AttackIndicator v2.4
Reliability, performance, and security pass over the 2.3 codebase. Drop-in upgrade — no config migration required (new keys fall back to safe defaults).
✨ New
- Active-indicator cap — new performance.max-active-indicators (default 200, 0 = unlimited). Bounds spawned entities and per-tick animation tasks during heavy damage bursts (e.g. AoE) to protect server TPS. The cap is enforced at spawn time, so even a same-tick burst cannot overshoot it.
- random-offset.y is now exposed in config.yml (the value was already used internally; it is now documented and editable).
🛡️ Reliability & Security
- Crash-safe indicators — indicator entities are now spawned with setPersistent(false) on 1.13+, so a server crash or chunk unload can no longer leave orphaned armor stands / text displays behind. Gracefully degrades on 1.8–1.12 where the API is absent.
- Hardened MiniMessage (1.19.4+) — only formatting tags (colors, hex, gradients, decorations) are honored in indicator-format. Interactive tags (<click>, <hover>, <insertion>) are disabled so a format string can never inject clickable links or hover payloads.
- Update checker hardening — the Modrinth response is now size-bounded (1 MB) and the User-Agent correctly reports the running version.
- Safer language loading — the language config value is sanitized (no path traversal), and an unknown/un-bundled code falls back to English instead of failing plugin startup.
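A format-only MiniMessage parser of the kind the hardening item above describes, as an added example (not AttackIndicator's own code). It assumes Adventure MiniMessage 4.x on the classpath; the class name, method names and the sample format string are hypothetical.

```java
import net.kyori.adventure.text.Component;
import net.kyori.adventure.text.minimessage.MiniMessage;
import net.kyori.adventure.text.minimessage.tag.resolver.TagResolver;
import net.kyori.adventure.text.minimessage.tag.standard.StandardTags;

public final class FormatOnlyMiniMessage {

    // Allowlist of tag resolvers. MiniMessage.miniMessage() uses
    // StandardTags.defaults(), which also resolves click, hover and insertion.
    private static final MiniMessage FORMAT_ONLY = MiniMessage.builder()
            .tags(TagResolver.resolver(
                    StandardTags.color(),         // named colors and <#rrggbb>
                    StandardTags.gradient(),
                    StandardTags.decorations()))  // bold, italic, underlined, ...
            .build();

    // Parses a format string (hypothetical helper). Tags that have no
    // resolver are not interpreted and remain in the output as literal text.
    static Component render(String format) {
        return FORMAT_ONLY.deserialize(format);
    }

    // True if any node in the component tree carries an interactive style.
    static boolean isInteractive(Component c) {
        if (c.clickEvent() != null || c.hoverEvent() != null || c.insertion() != null) {
            return true;
        }
        for (Component child : c.children()) {
            if (isInteractive(child)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed format string mixing allowed and disallowed tags.
        String format = "<red><bold><click:open_url:'https://example.invalid'>"
                + "<hover:show_text:'x'>-12.5</hover></click>";
        Component restricted = render(format);
        Component permissive = MiniMessage.miniMessage().deserialize(format);

        System.out.println("restricted interactive: " + isInteractive(restricted));
        System.out.println("permissive interactive: " + isInteractive(permissive));
    }
}
```

Running the same string through both parsers makes the difference checkable in a unit test: the allowlisted instance must never yield a component with a click event, hover event or insertion.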
🧹 Internal
- Null-guarded command registration.
- Aligned config defaults with config.yml; renamed internal Y-offset accessor for axis symmetry; minor cleanups.
- README rewritten: technical overview, version/renderer matrix, command & permission tables, full config reference, architecture diagram, and build instructions.
Compatibility: Paper / Spigot, Minecraft 1.8 → 1.21+ (renderer auto-selected per version).
Build: mvn clean package (JDK 17+ toolchain; output targets Java 8 bytecode).