Modrinth-plus/docs/security-review.md
MrSphay e66aa3d128
Sign Windows releases with MrTrust certificate
2026-05-16 01:15:02 +02:00

Security Review

Scope

Project:

Modrinth Plus

Reviewed version or commit:

main

Code Patterns Checked

  • No eval.
  • No dynamic Function constructor.
  • No unsafe HTML injection.
  • No unexpected shell execution.
  • External network calls documented for Connected Library.
  • No private Connected Library credentials are persisted in v1.
  • Connected Library requires HTTPS manifest and .mrpack URLs.
  • MrTrust signing secrets are expected only as Gitea Actions secrets.
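The HTTPS requirement for Connected Library URLs above is the kind of check that is easy to get wrong by string-prefix matching. The following is an added example, not code from the Modrinth Plus repository; the function name `checkConnectedLibraryUrl` and the extra rules beyond "HTTPS only" (no embedded credentials, a host must be present, pack URLs must end in `.mrpack`) are assumptions about what a strict validator would enforce.

```typescript
// Added example (not Modrinth Plus code): validate a Connected Library URL.
// Uses the WHATWG URL parser so scheme normalisation ("HTTPS://", "https:")
// and credential extraction are handled by the platform, not by regexes.
type UrlKind = "manifest" | "mrpack";

interface UrlCheck {
  ok: boolean;
  reason?: string;
}

function checkConnectedLibraryUrl(raw: string, kind: UrlKind): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw); // throws on relative or unparsable input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Scheme first: this rejects http:, file:, data:, javascript: and custom schemes.
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} is not https:` };
  }
  // Assumption: userinfo in a library URL is never legitimate and would leak
  // into logs and manifests, so refuse it outright.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "embedded credentials are not allowed" };
  }
  if (url.hostname === "") {
    return { ok: false, reason: "missing host" };
  }
  // Assumption: the .mrpack suffix is checked on the path only, so a query
  // string cannot be used to satisfy it.
  if (kind === "mrpack" && !url.pathname.toLowerCase().endsWith(".mrpack")) {
    return { ok: false, reason: "pack URL must end in .mrpack" };
  }
  return { ok: true };
}

// Constructed sample inputs for a quick self-check.
function demoUrlChecks(): Record<string, boolean> {
  return {
    httpsPack: checkConnectedLibraryUrl("https://mods.example/pack.mrpack", "mrpack").ok,
    httpPack: checkConnectedLibraryUrl("http://mods.example/pack.mrpack", "mrpack").ok,
    userinfo: checkConnectedLibraryUrl("https://u:p@mods.example/pack.mrpack", "mrpack").ok,
    wrongSuffix: checkConnectedLibraryUrl("https://mods.example/pack.zip", "mrpack").ok,
    relative: checkConnectedLibraryUrl("mods.example/pack.mrpack", "mrpack").ok,
    jsScheme: checkConnectedLibraryUrl("javascript:alert(1)", "manifest").ok,
  };
}
```

Keep the check at the boundary where the URL enters the app (import dialog, manifest parse), and re-run it on every URL found inside a fetched manifest, since a manifest served over HTTPS can still point at an `http:` pack.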

Dependency Review

Commands (lint and static analysis; these exercise the project's own code and do not audit dependency versions or advisories):

pnpm --filter @modrinth/app-frontend run lint
cargo clippy --package theseus

Result:

Pending a successful Gitea Actions run. At the time of this snapshot the Build / build-windows job was failing on the latest push, so the result is not yet available.

Runtime Review

  • Connected Library manifests are stored locally in SQLite.
  • Connected Library auto-update is disabled by default; updates are applied only when the user opts in.
  • GITEA_TOKEN is used only for local agent API checks and is never read by the shipped app at runtime.
  • A valid signature from the MrTrust chain lets machines that have that chain installed verify the artifact's origin; it does not bypass Defender scanning, SmartScreen reputation, UAC elevation prompts, or enterprise application-control policy.
  • Full Tauri runtime permission review is still pending.

Release Notes

Known residual risks:

  • Connected Library update behaviour is conservative: it does not yet implement strict removed-file sync, so files dropped from an upstream manifest are not deleted locally and can remain in an instance until removed by hand.
  • Windows trust depends on every published artifact being signed with the same certificate chain that MrTrust installs; an artifact signed with a different chain, or left unsigned, will not be trusted on those machines.
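The removed-file residual risk is easiest to see in an update planner. The following is an added example, not code from the Modrinth Plus repository; the manifest shape (a list of relative paths with SHA-256 digests), the function names `planSync` and `isSafeRelativePath`, and the sample manifests are all assumptions constructed for illustration. It also applies a path check that a practitioner would want before trusting any path from a remote manifest.

```typescript
// Added example (not Modrinth Plus code): diff two manifests into an update plan.
// Assumed manifest shape: each entry is a path relative to the instance directory
// plus the hex SHA-256 of the expected file content.
interface ManifestFile {
  path: string;
  sha256: string;
}

interface Manifest {
  files: ManifestFile[];
}

interface SyncPlan {
  download: string[];  // new or changed upstream files
  unchanged: string[]; // same digest locally and upstream
  remove: string[];    // removed upstream; populated only in strict mode
  orphaned: string[];  // removed upstream but left in place (conservative mode)
}

// Assumption: a remote manifest is untrusted input, so absolute paths, drive
// letters, backslashes, empty segments and ".." are refused before any I/O.
function isSafeRelativePath(p: string): boolean {
  if (p === "" || p.startsWith("/") || /^[A-Za-z]:/.test(p) || p.includes("\\")) return false;
  return p.split("/").every(seg => seg !== "" && seg !== "." && seg !== "..");
}

function planSync(installed: Manifest, upstream: Manifest, strictRemovedFiles: boolean): SyncPlan {
  for (const f of upstream.files) {
    if (!isSafeRelativePath(f.path)) throw new Error(`unsafe path in upstream manifest: ${f.path}`);
  }
  const have = new Map<string, string>(installed.files.map(f => [f.path, f.sha256] as [string, string]));
  const want = new Map<string, string>(upstream.files.map(f => [f.path, f.sha256] as [string, string]));
  const plan: SyncPlan = { download: [], unchanged: [], remove: [], orphaned: [] };

  for (const [path, sha] of want) {
    if (have.get(path) === sha) plan.unchanged.push(path);
    else plan.download.push(path); // new file, or digest changed
  }
  for (const path of have.keys()) {
    if (want.has(path)) continue;
    // Conservative mode (the current behaviour described in the review) only
    // reports the orphan; strict mode schedules it for deletion.
    if (strictRemovedFiles) plan.remove.push(path);
    else plan.orphaned.push(path);
  }
  plan.download.sort(); plan.unchanged.sort(); plan.remove.sort(); plan.orphaned.sort();
  return plan;
}

// Constructed sample manifests: b.jar changed, c.jar added, config/x.toml removed upstream.
const SAMPLE_INSTALLED: Manifest = { files: [
  { path: "mods/a.jar", sha256: "aaa" },
  { path: "mods/b.jar", sha256: "bbb" },
  { path: "config/x.toml", sha256: "ccc" },
] };
const SAMPLE_UPSTREAM: Manifest = { files: [
  { path: "mods/a.jar", sha256: "aaa" },
  { path: "mods/b.jar", sha256: "bbb2" },
  { path: "mods/c.jar", sha256: "ddd" },
] };

function demoPlans(): { conservative: SyncPlan; strict: SyncPlan } {
  return {
    conservative: planSync(SAMPLE_INSTALLED, SAMPLE_UPSTREAM, false),
    strict: planSync(SAMPLE_INSTALLED, SAMPLE_UPSTREAM, true),
  };
}
```

In conservative mode `config/x.toml` ends up in `orphaned` rather than `remove`, which is exactly the stale-file condition listed as a residual risk; surfacing the orphan list to the user is a cheap mitigation until strict sync is implemented.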