Yt-dlp: Upcoming new requirements for YouTube downloads

New YouTube Technical Barriers

  • YouTube has introduced several mechanisms that break traditional “URL scraping”:
    • nsig/sig tokens: per-request tokens now generated by logic scattered across the large base.js player rather than by a small extractable function.
    • PoToken (Proof-of-Origin): a JS “challenge” that must be executed client-side; missing or invalid PoTokens yield 403s. Android/iOS use platform integrity APIs; web now requires running YouTube’s JS.
    • SABR (Server-Side Adaptive Bitrate): a new streaming protocol with short-lived, changing chunk URLs and server‑side ad insertion. For many clients this prevents non‑SABR downloads above 360p unless alternative clients (e.g. TV endpoints) are used, and those may be phased out.

yt-dlp’s Move to Deno

  • yt-dlp’s custom Python JS “interpreter” was a targeted hack handling only a subset of JS and simple patterns; newer obfuscated, intertwined player code made that approach untenable.
  • QuickJS and similar embedded engines were tested but were orders of magnitude too slow (reports of ~20 minutes per video).
  • Deno was chosen as an external JS runtime:
    • Single static binary, easy to ship alongside yt-dlp.
    • Uses V8 with much better performance and can execute the full player bundle to derive tokens and PoTokens.

Security, Sandboxing, and JS Runtimes

  • A major reason for Deno over Node/Bun is permission-based sandboxing (no file/network/env access by default).
  • Several commenters stress this is still only V8-level isolation, without Chrome-style OS sandboxing; V8 bugs can still lead to escapes, so Deno should not be treated as a strong untrusted-code boundary in general.
  • Others argue “better than nothing” is appropriate here, since yt-dlp must run untrusted JS from many sketchy video sites, not just YouTube.
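
As an added illustration of the defense-in-depth point above (not code from yt-dlp or Deno, and not a description of how yt-dlp invokes its runtime), this Python example runs a script under Deno with every permission scope explicitly denied and wraps the process in kernel-enforced limits that do not depend on V8. The function names, limit values and sample script are assumptions; it needs a POSIX host with a `deno` binary installed.

```python
import os
import resource  # POSIX only
import shutil
import subprocess
import tempfile

# Deno permission scopes; each has --allow-<scope> and --deny-<scope> flags.
SCOPES = ("read", "write", "net", "env", "run", "ffi", "sys")


def deno_argv(deno="deno"):
    """Argv that runs a script from stdin with every permission scope denied."""
    argv = [deno, "run", "--no-prompt", "--no-remote", "--no-config", "--no-lock"]
    argv += [f"--deny-{scope}" for scope in SCOPES]
    return argv + ["-"]  # "-" tells deno to read the script from stdin


def grants(argv):
    """Flags in argv that widen the sandbox; use to audit a wrapper's command line."""
    return [a for a in argv
            if a in ("-A", "--allow-all") or a.startswith("--allow-")]


def _limits(cpu_seconds):
    # OS-level caps enforced by the kernel, independent of V8's own isolation.
    def apply():
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return apply


def run_untrusted_js(source, deno="deno", wall_seconds=10, cpu_seconds=5):
    """Run JS under deno with no permissions, a minimal env and a scratch cwd."""
    argv = deno_argv(shutil.which(deno) or deno)  # resolve before PATH is dropped
    with tempfile.TemporaryDirectory() as scratch:
        env = {"DENO_DIR": os.path.join(scratch, "cache"), "NO_COLOR": "1"}
        proc = subprocess.run(
            argv, input=source, text=True, capture_output=True,
            cwd=scratch, env=env, timeout=wall_seconds,
            preexec_fn=_limits(cpu_seconds),
        )
    return proc.returncode, proc.stdout


# Constructed sample: the file read is refused, so the script takes the catch branch.
SAMPLE = ('try { Deno.readTextFileSync("/etc/passwd"); console.log("read ok"); }'
          ' catch (e) { console.log("denied"); }')

if __name__ == "__main__":
    print(run_untrusted_js(SAMPLE))
```

The limits here bound CPU time, wall time and inherited environment only; containing a V8 escape still requires an OS-level sandbox such as a container, seccomp profile or separate unprivileged user.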

Impact on Users and Third-Party Apps

  • Many users report YouTube Premium’s own download feature is unreliable or DRM‑locked (e.g. fails to start, can’t play over HDMI, poor resolutions, app re‑auth issues), and still resort to yt-dlp or NewPipe/ReVanced/Plex workflows—sometimes just to listen offline or archive their own uploads.
  • Some users now hit login/IP-based blocks even in browsers or yt-dlp, especially when using VPNs or Invidious/other frontends.
  • F-Droid/Android apps that wrap yt-dlp and similar tools will need to integrate a JS runtime as well, further complicating lightweight clients.

Scraping, AI Training, and Bot Arms Race

  • There is debate over YouTube’s motives:
    • Some frame the changes as anti-bot / anti-viewbot and anti–mass scraping (for AI training or competitor migration tools).
    • Others see the primary intent as ad enforcement and moat protection, with anti-bot arguments as convenient cover.
  • Commenters describe an escalating arms race: sites add integrity checks, DOM/Canvas fingerprinting, and JS challenges; scrapers respond with headless browsers, proxies, and now embedded runtimes.

Platform Power, DRM, and Alternatives

  • Strong sentiment that YouTube’s near‑monopoly on video and creators’ dependence gives it wide latitude to “enshittify” UX (aggressive ads, broken clients, auto-dub/auto-translate, throttling ad‑blockers).
  • Some argue small creators also push for stronger controls/DRM to prevent “theft” and AI training, while others counter that DRM and locked clients mainly entrench large platforms, not independents.
  • Alternatives like PeerTube, Odysee, Rumble, Vimeo, Nebula, self‑hosted CDNs, and P2P systems are discussed, but:
    • Network effects, monetization, moderation cost, and legal risk (CSAM, piracy, terrorism) are cited as serious barriers.
    • Many believe YouTube will remain dominant for a long time.

Archiving and Self‑Hosting Responses

  • Multiple commenters suggest archiving now (“writing is on the wall”):
    • Tools like TubeArchivist, Pinchflat, TubeSync, and custom yt-dlp scripts feeding Jellyfin/Plex are used to mirror favorite channels or playlists.
  • There’s concern that if YouTube fully DRMs all content (as it already does for some TV/Movies and some TV clients), large parts of today’s cultural record will become hard to preserve outside the platform.