Modrinth-plus/docs/security-review.md
MrSphay c02413813b
Apply updated Codex repository kit
2026-05-03 22:22:57 +02:00

Security Review

Scope

Project:

Modrinth Plus

Reviewed version or commit:

main

Code Patterns Checked

  • No eval.
  • No dynamic Function constructor.
  • No unsafe HTML injection.
  • No unexpected shell execution.
  • External network calls documented for Connected Library.
  • No private Connected Library credentials are persisted in v1.
  • Connected Library requires HTTPS manifest and .mrpack URLs.
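The last item above is a concrete input-validation rule; the following is an added illustration of how such a check can be enforced, not code from the Modrinth Plus repository. The function names, the "manifest"/"mrpack" URL kinds and the sample manifest are assumptions.

```typescript
// Added example, not the project's own code: enforces the "HTTPS manifest
// and .mrpack URLs" rule above. Function names and URL kinds are assumptions.
type UrlKind = "manifest" | "mrpack";

// Returns null when the URL is acceptable, otherwise the rejection reason.
export function checkConnectedLibraryUrl(raw: string, kind: UrlKind): string | null {
  // Parse as an absolute URL; relative paths and junk are rejected outright.
  const url = ((): URL | null => { try { return new URL(raw); } catch { return null; } })();
  if (url === null) return "not a parseable absolute URL";
  // HTTPS only: also rejects file:, data:, javascript: and similar schemes.
  if (url.protocol !== "https:") {
    return `scheme ${url.protocol} is not https:`;
  }
  // Credentials embedded in a URL would leak into logs and the local store.
  if (url.username !== "" || url.password !== "") {
    return "URL must not carry credentials";
  }
  // A pack URL must point at a .mrpack path (case-insensitive), so a manifest
  // cannot steer the downloader at an arbitrary archive type.
  if (kind === "mrpack" && !url.pathname.toLowerCase().endsWith(".mrpack")) {
    return "mrpack URL must end in .mrpack";
  }
  return null;
}

// Constructed sample manifest (not real Modrinth Plus data).
export const SAMPLE_MANIFEST = {
  manifest: "https://library.example.org/packs/index.json",
  files: [
    "https://cdn.example.org/packs/alpha-1.2.0.mrpack",
    "http://cdn.example.org/packs/beta-0.9.0.mrpack", // plain HTTP
    "https://cdn.example.org/packs/gamma-2.0.0.zip", // not a .mrpack
    "https://user:secret@cdn.example.org/packs/delta.mrpack", // credentials
  ],
};

// Validates every URL in a manifest and lists the rejected entries with reasons.
export function rejectedEntries(m: { manifest: string; files: string[] }): string[] {
  const out: string[] = [];
  const why = checkConnectedLibraryUrl(m.manifest, "manifest");
  if (why !== null) out.push(`manifest: ${why}`);
  for (const f of m.files) {
    const r = checkConnectedLibraryUrl(f, "mrpack");
    if (r !== null) out.push(`${f}: ${r}`);
  }
  return out;
}
```

Running `rejectedEntries(SAMPLE_MANIFEST)` flags the HTTP, non-.mrpack and credential-bearing entries and accepts the first pack URL.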

Dependency Review

Commands:

pnpm --filter @modrinth/app-frontend run lint
cargo clippy --package theseus

Result:

Pending successful Gitea Actions run.

Runtime Review

  • Connected Library manifests are stored locally in SQLite.
  • Connected Library auto-update is disabled by default.
  • GITEA_TOKEN is only for local agent API checks, not runtime app use.
  • Full Tauri runtime permission review pending.

Release Notes

Known residual risks:

Connected Library update behavior is conservative and does not yet implement strict removed-file sync.