chore(whatsnew): announce fastly.jsdelivr.net mirror#599
Conversation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
rainxchzed has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (13)
✅ Files skipped from review due to trivial changes (10)
🚧 Files skipped from review as they are similar to previous changes (2)
WalkthroughAdds a second "NEW" bullet to version 18 changelog files across locales announcing fastly.jsdelivr.net as a community mirror to use when GitHub access is restricted. ChangesChangelog Localization Update
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
core/presentation/src/commonMain/composeResources/files/whatsnew/18.json (1)
10-11: ⚡ Quick winTerminology inconsistency across language files: English uses "throttled" while other variants use "limited/restricted".
The English version (lines 10-11) uses "throttled" to describe GitHub access issues, but the 12 language variants—Korean, Polish, Turkish, Simplified Chinese, Hindi, Russian, Japanese, Italian, French, Arabic, Spanish, and Bengali—use semantically similar but distinctly different terminology such as "limited," "restricted," or "constrained." While all convey that GitHub access is impaired, the inconsistency may create subtle differences in tone or specificity across locales. Consider standardizing to ensure consistent messaging for all users, whether by updating non-English files to match "throttled" (or its closest equivalent) or by aligning English with the more general "limited/restricted" terminology used elsewhere.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@core/presentation/src/commonMain/composeResources/files/whatsnew/18.json` around lines 10 - 11, The English whatsnew entry uses the term "throttled" in the second sentence ("Two new community mirrors — fastgit.cc and fastly.jsdelivr.net. Useful when GitHub is throttled."), while other locale variants use "limited/restricted"; pick a single standard term (either "throttled" or the more general "limited/restricted") and update all locale JSON entries to use that term consistently; locate the JSON entries containing the sentence about community mirrors (the string including "fastgit.cc" and "fastly.jsdelivr.net") and replace the differing translation of the final word with the chosen standardized equivalent, ensuring translators provide an accurate localized word for the chosen English term.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@core/presentation/src/commonMain/composeResources/files/whatsnew/18.json`:
- Line 11: Replace the unsafe mirror recommendation string "Two new community
mirrors — fastgit.cc and fastly.jsdelivr.net. Useful when GitHub is throttled."
in whatsnew/18.json with a verified, official recommendation: remove references
to fastgit.cc and fastly.jsdelivr.net and instead mention only officially
supported endpoints (e.g., use cdn.jsdelivr.net for jsDelivr) and add a short
note to verify mirrors against the upstream project before recommending them;
update the JSON entry accordingly.
In `@core/presentation/src/commonMain/composeResources/files/whatsnew/ko/18.json`:
- Line 11: Update the Korean copy string that currently reads "새 커뮤니티 미러 2 개 —
fastgit.cc 와 fastly.jsdelivr.net. GitHub 가 제한될 때 유용." by tightening Korean
spacing: change "2 개" to "2개" and "GitHub 가" to "GitHub가" so the final string
reads "새 커뮤니티 미러 2개 — fastgit.cc 와 fastly.jsdelivr.net. GitHub가 제한될 때 유용."
---
Nitpick comments:
In `@core/presentation/src/commonMain/composeResources/files/whatsnew/18.json`:
- Around line 10-11: The English whatsnew entry uses the term "throttled" in the
second sentence ("Two new community mirrors — fastgit.cc and
fastly.jsdelivr.net. Useful when GitHub is throttled."), while other locale
variants use "limited/restricted"; pick a single standard term (either
"throttled" or the more general "limited/restricted") and update all locale JSON
entries to use that term consistently; locate the JSON entries containing the
sentence about community mirrors (the string including "fastgit.cc" and
"fastly.jsdelivr.net") and replace the differing translation of the final word
with the chosen standardized equivalent, ensuring translators provide an
accurate localized word for the chosen English term.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: dd9b98c6-14bd-43ad-b1b2-d64596814d6a
📒 Files selected for processing (13)
core/presentation/src/commonMain/composeResources/files/whatsnew/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/ar/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/bn/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/es/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/fr/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/hi/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/it/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/ja/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/ko/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/pl/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/ru/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/tr/18.jsoncore/presentation/src/commonMain/composeResources/files/whatsnew/zh-CN/18.json
| "bullets": [ | ||
| "macOS install via Homebrew — `brew install --cask github-store` from our new tap." | ||
| "macOS install via Homebrew — `brew install --cask github-store` from our new tap.", | ||
| "Two new community mirrors — fastgit.cc and fastly.jsdelivr.net. Useful when GitHub is throttled." |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if the mirror domains are accessible
echo "=== Checking fastgit.cc ==="
curl -I -L --connect-timeout 10 https://fastgit.cc 2>&1 | head -20
echo -e "\n=== Checking fastly.jsdelivr.net ==="
curl -I -L --connect-timeout 10 https://fastly.jsdelivr.net 2>&1 | head -20
echo -e "\n=== Checking GitHub for any official mirror documentation ==="
rg -i "fastgit|jsdelivr" README.md docs/ --type md -C 2 2>/dev/null || echo "No existing documentation found"Repository: OpenHub-Store/GitHub-Store
Length of output: 2716
🌐 Web query:
Are fastgit.cc and jsdelivr.net legitimate and trusted GitHub mirror services used by the developer community?
💡 Result:
Fastgit.cc: Not enough evidence to treat fastgit.cc as a widely trusted, “developer-community” standard mirror. Publicly, FastGit is referenced mainly via other domains (e.g., fastgit.org / fastgitorg repositories) and the fastgit “mirror acceleration” concept is described in third-party/community repos, not as an official GitHub-supported mirror. One community note also says the original FastGit domain became blocked/inaccessible and suggests alternate mirrors, which is a sign that reliability/trust is fragmented rather than centralized [1]. jsDelivr.net: “jsdelivr.net” (with the net TLD) is not the legitimate jsDelivr CDN domain. jsDelivr’s official root endpoint is https://cdn.jsdelivr.net per their documentation, and the jsDelivr codebase/docs are hosted under jsdelivr/jsdelivr with homepage https://www.jsdelivr.com (and related docs pages) [2][3][4]. In the jsdelivr/jsdelivr repository, maintainers explicitly discuss an impersonation of “cdn.jsdeliver.net” that appends malicious content, stating they don’t control that domain and that it was/was not the official jsDelivr-controlled domain [5]. This means using jsdelivr.net (or similar typos) is risky and should not be considered trusted by default. Bottom line: - fastgit.cc: There isn’t strong, source-backed evidence that fastgit.cc itself is a trusted, community-endorsed mirror; FastGit appears as a third-party mirror idea with varying domains/mirrors, including cases where domains become blocked [1][6]. - jsdelivr.net: Do not treat it as a trusted jsDelivr mirror. The trusted/official service is cdn.jsdelivr.net under the jsDelivr project, while jsdelivr.net (and even lookalike domains like cdn.jsdeliver.net) has been reported as impersonation/malicious in jsDelivr’s own issue tracker [2][5]. Recommendation: For safety, use the official endpoint cdn.jsdelivr.net for jsDelivr (not jsdelivr.net). For FastGit-like services, verify the exact domain against known project documentation/repos before using, and consider pinning/validating content hashes or using safer dependency retrieval paths.
Citations:
- 1: https://www.zhihu.com/en/answer/3009275955
- 2: https://github.com/jsdelivr/jsdelivr
- 3: https://github.com/jsdelivr/jsdelivr/blob/master/README.md
- 4: https://www.jsdelivr.com/about
- 5: cdn.jsdeliver.net (with an e) exactly mirrors cdn.jsdelivr.net, but appends malicious code to the end of every request jsdelivr/jsdelivr#18070
- 6: Hello from FastGit RC1844/FastGithub#1
Use only verified, official mirror endpoints; avoid fastly.jsdelivr.net and unconfirmed fastgit.cc.
Both domains are operational, but verification reveals trustworthiness issues:
- fastgit.cc is not established as a widely trusted community mirror; FastGit domains have varying availability and reliability
- fastly.jsdelivr.net is not the official jsDelivr CDN endpoint; the canonical URL is
cdn.jsdelivr.net. Non-official jsDelivr domain variants have documented security risks including impersonation attempts
Before recommending third-party mirrors in user documentation, verify against official project sources and document the security review. For jsDelivr, use the official endpoint only.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@core/presentation/src/commonMain/composeResources/files/whatsnew/18.json` at
line 11, Replace the unsafe mirror recommendation string "Two new community
mirrors — fastgit.cc and fastly.jsdelivr.net. Useful when GitHub is throttled."
in whatsnew/18.json with a verified, official recommendation: remove references
to fastgit.cc and fastly.jsdelivr.net and instead mention only officially
supported endpoints (e.g., use cdn.jsdelivr.net for jsDelivr) and add a short
note to verify mirrors against the upstream project before recommending them;
update the JSON entry accordingly.
There was a problem hiding this comment.
Partial — keeping the bullet, flagging caveats.
fastly.jsdelivr.net is legit. jsDelivr publishes per-CDN endpoints (cdn.jsdelivr.net = multi-CDN, fastly.jsdelivr.net = Fastly-only, gcore.jsdelivr.net = Gcore). The Fastly endpoint is specifically used in China to bypass Cloudflare blocking. CodeRabbit's web check conflated 'jsdelivr.net' with the typo-impersonator 'jsdeliver.net'. Different.
fastgit.cc trust isn't verified. Original FastGit was fastgit.org (since discontinued). fastgit.cc may be a successor or imposter. Source: vbidv email (Chinese user). Flagged for backend team — they'll do upstream pinning + status check before adding to /v1/mirrors/list. If fastgit.cc fails verification we'll drop it.
Whatsnew bullet only announces what the backend ships. Backend gates the actual trust.
There was a problem hiding this comment.
@rainxchzed — correction acknowledged on both counts.
fastly.jsdelivr.net: You're right, and my analysis was wrong. fastly.jsdelivr.net is referenced directly in jsDelivr's own issue tracker alongside cdn.jsdelivr.net as an official per-CDN endpoint. jsDelivr's network page confirms it uses Cloudflare, Fastly, Bunny, and Gcore as CDN providers via a Multi-CDN infrastructure. My web search returned results about the typo-squatter cdn.jsdeliver.net (missing an 'r') and I incorrectly carried that concern over to fastly.jsdelivr.net. That was an error on my part — no issue there.
fastgit.cc: The backend-gates-trust approach is reasonable. Announcing in the changelog what the backend ships, with the backend team performing upstream pinning and status-check verification before adding it to /v1/mirrors/list, is a solid safeguard. No action needed in this PR for that.
✏️ Learnings added
Learnt from: rainxchzed
Repo: OpenHub-Store/GitHub-Store PR: 599
File: core/presentation/src/commonMain/composeResources/files/whatsnew/18.json:11-11
Timestamp: 2026-05-14T14:05:47.265Z
Learning: In the OpenHub-Store/GitHub-Store project, fastly.jsdelivr.net is a legitimate, official jsDelivr per-CDN endpoint (Fastly-only). jsDelivr publishes per-CDN subdomain endpoints: cdn.jsdelivr.net (multi-CDN), fastly.jsdelivr.net (Fastly-only), gcore.jsdelivr.net (Gcore-only). The Fastly endpoint is specifically useful in China to bypass Cloudflare blocking. Do not flag fastly.jsdelivr.net as suspicious or conflate it with the typo-squatter domain jsdeliver.net (missing an 'r').
Learnt from: rainxchzed
Repo: OpenHub-Store/GitHub-Store PR: 599
File: core/presentation/src/commonMain/composeResources/files/whatsnew/18.json:11-11
Timestamp: 2026-05-14T14:05:47.265Z
Learning: In the OpenHub-Store/GitHub-Store project, the whatsnew JSON files (e.g. core/presentation/src/commonMain/composeResources/files/whatsnew/18.json) only announce mirrors that the backend ships via /v1/mirrors/list. The backend team is responsible for trust verification (upstream pinning, status checks) before adding any mirror to the API response. The client-side changelog bullet is not the trust gate.
Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.
There was a problem hiding this comment.
rainxchzed has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.
There was a problem hiding this comment.
rainxchzed has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.
rainxchzed
changed the title
1 participant
Sprint 3 Task 13 — announce backend's new community mirror in 1.8.3 changelog (13 locales).
Originally scoped 2 mirrors. Backend dropped fastgit.cc — no public artifact ties it to FastGitORG (their .org domain is officially shut down); treated as supply-chain risk. Only fastly.jsdelivr.net ships.
Test plan
18.jsonvalidSource: vbidv email + backend agent verification.
Follow-up
traffic_kindsdispatch (REQUIRED before 1.8.3 release).Summary by CodeRabbit