WAIT — Mixed signals — read the receipts

• Last commit 3w ago
• 43+ active contributors
• Distributed ownership (top contributor 34% of recent commits)
• GPL-3.0 licensed
• CI configured
• ⚠ GPL-3.0 is copyleft — check downstream compatibility
• ⚠ No test directory detected
• ⚠ Scorecard: default branch unprotected (0/10)

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests + OpenSSF Scorecard}

Return YouTube Dislike is a browser extension (Chrome, Firefox, and userscript) that restores YouTube's dislike count display after Google removed it in December 2021. It fetches dislike data from a community-maintained API (returnyoutubedislikeapi.com) and injects the count back into YouTube's UI, letting users judge content quality before watching. Multi-part architecture: core extension code in JavaScript/TypeScript with Vue components for UI (47KB Vue), CSS styling (31KB), manifest-based structure for content and background scripts. The repository also includes a separate Nuxt-based website (package.json suggests nuxt v2.15.7, Vuetify for Material Design). Build workflow managed by Babel and GitHub Actions (build.yaml, commentcommands.yml, weblint.yml).

YouTube viewers who want transparency on video quality and engagement metrics, and open-source contributors interested in building cross-browser extensions that interact with third-party APIs and DOM manipulation. Also relevant for developers concerned about data privacy and platform accountability.

Actively developed and production-ready: 331KB+ of JavaScript, 155KB+ of TypeScript, multi-language support (15+ locales), 2+ million users across Chrome and Firefox, frequent commits, and established CI/CD via GitHub Actions. The extension is published on both official web stores and has a Discord community of 909K+ members.

Standard open source risks apply.

Active development with Dependabot automation (dependabot.yml configured), multi-language documentation maintenance (15 localized CONTRIBUTING and FAQ files), linting enforcement via weblint.yml, and ongoing API integration. The .nvmrc file indicates Node version pinning for consistency. Workflow files suggest automated testing and comment-driven CI commands.

Clone the repository, install Node (check .nvmrc for pinned version), and install dependencies:

git clone https://github.com/Anarios/return-youtube-dislike.git
cd return-youtube-dislike
node --version  # verify .nvmrc version
npm install
npm run dev

For the extension, load the built output into Chrome/Firefox as an unpacked extension.

Daily commands: For extension development:

npm run dev

For the website (Nuxt):

npm run dev         # Development server
npm run build       # Production build
npm run start       # Run built app
npm run generate    # Static export

Note: Windows users may need set NODE_OPTIONS=--openssl-legacy-provider (already in package.json scripts).

• Extensions/combined/manifest.json — Defines extension permissions, content scripts, and background service worker entry points—fundamental to how the extension intercepts and modifies YouTube page behavior
• Extensions/combined/background.js — Core background service worker that fetches dislike data from the API and communicates with content scripts; central to the extension's data pipeline
• Extensions/combined/content.js — Injects dislike UI elements into YouTube pages and handles DOM manipulation; directly responsible for user-facing feature delivery
• .github/workflows/build.yaml — Automated build and release pipeline that packages extension artifacts for Chrome Web Store and Firefox—required for understanding deployment process
• package.json — Lists build tooling, Nuxt framework, and Vue dependencies; defines npm scripts for development and linting
• Extensions/combined/_locales/en/messages.json — English localization strings for UI text; template for multilingual message structure used across 20+ language variants
• CONTRIBUTING.md — Explains how to contribute and includes references to localized contribution guides; essential onboarding for new developers

• Content Script (content.js) (JavaScript DOM API, chrome.runtime.sendMessage()) — Injects dislike button and count into YouTube's DOM; listens for user votes and forwards them to background worker
  • Failure mode: If DOM selectors change in YouTube update, dislike button injection fails silently; no visual indication to user
• Background Service Worker (background.js) (JavaScript fetch API, chrome.runtime.onMessage, chrome.storage) — Fetches dislike data from Return Dislike API; routes messages between content scripts and API; manages caching
  • Failure mode: If API endpoint is down or returns

Add a new localization language

1. Copy Extensions/combined/_locales/en/messages.json to Extensions/combined/_locales/{lang_code}/messages.json (Extensions/combined/_locales/en/messages.json)
2. Translate all message values in the new language file while keeping keys unchanged (Extensions/combined/_locales/{lang_code}/messages.json)
3. Create a localized CONTRIBUTING document (e.g., CONTRIBUTINGde.md for German) by copying and translating CONTRIBUTING.md (CONTRIBUTING.md)

Modify the dislike UI display on YouTube

1. Edit content.js to identify where DOM elements are created and injected into the page (Extensions/combined/content.js)
2. Update the CSS styling for the dislike button and count display (Extensions/combined/css)
3. If adding new text labels, add message keys to _locales/en/messages.json and all language variants (Extensions/combined/_locales/en/messages.json)

Change the API endpoint or data-fetching logic

1. Modify the fetch URL and request/response handling in background.js (Extensions/combined/background.js)
2. Ensure the message format sent to content.js remains compatible; update content.js if message schema changes (Extensions/combined/content.js)
3. Test the build using npm scripts defined in package.json (package.json)

Build and release a new version

1. Update version in package.json and manifest.json (package.json)
2. Run build and verify the output artifacts are created (.github/workflows/build.yaml)
3. GitHub Actions workflow automatically triggers; review build.yaml to understand release flow to Chrome Web Store and Mozilla Add-ons (.github/workflows/build.yaml)

• Chrome Extension (Manifest V3 compatible) — Enables deep integration with YouTube's DOM and enables the core feature of injecting dislike counts without modifying YouTube's source code
• Background Service Worker — Persistent agent that fetches API data and routes messages between content scripts and backend, decoupling API calls from page lifecycle
• Content Script — Executes in the page's JavaScript context, allowing direct DOM manipulation to inject dislike UI elements
• Return Dislike API (backend not in this repo) — Centralized backend aggregates crowdsourced dislike data and serves it to extension instances

• Crowdsourced dislike data instead of official YouTube API

  • Why: YouTube removed public dislike counts in late 2021; crowdsourced approach enables community-driven alternative
  • Consequence: Data accuracy depends on vote volume and user honesty; may show misleading counts on low-traffic videos

• Content script directly manipulates DOM instead of using YouTube's own UI APIs

  • Why: YouTube does not expose a public API for custom vote displays; injection is the only way to integrate visually
  • Consequence: Extension breaks when YouTube changes DOM structure; requires ongoing maintenance to match page changes

• No persistent local database; all data fetched from backend API

  • Why: Keeps extension lightweight and ensures fresh dislike counts across sessions
  • Consequence: Depends on backend availability and network latency; no offline functionality

• Support for 20+ languages via _locales JSON files

  • Why: Extension has global user base across Chrome Web Store and Mozilla Add-ons; localization increases accessibility
  • Consequence: Requires translation community; adding new strings means coordinating updates across all language files

• Does not implement authentication or user accounts—all dislike voting is anonymous and identified by IP/fingerprint only
• Does not replace YouTube's like/view functionality—only adds the dislike counts that YouTube removed
• Does not work on private/unlisted videos or non-video pages (e.g., channel pages, playlists)
• Does not validate or prevent spam votes—relies on backend moderation and statistical filtering
• Not a real-time database—dislike counts update periodically, not on every vote

1. OpenSSL legacy provider: Windows/some Node versions require NODE_OPTIONS=--openssl-legacy-provider (hardcoded in package.json dev scripts). Breaks silently without it. 2. API dependency: Extension is entirely dependent on returnyoutubedislikeapi.com availability; no fallback if API is down. 3. YouTube DOM changes: YouTube frequently updates its DOM structure; content script selectors must be maintained or the extension breaks (not visible in file list but evident from the use case). 4. Manifest version transitions: Chrome/Firefox may be on different manifest versions (v2 vs v3); build system must handle both. 5. Rate limiting: No mention of rate-limiting strategy in visible files; the extension could hit API quotas if many users vote simultaneously.

• Content Scripts & Background Scripts — The extension architecture relies on content scripts running in YouTube's page context to manipulate the DOM, and background scripts to communicate with the external API—understanding the message-passing protocol between them is essential for modifying any extension functionality.
• Manifest V2 vs V3 — Chrome is deprecating Manifest V2; the project must support both versions for compatibility with older Chrome installations and Firefox. The build system needs conditional logic to generate both variants.
• DOM Mutation & Selectors — YouTube's UI changes frequently; content scripts must detect and inject dislike counts into dynamically generated DOM elements without breaking when selectors change. Fragility here is a common source of bugs.
• Cross-Origin Requests & CORS — The extension fetches from returnyoutubedislikeapi.com from YouTube's origin; requires careful handling of CORS, credentials, and manifest permissions (host_permissions).
• Vue Component Lifecycle & Reactivity — The popup and injected UI elements are Vue components; understanding computed properties, watchers, and mounted hooks is critical for correctly displaying and updating dislike counts in real-time.
• Internationalization (i18n) Patterns — The project maintains 15 language variants; contributors need to understand how locale files map to UI strings and how the build system generates language-specific extension bundles.
• Babel & Transpilation — The codebase uses modern JavaScript features (async/await, arrow functions, classes) but must run on older browsers; Babel's configuration in .babelrc controls what gets polyfilled and how target browsers are specified.

• yt-dlp/yt-dlp — YouTube interaction tool; shares the problem domain of working around YouTube's API limitations and DOM changes.
• violentmonkey/violentmonkey — Userscript manager that many users run Return YouTube Dislike as a script through; complementary tool for the same audience.
• uBlockOrigin/uBlock0 — Popular browser extension with similar multi-browser support, manifest handling, and community-driven rule updates; excellent reference for extension architecture.
• return-youtube-dislike/return-youtube-dislike-api — The backend API server (returnyoutubedislikeapi.com) that this extension depends on; essential companion repository for understanding data flow.
• tannerlinsley/react-query — Not directly used here, but a reference for managing async API state in browser extensions; useful pattern for the extension's API integration.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add ESLint v9 compatibility fixes and modernize babel-eslint configuration

The package.json shows ESLint v9.31.0 with babel-eslint v10.1.0, which is deprecated. Babel-eslint stopped maintenance and ESLint v9 requires @babel/eslint-parser. This causes potential linting failures and security issues. The .babelrc file exists but likely needs updates for ESLint v9 compatibility. This is blocking the lint workflow defined in .github/workflows/weblint.yml.

• [ ] Replace babel-eslint with @babel/eslint-parser in package.json dependencies
• [ ] Update .babelrc to include required Babel plugins for Vue/Nuxt parsing
• [ ] Update .eslintignore (referenced in package.json but not in file structure)
• [ ] Run 'npm run lint' to verify weblint.yml workflow will pass
• [ ] Test against .vue and .js files in the extension code

Create comprehensive CONTRIBUTING guide consolidation and contributor workflow automation

The repo has 15+ language-specific CONTRIBUTING files (CONTRIBUTINGar.md, CONTRIBUTINGde.md, etc.) but the base CONTRIBUTING.md is not visible in structure. There's no CI workflow enforcing contributor guidelines. Add automated checks for PRs (commit message format, branch naming) via the existing .github/workflows infrastructure and consolidate translation metadata.

• [ ] Audit the base CONTRIBUTING.md for completeness and Chrome extension specific guidance
• [ ] Create .github/workflows/contributor-guidelines.yml to validate commit messages and PR titles
• [ ] Add a CONTRIBUTING-TRANSLATIONS.md explaining how multilingual files are maintained
• [ ] Implement a workflow to ensure translated CONTRIBUTING files stay in sync with base version
• [ ] Document the extension architecture (content scripts, background scripts, manifest structure)

Add missing test infrastructure and update build.yaml CI/CD workflow

The .github/workflows/build.yaml exists but there are no test files visible in the structure. For a Nuxt-based site component, unit tests for API integration, dislike data fetching, and UI components are critical. The build workflow should run tests and generate coverage reports before deployment.

• [ ] Add Jest configuration to package.json with @vue/test-utils for Vue component testing
• [ ] Create tests/unit/api.test.js for API client methods (likely in Extension API calls)
• [ ] Create tests/unit/components.test.js for key Nuxt/Vuetify components
• [ ] Update .github/workflows/build.yaml to run 'npm test' and upload coverage to Codecov
• [ ] Add test script to package.json and configure coverage thresholds

• Add unit tests for API response parsing: The codebase likely has no test directory (not in top 60 files). Create Jest/Mocha tests for the returnyoutubedislikeapi.com response handler to validate data transformation and error cases.
• Implement offline fallback UI: When the API is unreachable, the dislike count disappears silently. Add a cached data layer or 'data unavailable' placeholder that gracefully degrades instead of breaking the UI.
• Expand localization coverage: The project has 15 language variants of docs but may lack full translation of in-extension strings. Add i18n framework (vue-i18n) and extract all hardcoded UI strings from Vue components into locale JSON files.

The Return YouTube Dislike extension has moderate security concerns primarily stemming from significantly outdated dependencies and legacy configuration practices. The use of Nuxt 2.15.7 (EOL), outd

• High · Outdated Nuxt Version with Known Vulnerabilities — package.json - nuxt dependency. The project uses Nuxt 2.15.7, which is an older version. Nuxt 2 reached end-of-life in June 2024. This version may contain unpatched security vulnerabilities, particularly in dependency resolution and server-side rendering contexts. Fix: Upgrade to Nuxt 3.x or the latest Nuxt 2 patch version. Review the Nuxt security advisories and migration guide.
• High · Legacy OpenSSL Provider Configuration — package.json - dev and generate scripts. The build scripts use 'NODE_OPTIONS=--openssl-legacy-provider' which indicates the project relies on deprecated OpenSSL behavior. This is a security anti-pattern that suggests compatibility issues with modern Node.js versions and may bypass important security defaults. Fix: Update dependencies (particularly Nuxt, Babel, and webpack) to versions compatible with modern Node.js OpenSSL. Remove the legacy provider flag and resolve underlying compatibility issues.
• Medium · Outdated Babel-ESLint — package.json - devDependencies. babel-eslint 10.1.0 is no longer maintained. The project should migrate to @babel/eslint-parser which is the modern replacement with active security updates. Fix: Replace babel-eslint with @babel/eslint-parser and update @babel/* dependencies to latest versions.
• Medium · Transitive Dependency Vulnerabilities — package.json - dependencies and devDependencies. The project uses core-js 3.44.0 which is often a source of transitive vulnerabilities. Additionally, Vuetify 2.5.5 and @nuxtjs/vuetify 1.12.3 are outdated and may have unpatched vulnerabilities in their dependency trees. Fix: Run 'npm audit' to identify specific vulnerabilities. Update all dependencies to latest versions or at minimum those with security patches. Consider using npm audit fix.
• Medium · Axios Without Security Best Practices Enforced — package.json - @nuxtjs/axios dependency. @nuxtjs/axios 5.13.6 is outdated. The codebase structure suggests this is a browser extension making external API calls. Without visible security headers configuration or request validation, there's risk of CSRF attacks or insecure data transmission. Fix: Upgrade @nuxtjs/axios to latest version. Implement CSRF protection, validate all API responses, use HTTPS only, and implement Content Security Policy headers.
• Medium · Missing Security Configuration Files — Repository root and .github/. No visible security configuration files (security.txt, SECURITY.md policy, or security headers configuration) despite the extension's widespread use (Chrome/Firefox users). The project has a SECURITY-FAQ but lacks formal vulnerability disclosure policy. Fix: Create a SECURITY.md file with vulnerability disclosure policy. Add security headers configuration. Implement a responsible disclosure process.
• Low · ESLint Configuration with Loose Settings — Missing .eslintrc configuration file. While ESLint is configured, the presence of eslint-loader with eslint-plugin-vue suggests build-time linting. No visible .eslintrc configuration file to confirm security-focused rules are enabled (e.g., no-eval, no-dangerouslySetInnerHTML detection in Vue). Fix: Create a comprehensive .eslintrc configuration with security-focused rules enabled. Include rules for detecting potential XSS vulnerabilities and dangerous patterns.
• Low · Prettier Formatting Without Security Focus — package.json and build pipeline. The project uses Prettier for code formatting but lacks a code security scanner. Prettier ensures consistency but doesn't catch security issues like hardcoded secrets or insecure patterns. Fix: Integrate SAST tools like ESLint security plugins, npm audit, or dedicated tools (e.g., Snyk, CodeQL). Run security checks in CI/CD pipeline.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/Anarios/return-youtube-dislike shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live Anarios/return-youtube-dislike repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/Anarios/return-youtube-dislike.

What it runs against: a local clone of Anarios/return-youtube-dislike — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in Anarios/return-youtube-dislike | Confirms the artifact applies here, not a fork | | 2 | License is still GPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 50 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of Anarios/return-youtube-dislike. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/Anarios/return-youtube-dislike.git
#   cd return-youtube-dislike
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of Anarios/return-youtube-dislike and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "Anarios/return-youtube-dislike(\\.git)?\\b" \\
  && ok "origin remote is Anarios/return-youtube-dislike" \\
  || miss "origin remote is not Anarios/return-youtube-dislike (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(GPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"GPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is GPL-3.0" \\
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "Extensions/combined/manifest.json" \\
  && ok "Extensions/combined/manifest.json" \\
  || miss "missing critical file: Extensions/combined/manifest.json"
test -f "Extensions/combined/background.js" \\
  && ok "Extensions/combined/background.js" \\
  || miss "missing critical file: Extensions/combined/background.js"
test -f "Extensions/combined/content.js" \\
  && ok "Extensions/combined/content.js" \\
  || miss "missing critical file: Extensions/combined/content.js"
test -f ".github/workflows/build.yaml" \\
  && ok ".github/workflows/build.yaml" \\
  || miss "missing critical file: .github/workflows/build.yaml"
test -f "package.json" \\
  && ok "package.json" \\
  || miss "missing critical file: package.json"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 50 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~20d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/Anarios/return-youtube-dislike"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.