Conversation
Fixes two findings from the loader audit: 1. Runtime-downloaded dependencies were loaded with no integrity check. DependencyDownloader now verifies every artifact against the strongest checksum the repository publishes (sha512 > sha256 > sha1) before it is written to the local cache and added to the classpath. Fails closed: a mismatch or the absence of any published checksum rejects that repository so resolution falls back to another source (and errors if none can vouch for the artifact). Adds a pure, unit-tested Checksum utility. 3. Jar, checksum, and POM fetches had no connect/read timeouts, so a slow or half-open repository could stall plugin startup. All three now set a 15s connect / 30s read timeout. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01JrkLFxzmmn7BpB9y6vMTeg
Both /enchant execute overloads were gated only by the class-level @Permission("eternalcore.enchant"), so anyone allowed to enchant their own item could also modify other players' held items. Follow the FlyCommand convention: drop the class-level permission and gate each overload individually — eternalcore.enchant for the self variant and eternalcore.enchant.other for the "<player>" variant. Note: servers that previously granted eternalcore.enchant to allow enchanting others must now also grant eternalcore.enchant.other. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01JrkLFxzmmn7BpB9y6vMTeg
…dow-gradle-plugin-9.x' into ver/26.2
…on-4.x' into ver/26.2
…-actions' into ver/26.2
There was a problem hiding this comment.
Code Review
This pull request introduces dependency checksum verification (supporting SHA-512, SHA-256, and SHA-1) during dependency downloads, sets connection and read timeouts for dependency and POM downloads, refactors permission checks in EnchantCommand, and updates several dependencies and plugins. Feedback highlights a potential denial-of-service vulnerability and downgrade attack risk in DependencyDownloader.downloadChecksum due to unbounded stream reading and over-broad exception handling, and suggests utilizing Java's built-in HexFormat in Checksum.java to replace the custom hexadecimal conversion.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Merges all dependency PRs (I think) and #1381 as well as #1382