{"id":51024000,"url":"https://github.com/shik3i/koalapull","last_synced_at":"2026-06-21T18:00:58.836Z","repository":{"id":362090982,"uuid":"1257052225","full_name":"Shik3i/KoalaPull","owner":"Shik3i","description":"Yet Another yt-dlp GUI (but it's mine). Proving you don't need a massive Chromium instance, or a computer science degree, to use yt-dlp. Fast, clean, and resource-friendly.","archived":false,"fork":false,"pushed_at":"2026-06-10T19:20:50.000Z","size":14795,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-10T21:09:46.309Z","etag":null,"topics":["cross-platform","ffmpeg","golang","linux","macos","react","video-downloader","wails","windows","yt-dlp","yt-dlp-gui"],"latest_commit_sha":null,"homepage":"https://pull.koalastuff.net","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Shik3i.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-02T10:16:28.000Z","updated_at":"2026-06-10T19:21:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Shik3i/KoalaPull","commit_stats":null,"previous_names":["shik3i/koalapull"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Shik3i/KoalaPull","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shik3i%2FKoalaPull","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shik3i%2FKoalaPull/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shik3i%2FKoalaPull/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shik3i%2FKoalaPull/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Shik3i","download_url":"https://codeload.github.com/Shik3i/KoalaPull/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shik3i%2FKoalaPull/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34620358,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cross-platform","ffmpeg","golang","linux","macos","react","video-downloader","wails","windows","yt-dlp","yt-dlp-gui"],"created_at":"2026-06-21T18:00:57.862Z","updated_at":"2026-06-21T18:00:58.827Z","avatar_url":"https://github.com/Shik3i.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# KoalaPull\n\nKoalaPull is a native desktop download manager for [yt-dlp](https://github.com/yt-dlp/yt-dlp).\nIt downloads videos, audio, playlists, subtitles, and metadata from hundreds of sites with a desktop UI instead of terminal commands.\n\n## Key Features\n\n- Zero-config setup: automatically downloads and configures `yt-dlp` and `ffmpeg` on first run.\n- Hardened dependency updates: downloads are size-limited, integrity-checked, archive-validated, and atomically replaced.\n- Direct engine updates: update or re-install `yt-dlp` and `ffmpeg` from the Settings tab.\n- Cross-platform UI: built with Go, React, and Wails for macOS, Windows, and Linux.\n- Metadata preview: inspect thumbnails, uploader data, duration, and formats before downloading.\n- Queue and presets: parallel downloads, presets, subtitle options, and history built in.\n- Privacy-first: local-first workflow, no telemetry, no tracking, no external CDN requirement.\n\n## Installation\n\nDownload the latest release from:\n\n- [GitHub Releases](https://github.com/Shik3i/KoalaPull/releases)\n\nCurrent packaged targets:\n\n- macOS arm64\n- macOS amd64\n- Windows amd64\n- Linux amd64\n\n## Building From Source\n\nRequirements:\n\n- Go 1.26.4 or newer\n- Node.js 22 or newer\n- Wails CLI v2.12.0 or newer\n- Linux only: `libgtk-3-dev`, `libwebkit2gtk-4.1-dev`, `pkg-config`\n\nBuild and run locally:\n\n```bash\ngo install github.com/wailsapp/wails/v2/cmd/wails@v2.12.0\ngit clone https://github.com/Shik3i/KoalaPull.git\ncd KoalaPull\nwails dev\n```\n\nProduction build:\n\n```bash\nwails build -clean -ldflags \"-X main.AppVersion=$(git describe --tags --always --dirty)\"\n```\n\n## Runtime Dependency Flow\n\nKoalaPull stores downloaded engine binaries here:\n\n- Linux: `~/.config/KoalaPull/bin/`\n- macOS: `~/Library/Application Support/KoalaPull/bin/`\n- Windows: `%APPDATA%/KoalaPull/bin/`\n\nDownloaded tools:\n\n- `yt-dlp`\n- `ffmpeg`\n\n### Hardened Download Flow\n\nWhen KoalaPull downloads or updates `yt-dlp` and `ffmpeg`, it now uses this flow:\n\n1. Download into temporary files with hard size limits.\n2. Verify integrity before install:\n   - `yt-dlp`: SHA-256 checksum verification.\n   - `ffmpeg` on Windows/Linux: upstream SHA-256 checksum verification.\n   - `ffmpeg` on macOS: detached signature verification against the embedded Evermeet signing key.\n3. Validate archive member paths and extract only the expected binaries with bounded extraction.\n4. Replace old binaries atomically so failed updates do not leave half-written executables behind.\n5. On Windows, keep `ffmpeg.exe` and `ffprobe.exe` together.\n\nResult:\n\n- broken downloads are rejected\n- oversized downloads are rejected\n- archive traversal is blocked\n- partial installs should not replace working binaries\n\n## Verification Workflow\n\nThere is now one canonical verifier:\n\n- `scripts/verify.mjs`\n\nLaunchers:\n\n- Unix: `./scripts/verify.sh`\n- Windows: `.\\scripts\\verify.bat`\n\nThe verifier runs:\n\n1. `frontend`: `npm ci --include=optional`\n2. `frontend`: `npm run test`\n3. `frontend`: `npx tsc --noEmit`\n4. `frontend`: `npm run build`\n5. `frontend`: `npm audit --audit-level=moderate`\n6. repository root: `npm ci --include=optional` for website tooling\n7. `website`: `node --test`\n8. Go tests: `go test -count=1 ./...`\n9. Go race tests: `go test -race -count=1 ./...`\n10. `go vet ./...`\n11. `govulncheck`\n12. `actionlint` for workflow validation\n\n## Project Layout\n\n```text\nKoalaPull/\n|- app.go\n|- app_test.go\n|- dependency_security.go\n|- process_other.go\n|- process_windows.go\n|- process_output.go\n|- replace_other.go\n|- replace_windows.go\n|- scripts/\n|  |- verify.mjs\n|  |- verify.sh\n|  |- verify.bat\n|- frontend/\n|- website/\n|- build/\n|- docs/\n`- wails.json\n```\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## License\n\nMIT. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshik3i%2Fkoalapull","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshik3i%2Fkoalapull","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshik3i%2Fkoalapull/lists"}