Update outdated dependencies

[antonio-orionus]

Summary

• update all direct outdated dependencies with exact pins
• add the new ytdlp-errors missingDependency i18n key across catalogs and runtime locale JSON
• update Knip binary ignores for msgmerge and Windows taskkill under Knip 6.16

Validation

• bun outdated
• bunx vitest run --project node tests/unit/clean-url.test.ts tests/unit/i18n-contract.test.ts tests/unit/schemas.test.ts
• bun run check
• bun run build
• bun run dist:linux:dir
• ELECTRON_DISABLE_SANDBOX=1 bunx electron --version

User-Facing Changes

• Added a new localized error key errors.ytdlp.missingDependency across i18n catalogs and runtime locale JSON (≈20+ languages). Shown when yt-dlp cannot find ffmpeg or ffprobe; message instructs users to repair bundled binaries or set an FFmpeg location before retrying.

Internal / Refactor Changes

• Dependency updates: exact-pinned bumps to many runtime and dev dependencies (notable: ytdlp-errors, @tanstack/react-virtual, @url-sanitize/*, electron-updater, i18next, react/react-dom, shadcn; dev: electron, electron-builder, knip 6.16.x, @types/node, @types/react, concurrently, oxlint). Removed @types/extract-zip. overrides["@types/react"] 19.2.15 → 19.2.17.
• Binary downloader (src/main/services/binary/BinaryDownloader.ts):
  • downloadFile signature now accepts boolean | DownloadFileOptions; DownloadFileOptions becomes part of the API.
  • Introduces separate max-duration timer (configurable via ARROXY_BINARY_DOWNLOAD_MAX_MS), improved stall/max-duration handling and richer DownloadStalledError, pipeline refactor to stream/promises, and more robust timer cleanup and logging.
• ZippedBinaryInstaller (src/main/services/binary/ZippedBinaryInstaller.ts):
  • Replace extract-zip filesystem extraction with streamed per-entry extraction using yauzl, per-step timeouts, unified abort handling, inflate support, verification of uncompressed size, and explicit executable permission handling.
• Tests:
  • Updated/added tests for downloader and ZIP installer (tests/unit/binary-downloader.test.ts, tests/unit/zipped-binary-installer.test.ts). Binary downloader test adds cleanup handling for ephemeral server/test artifacts.
• Config/CI/metadata:
  • knip.json: ignoreBinaries extended to include msgmerge and Windows taskkill.
  • .gitattributes: mark i18n artifacts as linguist-generated.
  • .coderabbit.yaml: auto_review disabled.
  • CI workflow e2e-cold-start adds ARROXY_BINARY_DOWNLOAD_MAX_MS='120000'.

Risk Areas

• Electron and packaging: bumped electron/electron-builder and related tooling may change startup/sandbox behavior, native module compatibility, packaging/signing, and IPC surface; validate across target OSes.
• Public API / typing changes: downloadFile signature change and exported DownloadFileOptions can break callers and types — audit all call sites and the public typings.
• Error semantics: DownloadStalledError now includes richer state; consumers that inspect error shapes/messages must be updated.
• ZippedBinaryInstaller behavior: streaming extraction changes failure modes and permission semantics; verify correctness on Windows, macOS, and Linux (executable permissions, path handling).
• Dependency changes: new ytdlp-errors key (missingDependency) requires consumers (error mapping, probes, UI) to handle it; other dependency bumps can affect runtime behavior and build outputs.
• i18n tooling & generated files: marking catalogs as generated may affect localization workflows (msgmerge, catalog generation) and reviewer diffs.
• Knip ignores: expanded binary ignores may suppress warnings; ensure intended.

Tests / Checks to Run

• Run full unit test suite (including tests/unit/i18n-contract.test.ts, tests/unit/clean-url.test.ts, tests/unit/schemas.test.ts) and new/modified tests: tests/unit/binary-downloader.test.ts, tests/unit/zipped-binary-installer.test.ts.
• i18n validation: verify runtime JSON catalogs include errors.ytdlp.missingDependency and CI localization steps still pass.
• Type & lint: bun run check (typecheck, lint, knip analysis); verify exported DownloadFileOptions typings and @types/react override.
• Build & packaging: bun run build; bun run dist:linux:dir; run platform packaging (Windows/macOS) in CI.
• Electron runtime/smoke: ELECTRON_DISABLE_SANDBOX=1 bunx electron --version and smoke-start the app to validate startup, sandbox/IPC behavior, and native module loading.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 7f13589d-f4d0-4bf6-a732-1d474489038b

📥 Commits

Reviewing files that changed from the base of the PR and between 238d6ff and 1961ee9.

📒 Files selected for processing (1)

• tests/unit/binary-downloader.test.ts

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Favor strict typing, exhaustive checks, and discriminated unions. Use any and unknown as escape hatches only — if you reach for one, justify it.
Use type inference from Zod schemas: define z.enum([...]) → type Foo = z.infer<…> → const FOOS = fooSchema.options instead of redeclaring as TypeScript union literals.

Files:

• tests/unit/binary-downloader.test.ts

tests/unit/**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Pure helpers with no I/O must live in their own module with a fixture-driven test alongside. Pattern: tests/fixtures/yt-dlp-stderr/<kind>/*.txt + tests/unit/yt-dlp-errors.test.ts.

Files:

• tests/unit/binary-downloader.test.ts

tests/**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

When adding idempotent IPC registration (ipcMain.removeHandler(), autoUpdater.removeAllListeners()), add the method as vi.fn() to matching vi.mock('electron') blocks — otherwise tests fail at module-load.

Files:

• tests/unit/binary-downloader.test.ts

tests/**

⚙️ CodeRabbit configuration file

Prioritize meaningful coverage, determinism, and whether tests validate behavior. Do not nitpick formatting or implementation style unless it makes the test unreliable.

Files:

• tests/unit/binary-downloader.test.ts

🔇 Additional comments (4)

tests/unit/binary-downloader.test.ts (4)

1-6: LGTM!

---

8-23: LGTM!

---

25-30: LGTM!

---

32-54: LGTM!

---

📝 Walkthrough

Walkthrough

Adds errors.ytdlp.missingDependency translations across locales, updates ops/config/dependency files and E2E env, extends BinaryDownloader with options, max-duration timer, and pipeline-based streaming plus tests, and replaces ZIP-extract logic with ZIP-entry streaming and tests.

Changes

Error message localization and maintenance updates

Layer / File(s)	Summary
Multi-locale error message for missing FFmpeg i18n/locales/*.po (am, ar, bn, de, el, es, fr, hi, ja, my, om, ps, ru, sr, sw, uk, ur, uz, vi, zh)`	Adds errors.ytdlp.missingDependency msgctxt/msgid/msgstr in each locale file to convey that yt-dlp could not find ffmpeg or ffprobe and advise repair or setting an FFmpeg location before retrying.
Config and dependency updates knip.json, package.json, .coderabbit.yaml, .gitattributes	knip.json expands ignoreBinaries; package.json bumps multiple runtime and dev dependencies and updates an @types/react override; .coderabbit.yaml disables auto_review; .gitattributes marks i18n artifacts as linguist-generated.
E2E workflow env var .github/workflows/e2e-cold-start.yml	Adds ARROXY_BINARY_DOWNLOAD_MAX_MS: '120000' to the cold-start E2E step environment.
Binary downloader implementation src/main/services/binary/BinaryDownloader.ts	Introduce DownloadFileOptions and normalization, add stall and overall max-duration timers (env-backed), switch to stream/promises pipeline, refine timeout/error state and stale-part retry behavior, and improve logging.
Downloader tests tests/unit/binary-downloader.test.ts	Add withServer test helper and a test asserting downloadFile times out (rejects with DownloadStalledError) under tight duration/stall thresholds while bytes continue arriving.
Zipped binary installer implementation src/main/services/binary/ZippedBinaryInstaller.ts	Replace extract-then-search approach with yauzl entry-stream extraction, per-step timeouts and abort handling, inflate support, uncompressed-size validation, and direct executable install with proper permissions.
Zipped installer tests tests/unit/zipped-binary-installer.test.ts	Add in-memory ZIP builders, CRC32/sha256 helpers, withServer helper, and tests for stored/deflated extraction and missing-entry error behavior.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

dependencies

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Update outdated dependencies' is vague and generic. While dependency updates are part of the changeset, the PR also includes significant code changes (binary downloader refactoring, ZIP installer updates, i18n additions) that the title doesn't capture.	Consider a more specific title that reflects the main changes, such as 'Update dependencies and refactor binary handling' or 'Update dependencies and enhance binary downloader with timeout controls'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description covers the main objectives (dependency updates, i18n additions, Knip configuration), includes validation steps, and mostly follows the template structure with Summary and Validation sections completed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch update-outdated-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/unit/binary-downloader.test.ts`:
- Around line 32-51: The test can leak the temporary directory if an expectation
throws; wrap the server/test block and subsequent assertions in a try/finally so
dir is always removed: create dir via fs.mkdtemp as now, run withServer and the
expect(downloadFile(...)) and fs.stat expectations inside the try, and call
await fs.rm(dir, {recursive: true, force: true}) in the finally block; reference
the local vars dir and destination and the helpers withServer and downloadFile
to locate where to add the try/finally and ensure cleanup always runs on
failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3f246043-ded9-4914-b875-8edc751988bc

📥 Commits

Reviewing files that changed from the base of the PR and between 0cbf1f6 and 30558a7.

📒 Files selected for processing (5)

• .coderabbit.yaml
• .gitattributes
• .github/workflows/e2e-cold-start.yml
• src/main/services/binary/BinaryDownloader.ts
• tests/unit/binary-downloader.test.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Cold start (windows)
• GitHub Check: Cold start (macos-arm64)
• GitHub Check: Cold start (linux)
• GitHub Check: Build Windows installer
• GitHub Check: check

🧰 Additional context used

📓 Path-based instructions (9)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Favor strict typing, exhaustive checks, and discriminated unions. Use any and unknown as escape hatches only — if you reach for one, justify it.
Use type inference from Zod schemas: define z.enum([...]) → type Foo = z.infer<…> → const FOOS = fooSchema.options instead of redeclaring as TypeScript union literals.

Files:

• tests/unit/binary-downloader.test.ts
• src/main/services/binary/BinaryDownloader.ts

tests/unit/**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Pure helpers with no I/O must live in their own module with a fixture-driven test alongside. Pattern: tests/fixtures/yt-dlp-stderr/<kind>/*.txt + tests/unit/yt-dlp-errors.test.ts.

Files:

• tests/unit/binary-downloader.test.ts

tests/**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

When adding idempotent IPC registration (ipcMain.removeHandler(), autoUpdater.removeAllListeners()), add the method as vi.fn() to matching vi.mock('electron') blocks — otherwise tests fail at module-load.

Files:

• tests/unit/binary-downloader.test.ts

tests/**

⚙️ CodeRabbit configuration file

Prioritize meaningful coverage, determinism, and whether tests validate behavior. Do not nitpick formatting or implementation style unless it makes the test unreliable.

Files:

• tests/unit/binary-downloader.test.ts

.github/workflows/**

⚙️ CodeRabbit configuration file

Review GitHub Actions for least-privilege permissions, unsafe secret exposure, untrusted PR execution, shell quoting, release/tag correctness, artifact handling, and whether commands can fail silently.

Files:

• .github/workflows/e2e-cold-start.yml

src/main/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

src/main/**/*.ts: Two-phase subtitle download: (1) video+audio with --no-write-subs --no-write-auto-subs; (2) subs only if phase 1 succeeds and subtitleLanguages non-empty with --skip-download --write-subs --sub-langs <langs>. Phase 2 failure is soft.
Filter automatic_captions to -orig keys only (actual cached auto-captions) via FormatProbeService.sanitizeSubtitleMap() to avoid hitting rate limits on live-translation-request keys.
Container format is NOT a subtitle concern: subtitleMode === 'embed' passes --merge-output-format mkv; sidecar/subfolder pass nothing.
Use process.resourcesPath/ffmpeg(.exe) in prod for embedded binaries, build/embedded/<host>/ffmpeg(.exe) in dev. Branch on app.isPackaged.
On Linux, inject LD_LIBRARY_PATH=<dir> at spawn time for BtbN ffmpeg to locate shared library siblings (libav*.so.*). No rpath patching needed.

Files:

• src/main/services/binary/BinaryDownloader.ts

src/{shared,main,renderer}/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

New shared modules go under src/shared/ so renderer + main both import without IPC. Modules with electron/node-only deps stay in src/main/services/ or src/renderer/... and surface their seam via re-exports of pure helpers.

Files:

• src/main/services/binary/BinaryDownloader.ts

src/{main,renderer}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Emit updater:available with { version, currentVersion, installChannel } IPC payload 5s after launch. Renderer shows <UpdateBanner> between title bar and content; per-platform UX from resolveAction(channel, platform).

Files:

• src/main/services/binary/BinaryDownloader.ts

src/main/**

⚙️ CodeRabbit configuration file

This is Electron main-process code. Prioritize security, IPC boundaries, filesystem access, updater/download behavior, child process usage, path handling, and validation of renderer-provided input.

Files:

• src/main/services/binary/BinaryDownloader.ts

🪛 ast-grep (0.43.0)

tests/unit/binary-downloader.test.ts

[info] 8-8: Make sure your server uses the https protocol
Context: http.createServer(handler)
Note: Security best practice.

(https-protocol-missing-typescript)

🔇 Additional comments (5)

.coderabbit.yaml (1)

4-5: LGTM!

.gitattributes (1)

1-5: LGTM!

.github/workflows/e2e-cold-start.yml (1)

114-114: LGTM!

src/main/services/binary/BinaryDownloader.ts (1)

105-294: LGTM!

tests/unit/binary-downloader.test.ts (1)

8-23: LGTM!