Reject unsafe PAK stem values in imported and P2P-received profiles, closing a path traversal (zip slip) that could write arbitrary files outside the mods folder.
Contain every materialized mod write to its target directory with a lexical containment guard, so no mod field can escape the Paks or UE4SS Mods folder.
Bound P2P handshake and manifest frame sizes before authentication, preventing unauthenticated peers from triggering huge allocations.
Cap received file sizes on the P2P transfer path.
All downloads are now HTTPS-only, including across redirects, preventing on-path downgrade attacks.
Verify the downloaded UE4SS archive against the SHA-256 digest GitHub reports before installing.
Cap the multithreaded LZMA decoder's memory at 1 GiB so a crafted stream cannot exhaust memory.
Only open http and https URLs in the browser; never hand other schemes to the shell.
Reject NTFS alternate-data-stream paths in shared profile file names.
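The stem rejection, lexical containment guard and alternate-data-stream check listed above can be sketched as follows. This is an added example, not the project's own code: the function names, the ".pak" suffix handling and the "/mods/Paks" root are assumptions made for illustration.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Hypothetical helper: accept only a bare file-name stem from an untrusted profile.
bool isSafeStem(std::string_view stem) {
    if (stem.empty() || stem == "." || stem == "..") return false;
    for (unsigned char c : stem) {
        // '/' and '\\' allow traversal; ':' covers drive prefixes and NTFS
        // alternate data streams ("name:stream"); control bytes are never valid.
        if (c == '/' || c == '\\' || c == ':' || c < 0x20) return false;
    }
    // Windows strips trailing dots and spaces, so "x." and "x" would collide.
    return stem.back() != '.' && stem.back() != ' ';
}

// Lexical containment guard: normalise root/rel without touching the disk and
// accept the result only if it is strictly below root. Comparing path
// components (not string prefixes) keeps "Paks2" from passing as "Paks".
// Being lexical, it does not resolve symlinks or junctions.
std::optional<fs::path> containedPath(const fs::path& root, const fs::path& rel) {
    if (rel.empty() || rel.is_absolute() || rel.has_root_name()) return std::nullopt;
    const fs::path base = root.lexically_normal();
    const fs::path full = (base / rel).lexically_normal();
    const fs::path back = full.lexically_relative(base);
    if (back.empty() || back == fs::path(".")) return std::nullopt;
    if (*back.begin() == fs::path("..")) return std::nullopt;
    return full;
}

// Hypothetical write-path entry point: both checks must pass before any write.
std::optional<fs::path> pakTarget(const fs::path& root, std::string_view stem) {
    if (!isSafeStem(stem)) return std::nullopt;
    return containedPath(root, std::string(stem) + ".pak");
}

int main() {
    // Constructed sample stems, as they might arrive in a shared profile.
    for (std::string_view s : {"500-CoolMod_P", "../../evil", "..\\..\\evil", "mod:hidden"}) {
        const auto p = pakTarget("/mods/Paks", s);
        std::cout << s << " -> " << (p ? p->generic_string() : "rejected") << '\n';
    }
}
```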
Changed
HTTP and download requests now abort after 30 seconds of stalled transfer instead of hanging.
Duplicating a profile now copies compressed blobs directly instead of decompressing and recompressing, making large profile duplication much faster.
VFS commit reuses a single file handle for all on-disk reads instead of reopening per entry.
Toggling multiple mods at once now batches all toggles in a single frame.
SN2ModSettings dependency scan skips non-Lua mods and searches bytes in place, reducing startup time.
VFS entry lookup uses a hash map instead of a sorted tree.
Per-frame search, conflict detection, and row-key formatting are cached or allocation-free.
Deduplicated trim, lowerExt, and isPakSibling utilities into core/Paths.
Unified BundleModKind and ModType into a single ModKind enum.
Extracted shared PAK renumbering logic into ProfileStore::shiftPaksDown.
Config values are clamped and normalized on load.
Read-only string parameters across core and platform layers now take std::string_view instead of const std::string&, eliminating unnecessary heap allocations for callers passing literals or substrings.
Fixed
Fix an integer overflow in the Data.dat index bounds check that a crafted store could slip past.
Make the Data.dat commit key its rewritten offsets by entry path instead of iteration position, removing a latent index-corruption hazard.
The Delete-key "Confirm Uninstall" dialog now actually opens (it was created in the wrong UI scope).
Generating a connection key no longer freezes the window while the firewall rule is created.
Warn when a PAK mod's companion files could not be copied during install.
Install PAK and UE4SS mods in a stable, sorted order so load-order numbering no longer varies by machine.
Warn when enabled PAK mods share the same pak name or enabled UE4SS mods target the same Mods folder.
Reject out-of-range octets when validating a typed or detected IPv4 address.
Serialize all profile-store access with a recursive mutex so a P2P receive or import worker can no longer race the UI thread and corrupt the in-memory library.