A description of the various files is in the README
The zipimport Unix executable contains code licensed under ISC and MIT. The PyInstaller-bundled executables are subject to these and other licenses, all of which are compiled in THIRD_PARTY_LICENSES.txt
Important changes
- The minimum supported versions of Deno, Node, and Bun have been raised.
The minimum required version of Deno is nowv2.3.0; supported Node versions arev22and up; Bun support has been deprecated and limited to versions1.2.11through1.3.14. - Security
- Usage of vulnerable conversions (e.g.
%()s) with the--execoption is an all-too-common pitfall. To remedy this,--execnow only allows safe conversions in its command templates.- Most users can simply replace
%(...)swith%(...)qin their--execargument(s). Numeric conversions are unaffected by this change. Using unsafe conversions with--execposes a significant security risk. Read more
- Most users can simply replace
- [CVE-2026-50019] File Downloader cookie leak with curl
- Impact is limited to users of
--downloader curl; cookies are now properly passed to curl so that it respects their scope
- Impact is limited to users of
- [CVE-2026-50023] Dangerous file type creation via insufficient filename sanitization
- Writing files with the extensions
.desktop,.url, or.weblocis now only allowed in the context of--write-linkfunctionality
- Writing files with the extensions
- [CVE-2026-50574] Arbitrary code execution via manifest downloads with aria2c
- Impact is limited to users of
--downloader aria2c - Support for downloading HLS and DASH formats with aria2c has been removed. Users affected by this change should migrate to use
-Nfor concurrent fragment downloads via the native downloader
- Impact is limited to users of
- Usage of vulnerable conversions (e.g.
Changelog
Core changes
- Add lockfile and pinned extras (#16421) by bashonly, Grub4K (With fixes in 88c8a68 by bashonly)
- Fix
defaultextra foriosplatforms (#16376) by bashonly - Remove
url,desktopandweblocfrom safe extensions by Grub4K - update: Bump GitHub REST API version to
2026-03-10(#16435) by bashonly - utils
random_user_agent
Extractor changes
- Extract supplemental codecs from DASH manifests (#16827) by chrisellsworth
_resolve_nuxt_array: Handle PiniaskipHydrate(#16447) by doe1080- abematv: Extract subtitles (#16502) by garret1317
- ard: Support new
ardsoundsdomain (#16381) by evilpie - bandcamp: weekly: Fix extractor (#16373) by bashonly
- iwara: Fix extractors (#16014) by vpertys
- monstercat: Support older URLs (#16780) by AnAwesomGuy
- onsen: Fix extraction (#16830) by doe1080
- pornhub: Support browser impersonation (#16794) by 0xvd
- reddit: Fix unauthenticated extraction (#16839) by 0xvd, bashonly, jdesgats
- rtp: Support multi-part episodes and
--no-playlist(#16299) by bashonly - s4c: Extract more metadata (#16813) by Suntooth
- soop: Adapt extractors to new domain (#16436) by thematuu
- soundcloud
- thisoldhouse: Fix extractor (#16909) by bashonly, dirkf
- twitch
- Remove dead
rechatsubtitles (#16660) by kasper93 - clips: Fix extractor (#16466) by Ventriduct
- Remove dead
- twitter: Fix
view_countextraction (#16814) by MemoKing34 - wikimedia: Rework extractor (#15413) by seproDev
- youtube
- Drop support for
bun<1.2.11andbun>1.3.14(#16786) by bashonly - Drop support for
deno<2.3.0(#16788) by bashonly - Drop support for
node<22(#16787) by bashonly - Fix PO token sanitization for Python 3.15 (#16884) by Grub4K
- Fix PO token sanitization for Python>=3.14.4 (#16453) by syphyr
- Fix outdated quickjs-ng warning (#16437) by bashonly
- Drop support for
Downloader changes
- external
aria2c: Remove support for m3u8/dash protocols by bashonlycurl: Fix cookie leak on redirect by Grub4K
- ffmpeg: Use info dict
http_headersfor direct merge downloads (#15456) by bashonly
Postprocessor changes
- exec: Restrict
--exectemplate usage to safe conversions (#16883) by bashonly - ffmpegmetadata: Avoid erroneous ISO 639 conversions (#16046) by bashonly
Networking changes
- Request Handler
- curl_cffi
Misc. changes
- build
- Harden build/release workflows (#16358) by bashonly, Grub4K (With fixes in cdc465a by bashonly)
- Harden release workflow (#16444) by bashonly
- Rename requirements files to clean up dependency graph (#16740) by bashonly
- Update 12 dependencies (#16903) by dlp-bot
- Update 14 dependencies (#16589) by dlp-bot
- Update 28 dependencies (#16467) by bashonly
- Upgrade all Linux binaries to Python 3.14 (#16738) by bashonly
- ci
- Bump pytest to 9.x (#16470) by bashonly, Grub4K
- Test with Python 3.15 (#16896) by bashonly
- Update 2 actions in 2 workflows (#16743) by dlp-bot
- Update 3 actions in 9 workflows (#16782) by dlp-bot
- Update 8 actions in 7 workflows (#16384) by bashonly
- Update wiki via this repository (#16446) by bashonly (With fixes in 9f0fc9a)
- cleanup
- devscripts
- Handle
ejsupdates for requirements files (#16374) by bashonly, Grub4K update_requirements: Add reporting functionality (#16454) by bashonly, Grub4K
- Handle
- docs: Update badges (#14893) by seproDev
- test: Add default and curl-cffi extras to hatch-test env (#16397) by JSubelj