Skip to content

Added tracking for online vs local sourced mods#2071

Open
ebkr wants to merge 1 commit intodevelopfrom
feature/unlisted-notifications/tracking
Open

Added tracking for online vs local sourced mods#2071
ebkr wants to merge 1 commit intodevelopfrom
feature/unlisted-notifications/tracking

Conversation

@ebkr
Copy link
Owner

@ebkr ebkr commented Feb 9, 2026
edited
Loading

Tracking Online Sources

Prerequisite to identifying if package versions no longer match listed packages on Thunderstore

What's covered?

Action In cache Online/Local tracked
Download, cache enabled No Online
Download, cache disabled No Online
Download, cache enabled Yes Based on last result
Download, cache disabled Yes Online
Import No Local
Import Yes Local

Functionality

The cache has a new untracked folder called "_state" (to mirror the profile's _state folder), which records a list of files and versions that were downloaded from an online source.

Upon download the state files are looked up and if previously in the cache (and caching is enabled), then pull from the cache and set the onlineSource property equivalent to if the state file exists.

If the file is not cached (or caching is disabled), then fetch it from Thunderstore, and write the appropriate state file to disk. Repeat the lookup as part of the previous step.

If a file is locally imported, do not write a state file.

Follow-up work for later PRs

  • Inform the user if the mod is already cached
  • If an onlineSource enabled mod isn't in the online cache, then inform the user that it is a potentially vulnerable package

@ebkr ebkr requested a review from x753 February 9, 2026 12:26
@anttimaki
Copy link
Collaborator

anttimaki commented Feb 11, 2026
edited
Loading

Should the local import explicitly check if _state/online exists in the zip file being imported and ignore it while extracting (or remove it after extraction, or something)? Theoretically malicious mods downloaded from external sources and imported locally could otherwise bypass this feature.

@ebkr
Copy link
Owner Author

ebkr commented Feb 11, 2026

Should the local import explicitly check if _state/online exists in the zip file being imported and ignore it while extracting (or remove it after extraction, or something)? Theoretically malicious mods downloaded from external sources and imported locally could otherwise bypass this feature.

I don't think we need to worry.

Cache items would be placed in:
/cache/Author-ModName/Version/...

These are tracked in /cache/_state/online/...

_state is an invalid team name.

If we wanted further safety, we could check if the secondary folder name is a version number or not, but I don't think it's particularly necessary.

@ebkr ebkr mentioned this pull request Feb 13, 2026
Open
@ebkr ebkr force-pushed the feature/unlisted-notifications/tracking branch from a9deede to 24486d5 Compare February 16, 2026 15:16
x753
x753 approved these changes Feb 24, 2026
View reviewed changes
Copy link
Collaborator

@x753 x753 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks sane, didn't build and test or anything though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@x753 x753 x753 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ebkr @anttimaki @x753