Yt-Dlp: Upcoming New Requirements for Youtube Downloads
Source: github.com
The yt-dlp project is moving to use Deno runtime to execute YouTube's JavaScript code, sparking discussion about YouTube's efforts to restrict video downloading and the implications for open-source projects.
Snapshot generated from the HN discussion
Key moments
- Story posted: Sep 24, 2025 at 7:41 AM EDT
- First comment: Sep 24, 2025 at 8:47 AM EDT (1h after posting)
- Peak activity: 142 comments in Day 1
- Latest activity: Oct 6, 2025 at 12:54 PM EDT
ID: 45358980 | Type: story | Last synced: 11/27/2025, 3:36:14 PM
https://wiki.archiveteam.org/index.php/YouTube/Technical_det...
Is it just a lot of CPU-bound code and the modern JIT runtimes are simply that much faster, or is it doing some trickery that deno optimizes well?
> Currently, a new style of player JS is beginning to be sent where the challenge code is no longer modular but is hooked into other code throughout the player JS.
So it's no longer a standalone script that can be interpreted but it depends on all the other code on the site? Which could still be interpreted maybe but is a lot more complex and might need DOM etc?
Just guessing here, if anyone knows the details would love to hear more.
I mean, running some unknown highly obfuscated CPU-demanding JS code on your machine - and using its results to decide whether to permit or deny video downloads.
The enshittification will continue until user morale improves.
It's their application, yt-dlp can use whatever it wants. But they made their choices for stylistic/aesthetic reasons.
Scripts use V8 isolation, identical to Chrome. As for the rest, we can only trust or review it ourselves, but it is certainly better than nothing in this context.
But the usage of V8 means that Deno must explicitly provide the access (for V8) for networking and filesystem - the foundations for sandboxing are there.
It being a checkbox feature is a weird way to frame it too, because that typically implies you’re just adding a feature to match your competitors, but their main competitors don’t have that feature.
In what ways does it fall short? If there are major gaps, I’d like to know because I’ve been relying on it (for personal projects only myself, but I’ve recommended it to others for commercial projects).
Trusting Deno's sandboxing by itself isn't a great idea. An attacker only has to wait for the next V8 exploit to drop, probably a question of a few months at worst.
Now like I mentioned above it's probably ok in yt-dlp context, Google isn't going to target it with an exploit. It's still important that folks reading this don't take away "deno sandbox safe" and use it the next time they need to run user-supplied JS.
To me this is a bit alarming as IIRC most app runtime libraries that also have this in-runtime-only sandboxing approach are moving away from that idea precisely because it is not resistant to attackers exploiting vulnerabilities in the runtime itself, pushing platform developers instead toward process-level system kernel-enforced sandboxing (Docker containers or other Linux cgroups, Windows AppContainer, macOS sandboxing, etc.).
So for example, .NET dropped its Code Access Security and AppDomain features in recent versions, and Java has now done the same with its SecurityManager. Perl still has taint mode but I wonder if it too will eventually go away.
[1] https://docs.deno.com/runtime/fundamentals/security/
This plus what you mentioned is why I would never trust it to run arbitrary code.
Now in the context of yt-dlp it might be fine, google isn't going to target them with exploits. I would still prefer if they didn't continue to propagate "DeNo iS SaFe BeCauSe It HaS sAnDbOxInG" because I've seen projects that were actually executing arbitrary JS rely on it thinking it was safe.
You're welcome
Maybe, for watching a "recommended" stream without any subscriptions there are alternatives (which? I cannot name good ones, anyway), but if you watch your subscription you are bound to the platform which contains this subscription. And no, content creators are not interchangeable.
Awaiting their “premium cannot be shared with people outside household” policy so I can finally cancel. Family members make good use of ad-free.
I was also a holdover from a paying Play Music subscriber, and this was shortly after the pita music switchover to youtube, so it was a last straw.
When they recently insisted by email I download any videos before they sunset the feature, their option only gave me the SD version (and it took a while to perform the data export).
While it doesn’t totally remove it, it lets me choose if I want to watch or not, and gets me past it in a single button press. All using the native app. I was surprised the first time this happened. I assume the creators hate it.
We still need competition in the browser space or Google gets to have a disproportionate say in how the Internet is structured. I promise you, Firefox and Safari aren't that bad. Maybe Firefox is a little different but I doubt it's meaningfully different for most people [0]. So at least get your non techie family and friends onto them and install an ad blocker while you're at it.
[0] the fact that you're an individual may mean you're not like most people. You being different doesn't invalidate the claim.
https://data.firefox.com/dashboard/user-activity
https://brave.com/transparency/
The point is that if everyone is using a single browser (not just Chrome/Chromium) then that actor gets disproportionate control over the internet. That's not good for anyone.
The specific gripe to Chromium is that _Google_ gets that say, and I think they are less trustworthy than other actors. I'm not asking anyone to trust Mozilla, but anyone suggesting Mozilla is less trustworthy than Google probably has a bridge to sell you. Remember that being Chromium still means that Brave is reliant upon Google. That leads to things like this[0,1]. Remember, the chromium source code is quite large, which is why things like [0] aren't so easily found. I also want to quote a quote from [0.1]
That wouldn't be the first time people have found Google preferencing their browser and it is pretty known this happens with YouTube. Do we really want ANY company having such control over the internet? Do we really want Google to? I'm not sure what you're trying to tell me here. That Brave has 64% of the number of users as Firefox? That Brave users really like Gemini, Coinbase, and Uphold? That Brave users are linking their Brave account to sites like Twitter, YouTube, Reddit, GitHub, Vimeo, and Twitch? That Brave Ads is tracking via the state level? Honestly I have more questions looking at the Brave "transparency" report, as it seems to have more information about users than Firefox...
If you're extra concerned about privacy and that's your reason for Brave, then may I suggest the Mullvad browser[2]? It is a fork of Firefox and they work with Tor to minimize tracking and fingerprinting. You get your security, privacy, and out from under the boot of Google.
[0] https://github.com/brave/brave-browser/issues/39660
[0.1] https://simonwillison.net/2024/Jul/9/hangout_servicesthunkjs...
[1] https://www.bleepingcomputer.com/news/google/google-to-kill-...
[2] https://mullvad.net/en/browser
I'm telling you that Firefox is going to be out of business soon because users favor ad blocking and blocking trackers. That is the trend. Firefox isn't growing anymore.
> Honestly I have more questions looking at the Brave "transparency" report, as it seems to have more information about users than Firefox...
Metrics can be transmitted without revealing the user. This is well known.
You can't suggest anything. I am done with this conversation.
Regardless, I think you've ignored the root of my argument. I'm not trying to be a Firefox fanboy here but it's not like there's many options. The playing field is Chrome, Firefox, Safari. So only one of these is not "big tech".
This is not well known and I think you've kinda "told on yourself" here. It is fairly well known in the privacy community that it is difficult to transmit user data without accidentally revealing other information. Here's a rather famous example[0,1]. I'd encourage you to read it and think carefully about how deanonymization might be possible after just reading a description of the datasets they deanonymize. If you wish to disengage then that is your choice. I am really trying to engage with you faithfully here. I'm not even really attacking Brave here, as my critique is over the Chromium ecosystem. I think if you look at my points again you can see how they would dramatically shift if Brave were based off of Gecko or Webkit. Honestly, I would be encouraging Brave usage were it under those umbrella. Or even better, if it had its own engine! Because my point is about monopolization.
[0] https://courses.csail.mit.edu/6.857/2018/project/Archie-Gers...
[1] https://arxiv.org/abs/cs/0610105
But I do think it is a far bigger problem that we let a single actor have so much control over the fundamental structure of the internet. The problem isn't Brave so much as it is Chromium. But criticizing Brave (and Opera, Edge, etc) is a consequence of this.
You must ask yourself which is the bigger concern?
I think the latter is far more damning and honestly is an upstream issue to the concern Brave is trying to address. That's why I say I would encourage Brave to move away from Chromium. I actually would encourage them to develop their own engine since I think 3 choices is far from sufficient, but I'll take a Gecko or WebKit version as a major victory.
But this is my opinion. There is no right answer here. It has to come down to you.
If you agree with me then I'd encourage you to look at Firefox. It is good by default and with a few easy to find options you can have strong privacy and installing uBlock is a trivial task. If you are more privacy conscious, I encourage you to look at the Mullvad Browser, which is a Firefox fork with strong privacy defaults (maintained by the Tor and Mullvad teams). If you want a WebKit then check out Orion. I use this on both my iPhone and iPad (my Macbook and linux desktop are still Firefox), as Orion allows add-ons, so you can get ad blocking on your phone (when I was on Android I just used Firefox mobile which supports extensions). If you really want to encourage a 4th player I believe LadyBird is the popular kid on the block, but I honestly don't know too much and last I knew it was not quite to a stable state.
You don't have to agree with me, but I just want to make people aware that they do have a say in the future. There's no solution that doesn't have drawbacks, but I think on a techie forum we should be able to have a more complex discussion and recognize that there are consequences to our choices. I think it is also important to recognize our choices multiply as we tend to be the ones who inform our non-techie peers. If you've ever installed software for a friend or family member, then realize how our choices multiply.
I'd also encourage you to promote more conversations among techie groups so we can hear the diverse set of opinions and concerns. It's a complex world and it is easy to miss something critical.
Reddit has the answer for you: https://www.reddit.com/r/browsers/comments/1j1pq7b/list_of_b...
We're both programmers so we both know we're talking about a one line regex...
I know quite a number of people like this and they're in high positions at big tech companies... doesn't take a genius to figure out why everything has such shitty user experiences and why all the software is so poorly written. No one even seems to care about the actual product they'll only correct you to tell you the product is the stock and the customer is the shareholder, not the user.
We fucked up...
So, after estimating the number of ping pong balls that fit on a 747, the thing to do is to go write the regexp and put that on your promo packet. Half a trillion dollars!
On my iPhone[0] calendar I imported my Microsoft (work) and Google (personal) calendars, also having the iPhone calendar. If we take last Labor day as an example, if I don't disable the Holiday calendars in Microsoft and Google, I have 3 entries for Labor Day. Holidays sit at the top of the day so if I'm on my phone I basically won't see any other events. If I'm on my macbook and my Calendar is using 60% of my vertical space I see "Labor Day +3 more". Full screen I can see 4 maybe 5 entries....
So I can save a large chunk of real estate by doing a simple fucking 1 line regex. At the same time I can effectively merge the calendars, so I get to see the holidays that are in one but not the others.
Effectively, I can ACTUALLY SEE WHAT I HAVE SCHEDULED FOR THE DAY[1]
This, of course, also affects other things. Sometimes Google will add an event because I got an email later. Fuck, now I have dupes... Same thing happens with birthdays... Or you can hit that fun bug where you have for some god damn reason duplicate contacts with the same name, phone number, and birthday, you get triplicate calendar entries and merging[2] and results in quadruple entries!
I have missed so many fucking things because I didn't see it on my calendar[3]. And someone has the audacity to ask how much money would be saved? We've spent longer discussing the problem than it would take to fix it! These aren't junior people I'm talking to (who ask dumb things like "but I can't control or merge the other calendars" not recognizing it's a display issue), but like a L6 at Amazon.[4]
I swear, the problem is no one realizes the point of leetcode questions was never to get the answers right, but to just have some problem for an interviewee to work on and see how they go about solving it. I'd rather an engineer get the wrong answer with a good thought process than get the right answer with shitty code that was obviously memorized. It's much harder to teach people how to think than it is to teach them some specific thing to remember.
[0] I've almost immediately regretted this decision...
[1] General frustration yelling, not yelling at you
[2] No, the "find duplicate contacts" option does not in fact find duplicate contacts (what fucking data are they looking for? Because it sure as hell isn't identical names. Why isn't it even trying to do similar names?!)
[3] I've also missed so many fucking things because that little scroll wheel wasn't completely finished with its animation and so saved the wrong day or switched AM to PM. I've missed so many things because I have so little control over notifications and they disappear not if I dismiss them, but if I just unlock my god damn phone. So not just that one liner needs to be done, but it would do a lot and these other one-liners would also greatly help.
[4] Dude was complaining about candidates using GPT to do leetcode problems and how he had a hard time figuring out if they were cheating or not. One of my many suggestions was "why not do in person interviews?" which was answered with how expensive plane tickets were (his interviewees were local) and contradicted his prior and later statements about how costly it is to hire/interview someone. I'm sorry, what percentage of 6 engineers' salaries to do 6 interviews for an hour is a single round trip ticket for a domestic flight? Or to have someone... drive in...
If it is free, then, what's the profile worth for a year... there's the value.
User retention is a thing.
That's what they're directly or indirectly being graded on. Even if they don't have to show how their work impacted the company's bottom line, their managers or their managers' managers have to, and poop just rolls downhill.
> The idea of engineers needing to justify monetary value is just... ill conceived. They should be concerned with engineering problems. Let the engineering manager worry about the imaginary money numbers.
If this was only possible in this industry. If you're in a small company, you're wearing multiple hats anyway. If you're in a big corp, well, my wife hates that I see this in everything, but - hidden inflation is a thing. As roles are eliminated (er, "streamlined"), everyone is forced to be responsible for things they're not really supposed to care about (my favorite example is filing expense reports).
As you aptly put it upthread: we fucked up...
We need firewalls. One group's primary concern needs to be on the product. Another group's primary concern needs to be on keeping the business alive and profitable.
Too much of the former and you fail to prioritize the right work. Too much of the latter and you build vaporware. The downsides of biasing in one direction are certainly worse than the other...
Lol, your wife might have a field day with mine...
I have a fundamental belief that there's far more complexity than we let on. That as we advance complexity only increases. What was once rounding errors end up becoming major roadblocks. It's the double edged nature of success: the more you improve the harder it is to improve. I truly will never understand how everyone (including niche experts) thinks things are so simple.
But my partner is doing her PhD in economics, so she also thinks about opportunity costs quite a lot but I think she (and a lot of her friends) were quite unaware of how a lot of stuff operates in tech[0].
Probably doesn't help that, as you know, I'm not great at brevity :/
[0] My favorite thing to do at her department get-togethers (alcohol is always involved) is to introduce them to open source software. Quite a number of them find it difficult to understand how much of the world is based on this type of work and how little money it makes. Not to mention the motivations behind it. The xz hack led to some interesting discussions...
Don't worry, people didn't go completely brain dead lol. And most of the economists know about it but not the scale or how it fits in the larger ecosystem. They really just know it as "there's sometimes tools on GitHub".
I suspect they aren't losing users over duplicated holidays in the calendar.
You can't just switch calendar/video streaming when everything else is integrated with it/everyone is exclusively posting on this network.
As a big tech programmer, it's almost never that simple...
Small edge cases not covered by a one line regex can mean big issues at scale, especially when we're talking about removing things from a calendar.
I did purposefully limit to holiday calendars as an example because this very narrow scope vastly simplifies the problem, yet is a real world example you yourself can verify.
You're right that edge cases can add immense complexities but can you really think of a reason it should be difficult to dedupe an event with identical naming and identical time entries, especially with the strong hint that these are holidays? Let's even just limit ourselves to holidays that exclusively fall over full day periods (such as Labor Day).
Do you really think we cannot write a quick solution that will cover these cases? The cases that dominate the problem? A solution whose failure mode results in the existing issue (having dupes)? Am I really missing edge cases which require significantly more complex solutions that would interfere with the handling of these exceptionally common cases? Because honestly, this appears like a standard table union problem. With the current result my choices are having triplicate entries, which has major consequences to usability, or the disabling of several calendars, which fails to generalize the problem and also results in missing some minor holidays. Honestly, the problem is so bad I'd be grateful even if I had to manually approve all such dedupes...
If not, I'd really like to hear. Because it really means I've greatly mischaracterized the problem and I should not be using this example. Nor the example of a failure to FIND contacts with identical names, nicknames, phone numbers, birthdays, and differ only on an email address and note entry. Because I have really been under the strong impression that the latter is a simple database query where we should return any entry containing matches (failure mode being presenting the user with too many matches rather than a lack of matches. We can sort by number of duplicate fields and display matches in batches if necessary. A cumbersome solution is better than the current state of things...).
I'm serious in my request but if I have made a gross mischaracterization then I think you'd understand how silly this all looks. I really do want to know because this is just baffling to me.
If I truly am being an idiot, please, I encourage you to treat me like one. But don't make me take it on your word.
- Maybe you want to separately invite people to the same thing and have different descriptions, now you're increasing the number of things to equate.
- Maybe a user creates one event that is simply a title and a time, and they then want to create a second one for another purpose. However, it keeps getting deduped and they don't know why. Now you have a user education problem that you have to solve.
- Now you might think: well just make it a toggle in the settings! Okay well now you have to add a new setting and that expands the scope of the project. Do you make it opt-in or opt-out? If it's opt-in, what if no one uses it? Do you maintain the feature if there's a migration? If it's opt-out, you still have the above problems.
I could go on. And this is mostly an exercise of not underestimating a "simple" change. Calendars (and anything involving time) in particular can get very complicated.
So what's your answer? Keep the bullshit and do not provide an option to allow merges or dedupes? Literally all the problems you've brought up can be resolved by prompting the user with a request to merge OR just giving them the ability to do so. You really think triplicate entries is a better result than allowing a user to select three entries, right click, "merge entries"? Come on...
My answer is simply: It's not a 5 minute regex change.
I'm not even saying it shouldn't be prioritized or isn't worth the effort. Just that you should give the problem a bit more respect.
The very idealized trivial cases we're discussing and I've stressed we're discussing? I'm unconvinced.
I'm in a Spanish speaking country, but I want to watch English videos in English.
Auto-generated subtitles for other languages are ok, but I want to listen to the original voices!
I'd rather use auto-generated subtitles (even if flawed), but I want to hear the original voices!
Same languages as you. It drives me nuts because the translations are almost always wrong.
If not, I wonder why I can still watch most videos in their original language (even though I'm in a Spanish-speaking country), and I only encountered this once so far.
The first time I saw this feature, it was on a cover of some pop song in a foreign language. Why on Earth... ?
So instead of "stolen software" they distribute "patches" and a patching framework.
Legally distinct and modding is a much grayer area.
It's code you run locally to company the file, change the bytecode and repack it.
I was using the browser feature that disables the mobile mode on smartphones.
The autodub feature should be disabled asap. Or at least have a way to disable globally on all my devices.
That's been a policy for a while, the sign up page prominently says "Plan members must be in the same household".
No idea if it's enforced though.
I finally got so fed up, I bought a Samsung Galaxy Tab A7 off ebay for $50 and flashed it with LineageOS. I can now load whatever media I want onto the 1 TB sdcard I've installed in it. The 5 year old hardware plays videos just fine with the VLC app. And, as a bonus, I discovered that NewPipe, an alternative YouTube client I installed through the F-Droid store, is actually much more reliable at downloading videos than the official client. I was planning on using yt-dlp to load up the sdcard, but now I don't even need to do that.
The TIDAL app is absolute trash, it has this same issue all the time; not just that, but also, if a download fails it just hangs there and does not download the rest of the album/playlist.
Also, why would you want to download things in the first place? To watch them offline, right? Well, guess what happens when you open the app w/o an internet connection ... it asks you to login, so you cannot even access your music. 900k/year TOC genius work there.
The only reason why I haven't canceled is because I'm too lazy to reset my password in order to login and cancel, lol. Might do it soon, though.
There is no way to remove the stuck item if it's been pulled from the streaming library or you are in a country that -- such as when traveling, etc. -- does not have rights to it. You simply cannot open the track to undownload it.
I do wish they'd improve their CarPlay search results though. I hate asking for a well known song and getting some obscure EDM remix.
It was founded by Jay-Z and then bought by the Twitter dopey guy.
https://github.com/holzschu/a-shell
Google is doing what Apple does and implementing Gatekeeper-like signature checks to ensure only apps by Google-approved developers can run on Android.
Microsoft does something similar with Windows Defender: you need to buy a developer certificate that can be revoked at any time if you want to distribute your app and have users be able to run it.
We're at a point where we need permission from trillion dollar companies to run the apps we want on the hardware we own.
Clarifying: you CAN run an unsigned app just fine on Windows. A lot of freeware/"indie" (for lack of a better term for small software) programs run just fine, the only thing that happens is the user receives a warning they have to press "Yes" on (which 95% of people do, because That's The Windows UX[patent pending]).
https://cdn.advancedinstaller.com/img/prevent-smartscreen-fr...
In order to run, you have to click on "More info", and then a second "Run anyway" button appears.
There's way more than 5% of the Windows userbase that gets confused and can't get past this warning.
[1] https://news.ycombinator.com/item?id=40815488
I also haven't seen any specifics on how that system is supposed to work, but have seen a lot of speculation and (perhaps not unwarranted) fearmongering.
https://f-droid.org/en/packages/free.rm.skytube.oss/
https://f-droid.org/en/packages/free.rm.skytube.legacy.oss/
Is this another way of saying, "I will keep using it until it stops working"
It's time to milk the entire userbase for every cent they can get out of them by any means necessary. The future is bleak.
My point was that the threat of prohibiting libre Linux isn't from all manufacturers deciding to lock out installing Linux on their devices. But rather from remote attestation making it so that Google (et al) are able to force you to run a locked down operating system as a technically-enforced condition of interacting with their servers.
Yes, Google is doing this; but I don't believe Google is doing it to squeeze an inconsequentially small boost in YT Premium subscriptions from former-account-sharers - I believe they're doing it because they want to demonstrate that YouTube is a "secure" platform for large, Hollywood-like, production studios to feel comfortable publishing first-runs of new TV content directly to YouTube - and those production companies are famously paranoid, luddite, and comically ignorant of cryptography fundamentals (i.e. they believe DRM can simultaneously allow legal subscriber Alice but deny evil pirate Bob from watching protected content when Alice and Bob are in-reality the same person (it's you, me, us!)).
..and if not Hollywood studios, then certainly the major sports leagues. [The NFL's lawyers seem like real fun at parties](https://publicknowledge.org/the-nfl-wants-you-to-think-these...).
Download feature on iOS always works flawlessly whenever I need to hop on a long haul flight (several times a year).
NewPipe is so good and so useful. It can even play 4K and watch livestreams now.
Then I have good news for you! https://lifehacker.com/tech/youtube-family-premium-crackdown
In fact, I've got an email from them about this already. My YT is still ad-free though, so not sure when it's going to kick in for real.