JonKazama-Hellion/HellionChat
1
0
Fork 0
Code Issues 1 Pull Requests Actions Releases 28 Activity
Files
4d54eabdacab2149f607776a6f111500810cd9b4
HellionChat/docs/THIRD_PARTY_NOTICES.md
T
JonKazama-Hellion 4d54eabdac chore: code quality sweep 2026-05-04 / 2026-05-05 
General code-quality and robustness pass across the plugin: thread-
safety on IPC state, resource-disposal cleanups, input validation,
defensive null-checks and a few small UX glitches. Compliance docs
(THIRD_PARTY_NOTICES, PRIVACY, COPYRIGHT) refreshed to v1.0.3.

Highlights
- ExtraChat IPC state synchronised across threads
- ChatLogWindow autocomplete no longer leaks the unmanaged
  ImGuiListClipper allocation
- ChatLogWindow + Popout style stack stays balanced when config
  toggles mid-frame
- Retention sweep and privacy cleanup wait for the actual filter
  pass instead of the fire-and-forget Task that started it
- Configuration.LatestVersion bumped to 13 to match the active
  migration path
- GameFunctions placeholder buffer guarded against oversized
  replacement names
- TellTarget.IsSet, ResolveTempInputChannel, InputPreview, IconUtil,
  Lender, Payloads, ExtraPayload all hardened against null / empty /
  EOF / cycle inputs
- FontManager Lodestone download stays in scope for a follow-up
  (timeout + lazy init pending)
- AutoTranslate replaced the msvcrt.dll memcmp P/Invoke with a
  managed Span comparison
- Privacy cleanup worker thread marked IsBackground = true
- Database cleanup now removes both legacy files in one click
- Tell-target name redacted in the verbose debug log

Compliance
- THIRD_PARTY_NOTICES: last-reviewed bumped to v1.0.3, Pidgin 3.5.1,
  SQLitePCLRaw.lib.e_sqlite3 3.50.3 listed as direct dependency with
  CVE-2025-6965 / CVE-2025-7709 rationale
- PRIVACY: last-reviewed bumped to v1.0.3, BetterTTV trigger wording
  clarified (list fetch at startup vs. on-demand image fetch)
- COPYRIGHT: upstream attribution range widened

Build: 0 warnings, 0 errors. No behavioural changes that would alter
existing user configuration or stored chat history.
2026-05-05 07:28:12 +02:00

4.3 KiB
Raw Blame History

Third-party notices

HellionChat ships and depends on a number of third-party components. This document lists them, their licences and which of them touch the network. It is the inventory referenced by PRIVACY.md.

Last reviewed: 2026-05-05 (HellionChat v1.0.3).

Direct NuGet dependencies

Pinned in HellionChat/HellionChat.csproj. Versions reflect the v1.0.3 build.

Package Version Licence Network Purpose
MessagePack 3.1.4 MIT no Binary serialisation for the SQLite message store.
Microsoft.Data.Sqlite 10.0.7 MIT no Local SQLite access for the message database.
morelinq 4.4.0 Apache-2.0 no LINQ helper extensions.
Pidgin 3.5.1 MIT no Parser combinator library used for chat-input parsing. CIString Unicode fix relevant for non-ASCII channel/tab names.
SixLabors.ImageSharp 3.1.12 Six Labors Split License 1.0 (OSI-approved; free for open-source / non-commercial use, commercial licence required for closed-source commercial use) no Image decoding for cached emotes.
SQLitePCLRaw.lib.e_sqlite3 3.50.3 MIT no Native SQLite binary, explicitly pinned to override the transitive default for CVE-2025-6965 (memory corruption from aggregate-term overflow) and CVE-2025-7709.

Six Labors note: HellionChat is an EUPL-1.2-licensed open-source project distributed at no cost. Use of ImageSharp 3.x under the Six Labors Split License 1.0 is permitted on that basis. Anyone forking HellionChat for closed-source or commercial redistribution should review the Six Labors licence terms and obtain a commercial licence if required.

SDK and tooling

Component Licence Notes
Dalamud.NET.Sdk 15.0.0 AGPL-3.0 (Dalamud) / SDK terms per goatcorp Plugin SDK; pulls in DalamudPackager 15.0.0.
.NET 10 SDK MIT Build toolchain.

Bundled assets

Asset Licence Source
Exo 2 (HellionFont.ttf) SIL Open Font License 1.1 Google Fonts / Natanael Gama. The OFL licence text travels embedded next to the font (HellionFont-OFL.txt) to satisfy the "licence must be distributed with the font" clause.
Hellion plugin icon (images/icon.png) © Hellion Media, included under the project licence (EUPL-1.2). Original artwork.

Upstream code

HellionChat is a fork of Chat 2 by Infiziert90 (Infi) and Anna Clemens, also licensed under EUPL-1.2. The bulk of the code, including the message store architecture, the channel logic, the hook system and the ImGui chat window, originates from upstream. See ../NOTICE.md and UPSTREAM_SYNC.md for the attribution and the cherry-pick policy.

Components that touch the network

Of everything listed above, none of the bundled or NuGet components opens network connections on their own. All outbound traffic is initiated explicitly by HellionChat's own source files and is documented in PRIVACY.md under "Outbound network calls":

  • HellionChat/EmoteCache.cs → BetterTTV API + CDN (opt-out via setting)
  • HellionChat/FontManager.cs → Square Enix Lodestone font CDN (one-time download)

Verifying this list

To regenerate the dependency inventory after a version bump:

dotnet list HellionChat.sln package --include-transitive

The "direct NuGet dependencies" table above only lists direct references. Transitive dependencies pulled in by Dalamud SDK or by the listed packages are covered by the SDK / package licences and documented by their respective maintainers.

To re-audit the network-call inventory:

grep -rn -E "HttpClient|HttpRequest|new Uri\(|https?://" \
  --include="*.cs" HellionChat/

Any new hit that is not a click-through (Util.OpenLink) or a payload-parsing call must be added to PRIVACY.md before release.

Reference in New Issue View Git Blame Copy Permalink