JonKazama-Hellion/HellionChat
1
0
Fork 0
Code Issues Pull Requests Actions Releases 28 Activity
Files
53952717c0838ec470f425ad226a60615a588519
HellionChat/docs/THIRD_PARTY_NOTICES.md
T
JonKazama-Hellion 8db3eca46c chore(fontmanager): drop unused Lodestone font download 
The FontManager constructor downloaded FFXIV_Lodestone_SSF.ttf from
img.finalfantasyxiv.com on first start (or read it from a local
cache) into a GameSymFont byte array. Both historical readers of
that field are gone:

- BuildFonts() used to feed the bytes into AddFontFromMemory; that
  path was replaced by the Dalamud-provided AddGameSymbol helper.
- The upstream webinterface server wrote the bytes through a
  BinaryWriter to serve them to the Svelte frontend; the entire
  webinterface was intentionally removed in HellionChat.

With no live consumer left, the field, the constructor block, the
HttpClient call and the disk cache are all dead code. Removing them:

- eliminates the synchronous HTTP request on the plugin-load thread
  (no more multi-second startup hang on slow networks)
- closes the implicit "no timeout, no size guard" exposure on that
  request
- removes one outbound network endpoint (Square Enix Lodestone CDN)
  from the privacy footprint

PRIVACY.md and THIRD_PARTY_NOTICES.md updated to reflect that
HellionChat now talks to BetterTTV only (opt-out via setting). Cached
TTF files left over from earlier versions stay in pluginConfigs/
HellionChat/ until a user removes them; they are simply no longer
read.

Build: 0 warnings, 0 errors. No behavioural change for users — symbol
glyphs (job icons, item glyphs, status effects) keep rendering through
Dalamud's built-in symbol font.
2026-05-05 07:37:35 +02:00

96 lines
4.4 KiB
Markdown
Raw Blame History

# Third-party notices
HellionChat ships and depends on a number of third-party components.
This document lists them, their licences and which of them touch the
network. It is the inventory referenced by `PRIVACY.md`.
Last reviewed: 2026-05-05 (HellionChat v1.0.3).
---
## Direct NuGet dependencies
Pinned in `HellionChat/HellionChat.csproj`. Versions reflect the v1.0.3 build.
| Package | Version | Licence | Network | Purpose |
| --- | --- | --- | --- | --- |
| [MessagePack](https://github.com/MessagePack-CSharp/MessagePack-CSharp) | 3.1.4 | MIT | no | Binary serialisation for the SQLite message store. |
| [Microsoft.Data.Sqlite](https://learn.microsoft.com/dotnet/standard/data/sqlite/) | 10.0.7 | MIT | no | Local SQLite access for the message database. |
| [morelinq](https://github.com/morelinq/MoreLINQ) | 4.4.0 | Apache-2.0 | no | LINQ helper extensions. |
| [Pidgin](https://github.com/benjamin-hodgson/Pidgin) | 3.5.1 | MIT | no | Parser combinator library used for chat-input parsing. CIString Unicode fix relevant for non-ASCII channel/tab names. |
| [SixLabors.ImageSharp](https://github.com/SixLabors/ImageSharp) | 3.1.12 | [Six Labors Split License 1.0](https://github.com/SixLabors/ImageSharp/blob/main/LICENSE) (OSI-approved; free for open-source / non-commercial use, commercial licence required for closed-source commercial use) | no | Image decoding for cached emotes. |
| [SQLitePCLRaw.lib.e_sqlite3](https://github.com/ericsink/SQLitePCL.raw) | 3.50.3 | MIT | no | Native SQLite binary, explicitly pinned to override the transitive default for CVE-2025-6965 (memory corruption from aggregate-term overflow) and CVE-2025-7709. |
Six Labors note: HellionChat is an EUPL-1.2-licensed open-source
project distributed at no cost. Use of ImageSharp 3.x under the
Six Labors Split License 1.0 is permitted on that basis. Anyone
forking HellionChat for closed-source or commercial redistribution
should review the
[Six Labors licence terms](https://github.com/SixLabors/ImageSharp/blob/main/LICENSE)
and obtain a commercial licence if required.
## SDK and tooling
| Component | Licence | Notes |
| --- | --- | --- |
| [Dalamud.NET.Sdk](https://github.com/goatcorp/Dalamud) 15.0.0 | AGPL-3.0 (Dalamud) / SDK terms per goatcorp | Plugin SDK; pulls in DalamudPackager 15.0.0. |
| [.NET 10 SDK](https://dotnet.microsoft.com/) | MIT | Build toolchain. |
## Bundled assets
| Asset | Licence | Source |
| --- | --- | --- |
| Exo 2 (`HellionFont.ttf`) | SIL Open Font License 1.1 | [Google Fonts / Natanael Gama](https://fonts.google.com/specimen/Exo+2). The OFL licence text travels embedded next to the font (`HellionFont-OFL.txt`) to satisfy the "licence must be distributed with the font" clause. |
| Hellion plugin icon (`images/icon.png`) | © Hellion Media, included under the project licence (EUPL-1.2). | Original artwork. |
---
## Upstream code
HellionChat is a fork of [Chat 2](https://github.com/Infiziert90/ChatTwo)
by Infiziert90 (Infi) and Anna Clemens, also licensed under EUPL-1.2.
The bulk of the code, including the message store architecture, the
channel logic, the hook system and the ImGui chat window, originates
from upstream. See `../NOTICE.md` and `UPSTREAM_SYNC.md` for the
attribution and the cherry-pick policy.
---
## Components that touch the network
Of everything listed above, **none** of the bundled or NuGet
components opens network connections on their own. All outbound
traffic is initiated explicitly by HellionChat's own source files
and is documented in `PRIVACY.md` under "Outbound network calls":
- `HellionChat/EmoteCache.cs` → BetterTTV API + CDN (opt-out via setting)
The earlier Square Enix Lodestone font download (`FontManager.cs`)
was removed in v1.0.4 — it was a leftover from upstream's removed
webinterface feature and was no longer consumed.
---
## Verifying this list
To regenerate the dependency inventory after a version bump:
```bash
dotnet list HellionChat.sln package --include-transitive
```
The "direct NuGet dependencies" table above only lists direct
references. Transitive dependencies pulled in by Dalamud SDK or by
the listed packages are covered by the SDK / package licences and
documented by their respective maintainers.
To re-audit the network-call inventory:
```bash
grep -rn -E "HttpClient|HttpRequest|new Uri\(|https?://" \
--include="*.cs" HellionChat/
```
Any new hit that is not a click-through (`Util.OpenLink`) or a
payload-parsing call must be added to `PRIVACY.md` before release.
Reference in New Issue View Git Blame Copy Permalink