bibanon / tubeup

Use yt-dlp to download video/metadata and upload to the Internet Archive.
https://pypi.python.org/pypi/tubeup/
GNU General Public License v3.0

Upgrade yt-dlp ASAP to at least 2023.07.06 #293

Closed vxbinaca closed 1 year ago

vxbinaca commented 1 year ago

CVE-2023-35934

It's unsafe to use --cookies below the version of yt-dlp cut yesterday.

brandongalbraith commented 1 year ago

Nothing for us to do here it looks like, more of a comms issue with users. Perhaps it's time we build something that pops up a warning from a beacon or similar at each run when necessary?

vxbinaca commented 1 year ago

When users upgrade tubeup it should pull deps too.

vxbinaca commented 1 year ago

I've been thinking about switching yt-dlp's downloader to curl, but then it's one more dep, and curl's problems become our problems. Also there's no known benefit to measure against.

gamer191 commented 1 year ago

When users upgrade tubeup it should pull deps too.

I believe you can set minimum versions for dependencies, and if a lower version is installed pip will automatically update that dependency.

I'm not sure if you'd want that though, it could cause dependency hell, and it would also prevent python 3.6 users from using this since yt-dlp's latest version requires python 3.7+. This program seems to require 3.8+ though, so that shouldn't be an issue I guess.
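The two suggestions in this thread (a dependency floor so pip upgrades yt-dlp, and a per-run warning) combined in one small guard. This is an added example for the thread, not tubeup's own code; the constant, function names and the packaging snippet in the docstring are assumptions.

```python
"""Minimum-version guard for yt-dlp (added example, not tubeup's code).

Packaging side, hypothetical install_requires / pyproject.toml entry that
makes pip pull the newer yt-dlp when tubeup itself is upgraded:
    install_requires = ["yt-dlp>=2023.07.06"]

Runtime side: refuse or warn on --cookies while an old release is installed.
"""
from importlib import metadata
from typing import Optional, Tuple

# First yt-dlp release that is safe for --cookies per this issue (CVE-2023-35934).
MIN_YTDLP_VERSION = "2023.07.06"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a yt-dlp version string into a comparable tuple of ints.

    yt-dlp versions are calendar based (YYYY.MM.DD, optional extra component
    for same-day re-releases such as 2023.07.06.1). Installed metadata is
    PEP 440 normalised, so the same release reads "2023.7.6"; older tags were
    not zero-padded either (2021.12.1). Plain string comparison would get
    these wrong, int tuples compare correctly in every case.
    """
    return tuple(int(part) for part in version.split("."))


def is_version_ok(installed: str, minimum: str = MIN_YTDLP_VERSION) -> bool:
    """True when the installed yt-dlp is at or above the required minimum."""
    return parse_version(installed) >= parse_version(minimum)


def installed_ytdlp_version() -> Optional[str]:
    """Version string of the installed yt-dlp distribution, or None if absent."""
    try:
        return metadata.version("yt-dlp")
    except metadata.PackageNotFoundError:
        return None


def cookies_warning(installed: Optional[str]) -> Optional[str]:
    """Message to show before honouring --cookies, or None when it is safe."""
    if installed is None:
        return "yt-dlp is not installed; install >= %s" % MIN_YTDLP_VERSION
    if not is_version_ok(installed):
        return ("yt-dlp %s is older than %s; upgrade (pip install -U yt-dlp) "
                "before using --cookies" % (installed, MIN_YTDLP_VERSION))
    return None


if __name__ == "__main__":
    print(cookies_warning(installed_ytdlp_version()) or "yt-dlp version OK")
```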

vxbinaca commented 1 year ago

I'm not sure if you'd want that

Only for maintainability reasons would I not do it. It's the user's responsibility to keep yt-dlp up to date.

python 3.6 users

they can perish