@github-actions github-actions bot commented Dec 2, 2025

PR was created automatically by the release workflow, hope you release it as soon as possible!


Note

Introduce sky light calculation module and waypoint maxDistance, centralize connection options, and optimize player skin loading while enabling safer server-driven settings.

  • Renderer:
    • Sky Light: Add renderer/viewer/lib/skyLight.ts and use calculateSkyLightSimple in worldrendererCommon.getMesherConfig().
    • Waypoints: Support maxDistance visibility and option in renderer/viewer/three/waypoints.ts; pass via custom channel metadata.
    • Entities: Cache current skin URLs to skip redundant loads, set skin.isCustom, and clear per-entity caches on removal; minor originalEntity handling for player.
  • Core/Settings:
    • Connection State: Move lastConnectOptions to src/appStatus.ts; update imports across app.
    • Custom Channels: Default options.customChannels to 'websocket' and auto-enable for ws servers.
    • Server Settings: Track server-applied settings via serverChangedSettings and expand serverSafeSettings (e.g., remoteContentNotSameOrigin, rendering/UI prefs).
  • Gameplay/UI:
    • Simplify skin updates using entity IDs; update multiple components to new lastConnectOptions import.

Written by Cursor Bugbot for commit 2d34ac1. This will update automatically on new commits. Configure here.

coderabbitai bot commented Dec 2, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


Comment @coderabbitai help to get the list of available commands and usage tips.

@cursor cursor bot left a comment


* Settings like modsSupport, customChannels, or security-related options are excluded.
*/
export const serverSafeSettings: Partial<Record<keyof typeof defaultOptions, true>> = {
remoteContentNotSameOrigin: true, // allow server to change remote content not same origin policy
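
Review bot: The doc comment directly above the map says security-related options are excluded, yet the first entry, `remoteContentNotSameOrigin: true`, is an origin-policy setting, and its inline comment states what it permits without saying why that is safe for an untrusted server to control. Either drop the key from the allowlist, or document the reasoning here and require a user confirmation before a server-supplied value for it is applied.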

Bug: Server can override client cross-origin security policy

Adding remoteContentNotSameOrigin to serverSafeSettings allows remote servers to modify the client's cross-origin resource policy via the settings channel. This contradicts the documented intent where "security-related options are excluded" from server-controlled settings. A malicious server could set this to true to enable loading media from any origin, potentially enabling phishing attacks through arbitrary external content displayed in-game.

})
export const serverChangedSettings = proxy({
value: new Set<string>()
})
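
Review bot: `value: new Set<string>()` accepts any string, while `serverSafeSettings` is keyed by `keyof typeof defaultOptions`; typing the set with the same key type would catch misspelled or stale option names at compile time. These lines also carry no doc comment saying what the set records or where it is reset, which a reader needs in order to reason about its lifetime.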

Bug: Server-changed settings never cleared preventing user persistence

The serverChangedSettings set is populated when a server modifies client settings, but it's never cleared on disconnect. This prevents user-initiated changes to those settings from being persisted to local storage, even after leaving the server. The user's manual changes work in the current session but are lost on page reload, as resetStateAfterDisconnect doesn't reset this tracking state.


@zardoy zardoy merged commit 105bfe9 into release Dec 2, 2025
4 of 5 checks passed
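
The two review comments above, on the `serverSafeSettings` allowlist and on `serverChangedSettings` never being cleared, can be illustrated together. This is an added example, not code from the pull request: the option table and the names `serverSafe`, `applyServerSettings`, `setByUser`, `userPersisted` and `resetAfterDisconnect` are hypothetical, and the persistence rule follows the behaviour the second comment describes.

```typescript
// Constructed stand-in for the client's option table (values are illustrative).
const defaultOptions = {
  remoteContentNotSameOrigin: false,
  modsSupport: false,
  customChannels: 'websocket',
  renderDistance: 8,
  guiScale: 3,
}
type OptionKey = keyof typeof defaultOptions

// Allowlist of keys a server may set; security-related keys are deliberately absent.
const serverSafe: Partial<Record<OptionKey, true>> = { renderDistance: true, guiScale: true }

const options: Record<string, unknown> = { ...defaultOptions }
const userPersisted: Record<string, unknown> = {} // stands in for local storage
const serverChanged = new Set<OptionKey>()

// Apply a server-pushed settings object; returns the keys that were refused.
function applyServerSettings(incoming: Record<string, unknown>): string[] {
  const rejected: string[] = []
  for (const key of Object.keys(incoming)) {
    const value = incoming[key]
    // Own-property check so "__proto__" or "constructor" cannot pass via the prototype chain.
    const allowed = Object.prototype.hasOwnProperty.call(serverSafe, key)
    if (!allowed || typeof value !== typeof defaultOptions[key as OptionKey]) {
      rejected.push(key)
      continue
    }
    options[key] = value
    serverChanged.add(key as OptionKey)
  }
  return rejected
}

// User edits always take effect, but are persisted only when no server override is active.
function setByUser(key: OptionKey, value: unknown): boolean {
  options[key] = value
  if (serverChanged.has(key)) return false
  userPersisted[key] = value
  return true
}

// On disconnect: restore the user's saved (or default) values and drop the tracking state.
function resetAfterDisconnect(): void {
  serverChanged.forEach((key) => {
    options[key] = key in userPersisted ? userPersisted[key] : defaultOptions[key]
  })
  serverChanged.clear()
}
```

Without the `serverChanged.clear()` call, `setByUser` would keep returning `false` for every key a server had touched, which is the persistence loss the second comment reports.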

if (skinUrl !== stevePngUrl) {
this.currentSkinUrls[String(entityId)] = skinUrl
}
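
Review bot: The `if (skinUrl !== stevePngUrl)` branch has no `else`, so when the default skin is applied the entry under `String(entityId)` keeps whatever URL was stored before. Add an `else` that deletes the entry, or record the default URL as well, so the cache always reflects the skin the entity is currently showing.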

Bug: Skin cache not cleared when applying default skin

The currentSkinUrls cache is only updated when applying custom skins, not when applying the default steve skin. When a player's skin changes to steve, the cache retains the previous custom skin URL. If that same custom skin URL is subsequently requested, the cache comparison on line 525 incorrectly indicates the skin is already loaded, causing the update to be skipped even though the entity is currently displaying the steve skin. The cache entry needs to be cleared (e.g., delete this.currentSkinUrls[...]) when applying the steve skin to prevent stale cache entries from causing incorrect skip behavior.
