JonKazama-Hellion/HellionChat
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 28 Wiki Activity
Files
main
HellionChat/docs/THIRD_PARTY_NOTICES.md
T
JonKazama-Hellion 9a8a014795 docs: close active upstream cherry-pick pipeline 
Chat 2 has entered a major rework that Infi confirmed makes selective
patches no longer portable. The cherry-pick pipeline as a routine
workflow stops with the v1.4.x cycle. Documentation reflects the new
state across all touchpoints.

UPSTREAM_SYNC.md rewritten: replaces the "How I Cherry-Pick" /
"Reviewing What Is New Upstream" / "Conflict Handling" sections with
"Why Cherry-Picking Stopped", "What Closing the Pipeline Means in
Practice", "What Does Not Change", "What Could Re-Open Later".
Existing cherry-pick trails in the git history stay intact, EUPL-1.2
anchor lines and NOTICE.md remain canonical.

README.md, CONTRIBUTING.md, ROADMAP.md, THIRD_PARTY_NOTICES.md and
the PR template updated to match: cherry-pick references reframed as
historical or pointed at UPSTREAM_SYNC.md for the current state.
NOTICE.md keeps the BetterTTV cherry-pick example as a concrete past
case but adds a paragraph that the pipeline is closed and clarifies
the attribution standard is preserved unchanged.

PULL_REQUEST_TEMPLATE.md drops the "Upstream cherry-pick from Chat 2"
checkbox and the cherry-pick-path compatibility prompt. The upstream
git remote was already removed locally on 2026-05-08 (separate change,
not in this commit).

No source-file edits, no manifest version bump, no changelog entry —
this is documentation-only and ships with the next release.
2026-05-08 15:00:30 +02:00

4.5 KiB
Raw Permalink Blame History

Third-party notices

HellionChat ships and depends on a number of third-party components. This document lists them, their licences and which of them touch the network. It is the inventory referenced by PRIVACY.md.

Last reviewed: 2026-05-05 (HellionChat v1.1.0).

Direct NuGet dependencies

Pinned in HellionChat/HellionChat.csproj. Versions reflect the v1.1.0 build.

Package Version Licence Network Purpose
MessagePack 3.1.4 MIT no Binary serialisation for the SQLite message store.
Microsoft.Data.Sqlite 10.0.7 MIT no Local SQLite access for the message database.
morelinq 4.4.0 Apache-2.0 no LINQ helper extensions.
Pidgin 3.5.1 MIT no Parser combinator library used for chat-input parsing. CIString Unicode fix relevant for non-ASCII channel/tab names.
SixLabors.ImageSharp 3.1.12 Six Labors Split License 1.0 (OSI-approved; free for open-source / non-commercial use, commercial licence required for closed-source commercial use) no Image decoding for cached emotes.
SQLitePCLRaw.lib.e_sqlite3 3.50.3 MIT no Native SQLite binary, explicitly pinned to override the transitive default for CVE-2025-6965 (memory corruption from aggregate-term overflow) and CVE-2025-7709.

Six Labors note: HellionChat is an EUPL-1.2-licensed open-source project distributed at no cost. Use of ImageSharp 3.x under the Six Labors Split License 1.0 is permitted on that basis. Anyone forking HellionChat for closed-source or commercial redistribution should review the Six Labors licence terms and obtain a commercial licence if required.

SDK and tooling

Component Licence Notes
Dalamud.NET.Sdk 15.0.0 AGPL-3.0 (Dalamud) / SDK terms per goatcorp Plugin SDK; pulls in DalamudPackager 15.0.0.
.NET 10 SDK MIT Build toolchain.

Bundled assets

Asset Licence Source
Exo 2 (HellionFont.ttf) SIL Open Font License 1.1 Google Fonts / Natanael Gama. The OFL licence text travels embedded next to the font (HellionFont-OFL.txt) to satisfy the "licence must be distributed with the font" clause.
Hellion plugin icon (images/icon.png) © Hellion Media, included under the project licence (EUPL-1.2). Original artwork.

Upstream code

HellionChat is a fork of Chat 2 by Infiziert90 (Infi) and Anna Clemens, also licensed under EUPL-1.2. The bulk of the code, including the message store architecture, the channel logic, the hook system and the ImGui chat window, originates from upstream. See ../NOTICE.md for the attribution; UPSTREAM_SYNC.md documents the upstream-sync history, including the close of active cherry-picking in the v1.4.x cycle.

Components that touch the network

Of everything listed above, none of the bundled or NuGet components opens network connections on their own. All outbound traffic is initiated explicitly by HellionChat's own source files and is documented in PRIVACY.md under "Outbound network calls":

  • HellionChat/EmoteCache.cs → BetterTTV API + CDN (opt-out via setting)

The earlier Square Enix Lodestone font download (FontManager.cs) was removed in v1.0.4 — it was a leftover from upstream's removed webinterface feature and was no longer consumed.

Verifying this list

To regenerate the dependency inventory after a version bump:

dotnet list HellionChat.sln package --include-transitive

The "direct NuGet dependencies" table above only lists direct references. Transitive dependencies pulled in by Dalamud SDK or by the listed packages are covered by the SDK / package licences and documented by their respective maintainers.

To re-audit the network-call inventory:

grep -rn -E "HttpClient|HttpRequest|new Uri\(|https?://" \
  --include="*.cs" HellionChat/

Any new hit that is not a click-through (Util.OpenLink) or a payload-parsing call must be added to PRIVACY.md before release.

Reference in New Issue View Git Blame Copy Permalink