YouTube player, without ads, ideal for e-learning and also saves your progress locally, no account required. github.com/hotheadhacker/…
@GithubProjects This is a nice project but we have ad blockers, freetube app, brave....
Why would someone do this to themselves?
┌─[siraj@dtop] - [~/devel/df_yt-player/youtube-player] - [2025-02-23 12:17:02]
└─[0]
Reviewed by grok: Yes, this code does look sketchy to me, and here’s why:

Major Concerns

Use of eval(data.code): This is a huge red flag. The eval function executes any string as JavaScript code, which is extremely dangerous if data.code comes from an untrusted source, like an API or user input. This could allow malicious code to run, leading to security risks like code injection attacks.

No Data Sanitization: There’s a comment in the code—// TODO: Sanitize data—which shows the developer knows the data needs to be cleaned but hasn’t implemented it yet. Without sanitization, any data from the API could contain harmful content, making the code vulnerable.

Other Issues

Polling with setInterval: The code uses setInterval to call getData every 5 seconds. This constant polling might be inefficient, especially if the API has rate limits or if real-time updates aren’t critical. It could overload the server or waste resources.

Error Handling: While there’s a try...catch block to handle errors, it’s not clear if the error messages avoid exposing sensitive information. Poorly handled errors could leak details that attackers might exploit.

Direct DOM Manipulation: The code seems to manipulate the DOM directly (e.g., creating UI elements). If this is part of a framework like React or Vue, this could cause problems, as those frameworks prefer managing the UI through their own methods. Even without a framework, it’s worth checking if this approach is safe and consistent.

API Security Unknown: There’s no indication of whether the API uses HTTPS or authentication. If it doesn’t, data could be intercepted or tampered with during transit, adding another layer of risk.

Suggested Fixes

To make this code safer and more efficient, here are some recommendations:

Replace eval: Avoid eval entirely. If data.code is meant to be configuration or structured data, use a safe method like JSON.parse. If it’s something else, strict validation should be applied to ensure it’s not executable code.

Sanitize Data: Implement proper sanitization for all incoming data from the API to remove or neutralize potentially malicious content.

Optimize Real-Time Updates: Instead of polling with setInterval, consider using WebSockets or another real-time method. This would reduce server load and improve responsiveness.

Secure Error Handling: Ensure the catch block doesn’t expose sensitive details in error messages. Log errors securely and show users only generic messages.

Framework-Friendly UI Updates: If this is part of a framework, use its built-in methods (e.g., state updates in React) instead of direct DOM manipulation.

Secure the API: Confirm the API uses HTTPS and proper authentication to protect data in transit.

Conclusion

Yes, this code looks sketchy due to the dangerous use of eval, lack of sanitization, and other potential vulnerabilities. It needs significant improvements to be secure and reliable. Without seeing the full context, these issues alone are enough to raise serious concerns.
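An added illustration of the eval replacement recommended in the review above (not code from the linked repository or from the quoted review): a data.code-style field is parsed as JSON and checked against an allow-list instead of being executed. The function name parseCode, the command shape (action, videoId, position) and the 11-character id pattern are assumptions, since the repository's actual payload is not shown on this page.

```javascript
// Added example: treat a data.code-style field as data, never as script.
// The command shape (action, videoId, position) is an assumption for illustration.
const ALLOWED_ACTIONS = new Set(["play", "pause", "seek"]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumed 11-character id format

function parseCode(code) {
  if (typeof code !== "string" || code.length > 1024) {
    return { ok: false, reason: "not a short string" };
  }
  let value;
  try {
    value = JSON.parse(code); // parses data only; nothing is executed
  } catch {
    return { ok: false, reason: "not valid JSON" };
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return { ok: false, reason: "not an object" };
  }
  const { action, videoId, position = 0 } = value;
  if (!ALLOWED_ACTIONS.has(action)) {
    return { ok: false, reason: "unknown action" };
  }
  if (typeof videoId !== "string" || !VIDEO_ID.test(videoId)) {
    return { ok: false, reason: "bad videoId" };
  }
  if (typeof position !== "number" || !Number.isFinite(position) || position < 0) {
    return { ok: false, reason: "bad position" };
  }
  // Copy only the validated fields; unexpected keys are dropped.
  return { ok: true, command: { action, videoId, position } };
}

// Constructed sample inputs, standing in for values an API might return.
const SAMPLES = [
  '{"action":"seek","videoId":"AAAAAAAAAAA","position":42}',
  'console.log("this would have run under eval")',
  '{"action":"exec","videoId":"AAAAAAAAAAA"}',
  '{"action":"play","videoId":"AAAAAAAAAAA","extra":"ignored"}',
];

function runSamples() {
  return SAMPLES.map((s) => parseCode(s));
}

for (const r of runSamples()) {
  console.log(r.ok ? r.command : `rejected: ${r.reason}`);
}
```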
@GithubProjects @BrianRoemmele You could create a BrianTube, and use something like this for public access.
@GithubProjects Not sure if you even checked this before posting or this is a paid tweet
@GithubProjects please test before posting 🙅‍♂️ it is not working
@GithubProjects You know you can just use @brave browser right? No ads or anything and install YouTube as a PWA Web App. So why do you need this?
@GithubProjects Your tool to speak to any cloud: x.com/chaouidz97/sta…
@GithubProjects Grayjay exists already, mobile and PC client, regular updates
@GithubProjects This looks like a game-changer for distraction-free learning! A YouTube player without ads and local progress saving—perfect for focused study sessions.
@GithubProjects I'm questioning something.. The condition those guys post videos on YouTube is that we pay the price of watching ads.. So, I'm questioning that myself.. in my daily day usage.. Feel free to disagree