chore 🤖(deps): bump yt-dlp from 2026.3.17 to 2026.6.9

[dependabot]

Bumps yt-dlp from 2026.3.17 to 2026.6.9.

Release notes

Sourced from yt-dlp's releases.

yt-dlp 2026.06.09

A description of the various files is in the README

The zipimport Unix executable contains code licensed under ISC and MIT. The PyInstaller-bundled executables are subject to these and other licenses, all of which are compiled in THIRD_PARTY_LICENSES.txt

---

Important changes

• The minimum supported versions of Deno, Node, and Bun have been raised. The minimum required version of Deno is now v2.3.0; supported Node versions are v22 and up; Bun support has been deprecated and limited to versions 1.2.11 through 1.3.14.
• Security
  • Usage of vulnerable conversions (e.g. %()s) with the --exec option is an all-too-common pitfall. To remedy this, --exec now only allows safe conversions in its command templates.
    • Most users can simply replace %(...)s with %(...)q in their --exec argument(s). Numeric conversions are unaffected by this change. Using unsafe conversions with --exec poses a significant security risk. Read more
  • [CVE-2026-50019] File Downloader cookie leak with curl
    • Impact is limited to users of --downloader curl; cookies are now properly passed to curl so that it respects their scope
  • [CVE-2026-50023] Dangerous file type creation via insufficient filename sanitization
    • Writing files with the extensions .desktop, .url, or .webloc is now only allowed in the context of --write-link functionality
  • [CVE-2026-50574] Arbitrary code execution via manifest downloads with aria2c
    • Impact is limited to users of --downloader aria2c
    • Support for downloading HLS and DASH formats with aria2c has been removed. Users affected by this change should migrate to use -N for concurrent fragment downloads via the native downloader

Core changes

• Add lockfile and pinned extras (#16421) by bashonly, Grub4K (With fixes in 88c8a68 by bashonly)
• Fix default extra for ios platforms (#16376) by bashonly
• Remove url, desktop and webloc from safe extensions by Grub4K
• update: Bump GitHub REST API version to 2026-03-10 (#16435) by bashonly
• utils
  • random_user_agent
    • Bump version range 137-143 => 142-148 (#16588) by dlp-bot
    • Bump version range 142-148 => 143-149 (#16906) by dlp-bot

Extractor changes

• Extract supplemental codecs from DASH manifests (#16827) by chrisellsworth
• _resolve_nuxt_array: Handle Pinia skipHydrate (#16447) by doe1080
• abematv: Extract subtitles (#16502) by garret1317
• ard: Support new ardsounds domain (#16381) by evilpie
• bandcamp: weekly: Fix extractor (#16373) by bashonly
• iwara: Fix extractors (#16014) by vpertys
• monstercat: Support older URLs (#16780) by AnAwesomGuy
• onsen: Fix extraction (#16830) by doe1080
• pornhub: Support browser impersonation (#16794) by 0xvd
• reddit: Fix unauthenticated extraction (#16839) by 0xvd, bashonly, jdesgats
• rtp: Support multi-part episodes and --no-playlist (#16299) by bashonly
• s4c: Extract more metadata (#16813) by Suntooth
• soop: Adapt extractors to new domain (#16436) by thematuu

... (truncated)

Changelog

Sourced from yt-dlp's changelog.

Changelog

2026.06.09

Important changes

• The minimum supported versions of Deno, Node, and Bun have been raised. The minimum required version of Deno is now v2.3.0; supported Node versions are v22 and up; Bun support has been deprecated and limited to versions 1.2.11 through 1.3.14.
• Security
  • Usage of vulnerable conversions (e.g. %()s) with the --exec option is an all-too-common pitfall. To remedy this, --exec now only allows safe conversions in its command templates.
    • Most users can simply replace %(...)s with %(...)q in their --exec argument(s). Numeric conversions are unaffected by this change. Using unsafe conversions with --exec poses a significant security risk. Read more
  • [CVE-2026-50019] File Downloader cookie leak with curl
    • Impact is limited to users of --downloader curl; cookies are now properly passed to curl so that it respects their scope
  • [CVE-2026-50023] Dangerous file type creation via insufficient filename sanitization
    • Writing files with the extensions .desktop, .url, or .webloc is now only allowed in the context of --write-link functionality
  • [CVE-2026-50574] Arbitrary code execution via manifest downloads with aria2c
    • Impact is limited to users of --downloader aria2c
    • Support for downloading HLS and DASH formats with aria2c has been removed. Users affected by this change should migrate to use -N for concurrent fragment downloads via the native downloader

Core changes

• Add lockfile and pinned extras (#16421) by bashonly, Grub4K (With fixes in 88c8a68 by bashonly)
• Fix default extra for ios platforms (#16376) by bashonly
• Remove url, desktop and webloc from safe extensions by Grub4K
• update: Bump GitHub REST API version to 2026-03-10 (#16435) by bashonly
• utils
  • random_user_agent
    • Bump version range 137-143 => 142-148 (#16588) by dlp-bot
    • Bump version range 142-148 => 143-149 (#16906) by dlp-bot

Extractor changes

• Extract supplemental codecs from DASH manifests (#16827) by chrisellsworth
• _resolve_nuxt_array: Handle Pinia skipHydrate (#16447) by doe1080
• abematv: Extract subtitles (#16502) by garret1317
• ard: Support new ardsounds domain (#16381) by evilpie
• bandcamp: weekly: Fix extractor (#16373) by bashonly
• iwara: Fix extractors (#16014) by vpertys
• monstercat: Support older URLs (#16780) by AnAwesomGuy
• onsen: Fix extraction (#16830) by doe1080
• pornhub: Support browser impersonation (#16794) by 0xvd
• reddit: Fix unauthenticated extraction (#16839) by 0xvd, bashonly, jdesgats
• rtp: Support multi-part episodes and --no-playlist (#16299) by bashonly
• s4c: Extract more metadata (#16813) by Suntooth
• soop: Adapt extractors to new domain (#16436) by thematuu
• soundcloud
  • Improve error handling (#16602) by bashonly
  • Support --extractor-retries for original formats (#16690) by HarmfulBreeze
• thisoldhouse: Fix extractor (#16909) by bashonly, dirkf

... (truncated)

Commits

• 7f7bdc9 Release 2026.06.09
• 821bef0 [cleanup] Misc (#16697)
• 25056f0 [fd/external] aria2c: Remove support for m3u8/dash protocols
• 2726572 [fd/external] curl: Fix cookie leak on redirect
• e578e26 Remove url, desktop and webloc from safe extensions
• 3ba1534 [cleanup] Remove dead extractors (#16137)
• e85da3b [pp/FFmpegMetadata] Avoid erroneous ISO 639 conversions (#16046)
• a679141 [fd/ffmpeg] Use info dict http_headers for direct merge downloads (#15456)
• 98c0bea [docs] Update badges (#14893)
• 3d1f8a4 [ie/wikimedia] Rework extractor (#15413)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)