security: harden code against command injection and path traversal

Core changes:

* enforce HTTPS URLs and remove shell usage in generate_release.py
* replace os.system calls with subprocess across the codebase
* validate external inputs (playlist names, video IDs)

Improvements and fixes:

* settings.py: fix typo (node.lineno → line_number); use isinstance() over type()
* youtube/get_app_version: improve git detection using subprocess.DEVNULL
* youtube/util.py: add cleanup helpers; use shutil.which for binary resolution

YouTube modules:

* watch.py: detect and flag HLS streams; remove unused audio_track_sources
* comments.py: return early when comments are disabled; add error handling
* local_playlist.py: validate playlist names to prevent path traversal
* subscriptions.py: replace asserts with proper error handling; validate video IDs

Cleanup:

* remove unused imports across modules (playlist, search, channel)
* reorganize package imports in youtube/**init**.py
* simplify test imports and fix cleanup_func in tests

Tests:

* tests/test_shorts.py: simplify imports
* tests/test_util.py: fix cleanup_func definition

tests/test_shorts.py

@@ -11,8 +11,7 @@ import pytest
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..'))
 import youtube.proto as proto
 from youtube.yt_data_extract.common import (
-    extract_item_info, extract_items, extract_shorts_lockup_view_model_info,
-    extract_approx_int,
+    extract_item_info, extract_items,
 )
 
 

tests/test_util.py

@@ -39,7 +39,8 @@ class NewIdentityState():
         self.new_identities_till_success -= 1
 
     def fetch_url_response(self, *args, **kwargs):
-        cleanup_func = (lambda r: None)
+        def cleanup_func(response):
+            return None
         if self.new_identities_till_success == 0:
             return MockResponse(), cleanup_func
         return MockResponse(body=html429, status=429), cleanup_func