
StormtrooperX

Make ranged mobs miss more - reduce accuracy of Skeletons, Strays, Pillagers, and Piglins


StormtrooperX 1.10.0

Release 15.05.2026

Changelog

What's New

Added

  • Permission-aware tab completion for /stormtrooperx. The first argument completes to only the subcommands the sender may actually run; for optout/optin, the second argument completes to online player names — but only for admins holding stormtrooperx.optout.others. Tab-completion pools are pre-sorted and computed once at startup.
  • /stormtrooperx help lists only the commands the sender has permission to run, so a regular player no longer sees admin-only subcommands they can't use.
  • Idempotent optout and new optin. optout no longer toggles — it always sets opted-out (reporting "already opted out" instead of silently flipping). optin is the symmetric counterpart. toggle is retained for the flip behavior.
  • Admin opt-out management. /stormtrooperx optout|optin <player> lets admins manage opt-out state for any online player, gated by the new stormtrooperx.optout.others permission. The target receives a chat notification of the change.
  • stormtrooperx.admin permission, required for /stormtrooperx reload and granting stormtrooperx.optout.others via permission children. The previous setup had no clean "give one player everything" knob.
  • Join-time opt-out reminder. When an opted-out player's state finishes loading from the database, they get a one-shot chat message confirming the status.
  • PlaceholderAPI soft dependency. When PlaceholderAPI is present, %stormtrooperx_optout% resolves to true/false for the requesting player. The expansion persists across /papi reload. PAPI is a soft dependency only — the plugin loads and runs identically without it.

Changed

  • Projectile math extracted. The speed-preserving direction perturbation now lives in a package-private ProjectileNerf.perturb(Vector, double, Supplier<Vector>) with an injectable random source, making the pure-math invariants directly unit-testable without event mocking. Runtime behavior is unchanged.
  • stormtrooperx.use default flipped from op to true so non-op players can actually reach /stormtrooperx optout (itself default: true). The old default made the public opt-out command unreachable for the audience it was meant for.
  • Ignores cancelled EntityShootBowEvent. onBowShoot now declares @EventHandler(ignoreCancelled = true) — if an upstream plugin cancels the shoot event, we no longer perturb the (cancelled) projectile's velocity.
  • HikariCP MySQL pool sets the Connector/J performance properties from the HikariCP wiki: useServerPrepStmts, useLocalSessionState, rewriteBatchedStatements, cacheResultSetMetadata, cacheServerConfiguration, elideSetAutoCommits, maintainTimeStats=false. No config change needed.
  • Hot-path micro-optimizations in onBowShoot: lengthSquared() for the zero-velocity guard, cached projectile and isH2 references, pattern-matching instanceof.

Fixed

  • Folia regional-thread safety on /stormtrooperx reload. entityConfigs and debug are now volatile, and loadConfiguration publishes a freshly-built EnumMap in a single reference write instead of mutating the live map. The old code could expose a partially populated map to a regional EntityShootBowEvent thread during a reload.
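
The publication pattern described in this fix, as an added example (not the plugin's own code): the reload path builds a private EnumMap and publishes it through a volatile field in one reference write, and the event path reads that field once. MobType, MobConfig and the method names are hypothetical stand-ins for the Bukkit and plugin types.

```java
import java.util.Collections;
import java.util.EnumMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

public class ConfigPublishDemo {
    // Stand-in for Bukkit's EntityType so the example compiles without the server API.
    enum MobType { SKELETON, STRAY, PILLAGER, PIGLIN }
    // Hypothetical per-mob settings; the plugin's own config class is not shown on the page.
    record MobConfig(boolean enabled, double accuracy) {}

    // volatile: the reference write in reload() happens-before any later read of the field,
    // so a reader gets either the old complete map or the new complete map.
    private volatile Map<MobType, MobConfig> entityConfigs = Map.of();

    /** Reload path: build a private map, then publish it with one reference write. */
    void reload(double skeleton, double pillager) {
        EnumMap<MobType, MobConfig> fresh = new EnumMap<>(MobType.class);
        fresh.put(MobType.SKELETON, new MobConfig(true, skeleton));
        fresh.put(MobType.PILLAGER, new MobConfig(true, pillager));
        entityConfigs = Collections.unmodifiableMap(fresh); // never mutated after publication
    }

    /** Event path: read the field once and work only on that snapshot. */
    double[] accuracies() {
        Map<MobType, MobConfig> snapshot = entityConfigs;
        return new double[] { snapshot.get(MobType.SKELETON).accuracy(),
                              snapshot.get(MobType.PILLAGER).accuracy() };
    }

    public static void main(String[] args) throws InterruptedException {
        ConfigPublishDemo demo = new ConfigPublishDemo();
        demo.reload(0.5, 0.5);
        AtomicInteger torn = new AtomicInteger();
        Thread reader = new Thread(() -> {
            for (int i = 0; i < 1_000_000; i++) {
                double[] a = demo.accuracies();
                if (a[0] != a[1]) torn.incrementAndGet(); // values from two different reloads
            }
        });
        reader.start();
        for (int i = 0; i < 100_000; i++) {
            double v = (i % 2 == 0) ? 0.3 : 0.5;
            demo.reload(v, v); // each reload sets both mobs to the same value
        }
        reader.join();
        System.out.println("mixed snapshots observed: " + torn.get());
    }
}
```

Mutating the live map in place (clear, then put) is the pattern this replaces: a reader running between the two steps would find a missing or stale entry.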

Security

  • CWE-117 log injection — release tags. Closed log-injection vectors in UpdateChecker. GitHub release tags pass a validateReleaseTag barrier (^v?\d+(\.\d+){0,3}(-++)?$) before reaching any logger or version compare; malformed tags are dropped at the source.
  • CWE-117 log injection — sink-side allowlist. A new sanitizeForLog helper reduces logged version strings at the sink to [A-Za-z0-9._+-] via a negated-character-class replaceAll — the form CodeQL recognizes as a sanitizer (a [\r\n] denylist does not satisfy java/log-injection).
  • JDBC parameter smuggling. DatabaseManager now validates the MySQL properties map against an explicit allowlist (SAFE_MYSQL_PROPERTY_KEYS) and URL-encodes values. Unsupported keys throw IllegalArgumentException at initialize(). This closes a parameter-smuggling vector that could otherwise enable high-risk Connector/J flags (allowLoadLocalInfile, autoDeserialize, queryInterceptors, …) with RCE / file-read history.
  • Defense-in-depth Connector/J defaults. Even with the allowlist, dataSourceProperties forces allowLoadLocalInfile=false, allowUrlInLocalInfile=false, autoDeserialize=false, and allowPublicKeyRetrieval=false at the HikariCP layer.
  • Chat-injection echo. Player names echoed by the offline branch of /stormtrooperx optout|optin <player> are run through a new sanitizeNameForEcho (strips control chars and §, caps at 16 chars), closing a low-severity chat-injection vector on offline-mode servers.
  • AssertJ pinned to 3.27.7 (test-scope), clear of CVE-2026-24400 (GHSA-rqfh-9r24-8c9r — XXE in the unused isXmlEqualTo).
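
A source-side barrier combined with a sink-side allowlist, as described in the two CWE-117 items above. This is an added example, not the plugin's UpdateChecker code. The version core of the pattern follows the page; the pre-release suffix class is this example's assumption, and the inputs are constructed.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

public class ReleaseTagLoggingDemo {
    // Assumed pattern: the suffix class [A-Za-z0-9.]+ is this example's choice,
    // not the project's regex.
    private static final Pattern RELEASE_TAG =
            Pattern.compile("^v?\\d+(\\.\\d+){0,3}(-[A-Za-z0-9.]+)?$");

    /** Source-side barrier: a tag that fails the pattern never reaches a logger or a compare. */
    static Optional<String> validateReleaseTag(String tag) {
        // matches() must consume the whole input; find() would accept "v1.10.0\n"
        // because '$' also matches just before a trailing line terminator.
        if (tag == null || !RELEASE_TAG.matcher(tag).matches()) return Optional.empty();
        return Optional.of(tag);
    }

    /** Sink-side allowlist: a negated character class, everything outside it is deleted. */
    static String sanitizeForLog(String value) {
        return value == null ? "" : value.replaceAll("[^A-Za-z0-9._+-]", "");
    }

    public static void main(String[] args) {
        // Constructed inputs: two well-formed tags, one with a trailing newline,
        // and one carrying a forged second log line.
        List<String> tags = List.of("v1.10.0", "1.10.0-rc.1", "v1.10.0\n",
                "v1.10.0\n[12:00:00 INFO]: Opped Steve");
        for (String tag : tags) {
            String shown = sanitizeForLog(tag); // safe to print even when the tag is rejected
            System.out.println(validateReleaseTag(tag).isPresent()
                    ? "accepted tag " + shown
                    : "dropped malformed tag (sanitized: " + shown + ")");
        }
    }
}
```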
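
A key allowlist with URL-encoded values, the approach the JDBC parameter smuggling item describes, as an added example (not the plugin's DatabaseManager). The page names SAFE_MYSQL_PROPERTY_KEYS without listing its contents, so the keys below are assumed; buildUrl, the host and the database name are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

public class JdbcUrlBuilderDemo {
    // Assumed contents: the page names SAFE_MYSQL_PROPERTY_KEYS but does not list its keys.
    static final Set<String> SAFE_MYSQL_PROPERTY_KEYS =
            Set.of("useSSL", "serverTimezone", "characterEncoding", "connectTimeout");

    /** Builds a MySQL JDBC URL, rejecting unknown keys and URL-encoding every value. */
    static String buildUrl(String host, int port, String db, Map<String, String> props) {
        StringJoiner query = new StringJoiner("&");
        for (Map.Entry<String, String> e : props.entrySet()) {
            if (!SAFE_MYSQL_PROPERTY_KEYS.contains(e.getKey())) {
                throw new IllegalArgumentException("Unsupported MySQL property: " + e.getKey());
            }
            // Encoding turns '&' and '=' inside a value into %26 and %3D, so a value
            // cannot end its own parameter and start a new one.
            query.add(e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        String base = "jdbc:mysql://" + host + ":" + port + "/" + db;
        return query.length() == 0 ? base : base + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed config: an allowlisted key whose value tries to append a second parameter.
        Map<String, String> smuggled = new LinkedHashMap<>();
        smuggled.put("characterEncoding", "utf8&allowLoadLocalInfile=true");
        System.out.println(buildUrl("db.example.invalid", 3306, "stormtrooperx", smuggled));

        // Constructed config: a high-risk key supplied directly is refused when the URL is built.
        try {
            buildUrl("db.example.invalid", 3306, "stormtrooperx", Map.of("autoDeserialize", "true"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Plain string concatenation of the first config would produce a URL with allowLoadLocalInfile=true as its own parameter; with encoding it stays inside the characterEncoding value.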

Build

  • CycloneDX SBOM. Added cyclonedx-maven-plugin on the verify phase; release.yml uploads bom.xml/bom.json alongside the JAR.
  • release.yml actions pinned to commit SHAs (with # vX.Y.Z trailers) instead of mutable major tags — the release job holds id-token / attestations: write scope. Dependabot keeps the pins current.

Tests

  • AssertJ added. Migrated assertions to fluent assertThat(...) style for richer failure messages. Mockito 5.x + JUnit Jupiter 6.x stack is unchanged.
  • Branch-coverage gate. Jacoco now enforces BRANCH COVEREDRATIO >= 0.50 per package alongside the existing 0.60 line-coverage rule. Current: 72% line / 75% branch.
  • CI runs mvn clean verify instead of package, so the Jacoco gate (bound to verify) is enforced in CI — not just locally.
  • Shared test infrastructure. New support/ test package: TestSupport (reflective field/method access) and InlinePluginScheduler (shared inline scheduler), replacing duplicated boilerplate across test classes.
  • YAML fixtures under src/test/resources/fixtures/ (config-v2.yml, config-v3.yml); ConfigMigrationTest exercises real-load → migrate → assert instead of synthetic YamlConfiguration objects.
  • New ProjectileNerfTest for the extracted pure function — speed preservation, zero-velocity guard, mutation semantics, accuracy clamping. Plus expanded UpdateCheckerTest covering validateReleaseTag accept/reject sets.

Dependencies

  • Bumped me.clip:placeholderapi from 2.11.6 to 2.12.2 (provided scope, soft dependency — not shaded into the JAR).

Documentation

  • OptOutManager#isOptedOut, StormtrooperXExpansion, and the README PlaceholderAPI section all document the online-only semantics of %stormtrooperx_optout%: offline players resolve to false regardless of persisted state.
  • DatabaseManager.initializeH2 Javadoc now warns against enabling AUTO_SERVER=TRUE / H2 server mode without revisiting the hardcoded sa/empty credentials.

Upgrade Notes

If upgrading from 1.9.x:

  • Behavior change — /stormtrooperx optout. Previously toggled; now it always sets opted-out. Use /stormtrooperx toggle for the old flip behavior. If you bind macros or scripts to the command, this is a one-line update.
  • Permission default change — stormtrooperx.use. Default flipped from op to true so the optout subcommand (always default: true) is reachable for the intended audience. Servers using a permissions plugin that explicitly granted stormtrooperx.use to non-ops are unaffected; servers relying on the old default should explicitly deny stormtrooperx.use to revert.
  • New permissions to wire up (admins): stormtrooperx.admin (grants reload and optout.others via children) and stormtrooperx.optout.others (grants admin opt-out commands for other players). Both default to op.
  • PlaceholderAPI is optional. To use %stormtrooperx_optout%, install PlaceholderAPI; no config change required.
  • Config: No schema change. config-version: 3 continues to apply, no migration runs on upgrade.

Server compatibility: Unchanged — Spigot, Paper, Purpur, and Folia 1.20.4+, on Minecraft 1.18 through 26.1.x, Java 17+.

JAR verification: Built and attested via GitHub Actions with Sigstore. Verify with gh attestation verify StormtrooperX-1.10.0.jar --repo GooberCraft/StormtrooperX (requires gh 2.43.0+).

Files

StormtrooperX-1.10.0.jar (7.35 MiB)
Primary

Metadata

Release channel

Release

Version number

1.10.0

Loaders

Bukkit
Paper
Purpur
Spigot

Game versions

1.18–26.1.2

Downloads

17

Publication date

15.05.2026
