This fixes a security vulnerability in this project where the `pom.xml`
files were configuring Maven to resolve dependencies over HTTP instead of
HTTPS.
Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Severity: High
CVSS: 8.1
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8
Co-authored-by: Moderne <team@moderne.io>
The log4j bugs weren't an issue as log4j wasn't included in the plugin directly
but simply depended on the version the server provided. This just syncs it with
the commonly used server version again. (And shuts up dependabot)
This also removes the deprecated methods which might interact with the
changed methods in unintended ways from the NameManager and the
PreTransactionEvent.
Reasoning why this is part of the core and not a separate addon:
The impact of this function is extremely lightweight when (almost) no
aliases are defined so someone who isn't using this should not have a
worse experience.
Additionally, including it in the core (similarly to the discounts,
taxes and restrictions) promotes its availability while not massively
increasing the maintainability.
As for the OddItem removal:
That plugin hasn't been developed for over 7 years and such unique
plugin support should really be added via a separate addon using the
events system which, with the new ItemStringQueryEvent, now actually
supports doing that from an external plugin.
If someone really managed to run their own private fork of OddItem for
all those years then they should be able to also provide such a simple
addon.
Message configs are now selected based on the client's language (can be
toggled in the config) and will use MineDown formatting to allow
display of component messages as well as usage of RGB colors in 1.16.
If found, the legacy local.yml will be used instead of the per-language
files. Move your local.yml to the correct lang config if you want to
use the per-client language option.
Version was also changed to 3.11 due to the many internal changes that
have accumulated over time.
This adds some more logging to the metrics for some interesting plugin
settings as well as player account and transaction counts. This data
about account count and average transaction and item counts is also
exposed ingame via the /csmetrics command.
This also removes the outdated mcstats metrics as that site is long dead
now, the last data is from two years ago...
This adds a new OTHER_BREAK PreShopCreationEvent outcome to indicate
that the sign should get broken. To keep it backwards compatible with
other plugins setCancelled still sets OTHER and will not lead to a sign
break. The breaking logic is also moved out of the ErrorMessageSender
as it didn't make sense to have there. (It also wasted a tiny bit of CPU
by getting the block of the state again)
To do this it now fully depends on LWCX, it's the only active version anyways.
Also fixed a possible out of index error with the sign lines.
Instead of using different modules we use a bukkit profile to test backwards compatibility with pure-Bukkit servers and use the paper-api in the default profile. This should really be done with modules in the future. The actual selection which listener to use is handled by checking if the event class exists on event registration.
This also uses the Bukkit API again instead of spigot (it doesn't use anything from spigot) and also makes sure to exclude any other Bukkit version from the dependency tree.