Merge v7.50.3 into 1.21.4

Author: Alexander01998

.github/workflows/auto_snapshot_update.yml

@@ -51,7 +51,7 @@ jobs:
       run: chmod +x gradlew
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4
+      uses: gradle/actions/setup-gradle@v5
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"

.github/workflows/dependency_graph.yml

@@ -34,7 +34,7 @@ jobs:
       run: chmod +x gradlew
 
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v4
+      uses: gradle/actions/dependency-submission@v5
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"

.github/workflows/gradle.yml

@@ -47,7 +47,7 @@ jobs:
       run: chmod +x gradlew
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4
+      uses: gradle/actions/setup-gradle@v5
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"

.github/workflows/publish.yml

@@ -57,7 +57,7 @@ jobs:
       run: chmod +x gradlew
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4
+      uses: gradle/actions/setup-gradle@v5
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"

build.gradle

@@ -29,20 +29,22 @@ repositories {
 // Override vulnerable dependencies until Minecraft updates to newer versions
 configurations.all {
 	resolutionStrategy {
-		// v2.5.1, used by Minecraft 1.21.4 - 1.21.8, is vulnerable to CVE-2024-57699
+		// v2.5.1, used by Minecraft 1.21.4 - 1.21.10, is vulnerable to CVE-2024-57699
 		force "net.minidev:json-smart:2.5.2"
-		// v2.13.4, used by Minecraft 1.21.4 - 1.21.8, is vulnerable to CVE-2025-52999
+		// v2.13.4, used by Minecraft 1.21.4 - 1.21.10, is vulnerable to CVE-2025-52999
 		force "com.fasterxml.jackson.core:jackson-core:2.15.0"
-		// v3.17.0, used by Minecraft 1.21.4 - 1.21.8, is vulnerable to CVE-2025-48924
+		// v3.17.0, used by Minecraft 1.21.4 - 1.21.10, is vulnerable to CVE-2025-48924
 		force "org.apache.commons:commons-lang3:3.18.0"
-		// v9.40, used by Minecraft 1.21.4 - 1.21.8, is vulnerable to CVE-2025-53864
+		// v9.40, used by Minecraft 1.21.4 - 1.21.10, is vulnerable to CVE-2025-53864
 		force "com.nimbusds:nimbus-jose-jwt:10.0.2"
 		// v4.1.115.Final, used by Minecraft 1.21.4, is vulnerable to CVE-2025-25193
 		force "io.netty:netty-common:4.1.118.Final"
 		// v4.1.115.Final, used by Minecraft 1.21.4, is vulnerable to CVE-2025-24970
 		force "io.netty:netty-handler:4.1.118.Final"
 		// v4.1.115.Final, used by Minecraft 1.21.4, is vulnerable to CVE-2025-58057
 		force "io.netty:netty-codec:4.1.125.Final"
+		// v4.1.115.Final, used by Minecraft 1.21.4, is vulnerable to CVE-2025-58056
+		force "io.netty:netty-codec-http:4.1.125.Final"
 	}
 }
 
@@ -143,7 +145,7 @@ jar {
 	inputs.property("archivesName", archivesName)
 
 	from("LICENSE.txt") {
-		rename { "LICENSE-${archivesName}.txt" }
+		rename { "LICENSE-${archivesName.get()}.txt" }
 	}
 
 	exclude("intentionally_untranslated.json")

gradle.properties

@@ -8,14 +8,14 @@ org.gradle.configuration-cache=true
 # https://modrinth.com/mod/fabric-api/versions
 minecraft_version=1.21.4
 yarn_mappings=1.21.4+build.8
-loader_version=0.17.2
-loom_version=1.11-SNAPSHOT
+loader_version=0.17.3
+loom_version=1.11-SNAPSHOT
 
 # Fabric API
 fabric_version=0.119.4+1.21.4
 
 # Mod Properties
-mod_version=v7.50.2-MC1.21.4
+mod_version=v7.50.3-MC1.21.4
 maven_group=net.wurstclient
 archives_base_name=Wurst-Client
 mod_loader=Fabric

src/main/java/net/wurstclient/WurstClient.java

@@ -50,7 +50,7 @@ public enum WurstClient
 	public static MinecraftClient MC;
 	public static IMinecraftClient IMC;
 
-	public static final String VERSION = "7.50.2";
+	public static final String VERSION = "7.50.3";
 	public static final String MC_VERSION = "1.21.4";
 
 	private PlausibleAnalytics plausible;

src/main/java/net/wurstclient/hacks/NoLevitationHack.java

@@ -20,5 +20,6 @@ public NoLevitationHack()
 		setCategory(Category.MOVEMENT);
 	}
 
-	// See ClientPlayerEntityMixin.hasStatusEffect()
+	// See ClientPlayerEntityMixin.hasStatusEffect() and
+	// ClientPlayerEntityMixin.getStatusEffect()
 }

src/main/java/net/wurstclient/mixin/ClientPlayerEntityMixin.java

@@ -28,6 +28,7 @@
 import net.minecraft.client.world.ClientWorld;
 import net.minecraft.entity.MovementType;
 import net.minecraft.entity.effect.StatusEffect;
+import net.minecraft.entity.effect.StatusEffectInstance;
 import net.minecraft.entity.effect.StatusEffects;
 import net.minecraft.registry.entry.RegistryEntry;
 import net.minecraft.util.math.Vec3d;
@@ -281,6 +282,19 @@ public boolean hasStatusEffect(RegistryEntry<StatusEffect> effect)
 		return super.hasStatusEffect(effect);
 	}
 
+	@Override
+	public StatusEffectInstance getStatusEffect(
+		RegistryEntry<StatusEffect> effect)
+	{
+		HackList hax = WurstClient.INSTANCE.getHax();
+		
+		if(effect == StatusEffects.LEVITATION
+			&& hax.noLevitationHack.isEnabled())
+			return null;
+		
+		return super.getStatusEffect(effect);
+	}
+	
 	@Override
 	public float getStepHeight()
 	{

src/main/java/net/wurstclient/mixin/DownloaderMixin.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2014-2025 Wurst-Imperium and contributors.
+ *
+ * This source code is subject to the terms of the GNU General Public
+ * License, version 3. If a copy of the GPL was not distributed with this
+ * file, You can obtain one at: https://www.gnu.org/licenses/gpl-3.0.txt
+ */
+package net.wurstclient.mixin;
+
+import java.nio.file.Path;
+import java.util.UUID;
+
+import org.spongepowered.asm.mixin.Final;
+import org.spongepowered.asm.mixin.Mixin;
+import org.spongepowered.asm.mixin.Shadow;
+import org.spongepowered.asm.mixin.injection.At;
+
+import com.llamalad7.mixinextras.injector.wrapoperation.Operation;
+import com.llamalad7.mixinextras.injector.wrapoperation.WrapOperation;
+
+import net.minecraft.client.session.Session;
+import net.minecraft.util.Downloader;
+import net.minecraft.util.Uuids;
+import net.wurstclient.WurstClient;
+
+@Mixin(Downloader.class)
+public abstract class DownloaderMixin implements AutoCloseable
+{
+	@Shadow
+	@Final
+	private Path directory;
+	
+	/**
+	 * Patches a fingerprinting vulnerability by creating a separate cache
+	 * folder for each Minecraft account.
+	 *
+	 * <p>
+	 * This mixin targets the <code>entries.forEach()</code> lambda in
+	 * <code>download(Config, Map)</code>.
+	 *
+	 * @see https://github.com/Wurst-Imperium/Wurst7/issues/1226
+	 */
+	@WrapOperation(at = @At(value = "INVOKE",
+		target = "Ljava/nio/file/Path;resolve(Ljava/lang/String;)Ljava/nio/file/Path;",
+		ordinal = 0,
+		remap = false), method = "method_55485")
+	private Path wrapResolve(Path instance, String filename,
+		Operation<Path> original)
+	{
+		Path result = original.call(instance, filename);
+		
+		// If the path has already been modified by another mod (likely trying
+		// to patch the same exploit), don't modify it further.
+		if(result == null || !result.getParent().equals(directory))
+			return result;
+			
+		// "getUuidOrNull" seems to be an outdated Yarn name, as Minecraft
+		// 1.21.10 treats this like a non-null method. Just in case, we manually
+		// fallback to the offline UUID if it ever does return null.
+		Session session = WurstClient.MC.getSession();
+		UUID uuid = session.getUuidOrNull();
+		if(uuid == null)
+			uuid = Uuids.getOfflinePlayerUuid(session.getUsername());
+		
+		return result.getParent().resolve(uuid.toString())
+			.resolve(result.getFileName());
+	}
+}