTC] No.45903690[source]▶

>>45900422 #

> It's fine for this project since google is probably not in the business of triggering exploits in yt-dlp

yt-dlp supports a huge list of websites other than youtube

replies(2): >>45905509 #>>45907797 #

2. blackhaj7 ◴[12 Nov 25 19:56 UTC] No.45905509[source]▶

>>45903690 (TP) #

Is there a full list? I struggled to find one

replies(2): >>45907205 #>>45907591 #

3. dcassett ◴[12 Nov 25 21:45 UTC] No.45907205[source]▶

>>45905509 #