dotfiles/analysis/low-star-network-path-packages.md
Daniel Bulant 847fe42a9c
docs
2026-05-31 23:20:36 +02:00


Low-Star Packages On Plausible Network/Data Paths

Generated from analysis/network-library-review.csv and GitHub metadata on 2026-05-30. Star counts are GitHub stars at collection time. Dependency paths are Nix derivation/package paths, so they show that a package is reachable from the configured service package closure; they do not prove every library is loaded on every runtime request path.

Selection criteria: GitHub-backed dependency with relatively low stars, used by a network-facing root (nix-serve, prowlarr, jellyfin, sonarr, radarr), and plausibly involved in HTTP parsing, socket handling, JSON/XML/HTML parsing, remote metadata parsing, text normalization, database access, or similar externally influenced data handling.
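The selection criteria above are a filter followed by a ranking, and it helps to have them as code so the scan can be re-run when the CSV or the star counts change. The script below is an added example, not the repository's own tooling: it assumes a CSV with the columns `project,stars,used_by,version_in_use,latest_seen,description` (the real column names of analysis/network-library-review.csv are not shown here), treats 50 stars as the "relatively low" cut-off, and uses a keyword heuristic for the exposure class. The sample rows are constructed; the first four repeat figures from the tables below, the last two are invented rows that the filters should drop.

```python
import csv
import io
from dataclasses import dataclass

# Network-facing roots named in the selection criteria.
NETWORK_ROOTS = {"nix-serve", "prowlarr", "jellyfin", "sonarr", "radarr"}

# Keyword groups from the selection criteria, ordered from most to least
# directly exposed to bytes arriving from the network. First match wins.
EXPOSURE_CLASSES = [
    (("http", "psgi", "socket", "inet6"), "request-path", 3),
    (("xml", "dtd", "html", "json", "feed", "metadata", "musicbrainz"), "parser", 2),
    (("charset", "unicode", "normaliz", "transliter"), "text", 1),
    (("sqlite", "sql server", "database"), "storage", 0),
]

# Assumed threshold; the review only says "relatively low stars".
LOW_STAR_MAX = 50


@dataclass(frozen=True)
class Candidate:
    project: str
    stars: int
    used_by: frozenset
    version_in_use: str
    latest_seen: str
    exposure: str
    stale: bool
    score: int


def normalize_version(version):
    """Strip the 'v' prefix GitHub tags carry but NuGet/CPAN versions lack."""
    return version.strip().lstrip("v")


def classify(description):
    """Map a free-text package description to (exposure class, weight)."""
    text = description.lower()
    for keywords, label, weight in EXPOSURE_CLASSES:
        if any(k in text for k in keywords):
            return label, weight
    return "unclassified", -1


def score(stars, weight, stale):
    """Exposure dominates; low stars and an out-of-date pin add a point each."""
    value = weight * 10
    if stars <= LOW_STAR_MAX:
        value += 1  # little outside review attention
    if stale:
        value += 1  # fixes may exist upstream that the closure lacks
    return value


def bucket(candidate):
    """Same three headings the review uses."""
    if candidate.score >= 20:
        return "highest"
    if candidate.score >= 10:
        return "medium"
    return "lower"


def triage(csv_text):
    """Return in-scope candidates, most review-worthy first."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roots = frozenset(r.strip() for r in row["used_by"].split(";"))
        if not roots & NETWORK_ROOTS:
            continue  # not reachable from a network-facing root
        exposure, weight = classify(row["description"])
        if weight < 0:
            continue  # build/test/diagnostic helper, not a data path
        stars = int(row["stars"])
        stale = normalize_version(row["version_in_use"]) != normalize_version(row["latest_seen"])
        found.append(Candidate(row["project"], stars, roots, row["version_in_use"],
                               row["latest_seen"], exposure, stale,
                               score(stars, weight, stale)))
    # Highest score first; among equals, the least-reviewed package first.
    found.sort(key=lambda c: (-c.score, c.stars, c.project))
    return found


# Constructed sample input (see the lead-in for what each row represents).
SAMPLE_CSV = """project,stars,used_by,version_in_use,latest_seen,description
kazuho/p5-http-parser-xs,30,nix-serve,0.17,0.17,Fast HTTP parser
AngleSharp/AngleSharp.Xml,20,prowlarr,1.0.0,1.0.0,XML and DTD parsing for AngleSharp
p5sagit/JSON-MaybeXS,4,nix-serve,1.004005,1.004008,JSON backend selection module
ericsink/SQLitePCL.raw,609,jellyfin,2.1.10,v3.0.3,Low-level raw access to SQLite
example/cli-only-http-client,2,example-cli,1.0,1.0,HTTP client helper
example/build-helper,1,nix-serve,1.0,1.0,Build integrity helper
"""

if __name__ == "__main__":
    for c in triage(SAMPLE_CSV):
        flag = " (stale)" if c.stale else ""
        print(f"{bucket(c):7} {c.score:3} {c.project} [{c.exposure}, {c.stars} stars]{flag}")
```

The heuristic deliberately lets exposure class dominate the score: a 30-star C HTTP parser outranks a 4-star JSON wrapper even though the wrapper has fewer eyes on it, which is the same judgment the tables below make. The keyword list is the part to tune per environment; the `used_by` filter and the stale-version flag are what keep the scan honest about scope and about whether an upstream fix is already available.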

Highest Priority

| Project | Stars | Used by | Version in use | Latest seen | Why it may matter |
|---|---|---|---|---|---|
| kazeburo/HTTP-Entity-Parser | 5 | nix-serve | 0.25 | 0.25 | PSGI-compliant HTTP entity/body parser, directly adjacent to HTTP request handling. |
| kazuho/p5-http-parser-xs | 30 | nix-serve | 0.17 | 0.17 | Fast C/XS HTTP parser used through the Perl web stack; low-level parser code is a high-value review target. |
| shlomif/perl-io-socket-inet6 | 0 | nix-serve | 2.73 | 2.73 | IPv6 socket support library in the nix-serve Perl closure. Socket plumbing is network-path relevant. |
| AngleSharp/AngleSharp.Xml | 20 | prowlarr | 1.0.0 | 1.0.0 | XML and DTD parser extension for AngleSharp. Prowlarr handles indexer feeds/pages from remote sources. |
| p5sagit/JSON-MaybeXS | 4 | nix-serve | 1.004005 | 1.004008 | JSON backend selection/compatibility module in the HTTP service closure. JSON parsing often receives externally supplied data. |

Medium Priority

| Project | Stars | Used by | Version in use | Latest seen | Notes |
|---|---|---|---|---|---|
| madsen/io-html | 3 | nix-serve | 1.004 | 1.004 | Perl module for opening files with automatic charset detection. Less directly exposed than HTTP parsers, but charset detection can be input-sensitive. |
| Zastai/MetaBrainz.MusicBrainz | 41 | jellyfin | 6.1.0 | v8.0.1 | Native .NET implementation of MusicBrainz client/data model. Jellyfin can ingest remote metadata responses. |
| Zastai/MetaBrainz.Common.Json | 1 | jellyfin | 6.0.2 | v7.2.0 | JSON helper classes for MetaBrainz packages. Relevant to parsing remote metadata. |
| Zastai/MetaBrainz.Common | 0 | jellyfin | 3.0.0 | v4.1.1 | Shared classes for MetaBrainz packages. Low stars and in the metadata path, but not itself a parser entry point. |
| NightOwl888/ICU4N | 44 | jellyfin | 60.1.0-alpha.356 | 60.1.0-alpha.439 | Unicode/text normalization and transliteration library. Useful to review because media metadata and filenames are attacker-influenced in many deployments. |

Lower Priority But Network-Adjacent

| Project | Stars | Used by | Version in use | Latest seen | Notes |
|---|---|---|---|---|---|
| ericsink/SQLitePCL.raw | 609 | jellyfin | 2.1.10 | v3.0.3 | Low-level SQLite access layer. Not a network parser, but stores/queries data derived from remote/user-controlled metadata. |
| dotnet/SqlClient | 974 | sonarr, radarr | 2.1.7, 6.1.1; SNI runtime 2.1.1, 6.0.2 | v7.0.1 | SQL Server connectivity. Relevant if these apps are configured to use SQL Server or process DB connection data, but less relevant for the default SQLite-style local deployment path. |

Candidate Details

kazeburo/HTTP-Entity-Parser

Project: https://github.com/kazeburo/HTTP-Entity-Parser

Description: PSGI-compliant HTTP entity parser.

Used by: nix-serve

Dependency path: nix-serve -> perl-5.42.0-env -> HTTP-Entity-Parser

Version in use: 0.25

Latest/release data: latest 0.25, latest release date 2020-11-28T02:35:43

Other data: Perl, 5 stars, 8 forks, 2 open issues, not archived, last pushed 2020-11-28T02:35:43Z, license NOASSERTION

Assessment: Directly relevant to HTTP body parsing for nix-serve; worth manual review if nix-serve is publicly exposed through Caddy.

kazuho/p5-http-parser-xs

Project: https://github.com/kazuho/p5-http-parser-xs

Description: Fast HTTP parser.

Used by: nix-serve

Dependency path: nix-serve -> perl-5.42.0-env -> HTTP-Parser-XS

Version in use: 0.17

Latest/release data: latest 0.17, latest release date 2014-12-15T07:53:06

Other data: C, 30 stars, 11 forks, 9 open issues, not archived, last pushed 2024-06-13T04:08:54Z

Assessment: Highest-value low-star item because it is C parser code close to HTTP request parsing.

shlomif/perl-io-socket-inet6

Project: https://github.com/shlomif/perl-io-socket-inet6

Description: CPAN IPv6 socket module mirror/repository.

Used by: nix-serve

Dependency path: nix-serve -> perl-5.42.0-env -> IO-Socket-INET6

Version in use: 2.73

Latest/release data: latest 2.73, latest release date 2021-12-10T07:31:35

Other data: Perl, 0 stars, 1 fork, 0 open issues, not archived, last pushed 2021-12-10T07:31:26Z, license NOASSERTION

Assessment: Network plumbing dependency. Lower parser risk than HTTP parsers, but the star count is effectively zero.

AngleSharp/AngleSharp.Xml

Project: https://github.com/AngleSharp/AngleSharp.Xml

Description: Library adding XML and DTD parsing capabilities to AngleSharp.

Used by: prowlarr

Dependency path: prowlarr -> AngleSharp.Xml

Version in use: 1.0.0

Latest/release data: latest 1.0.0, release date 2023-01-15T12:45:03.84Z, latest release date 2023-01-15T12:45:04Z

Other data: C#, 20 stars, 6 forks, 5 open issues, not archived, last pushed 2025-01-26T20:54:26Z, license MIT

Assessment: XML/DTD parsing in an indexer-facing service is plausibly exposed to remote feed/page content. Worth checking DTD/external entity behavior and parser limits.

p5sagit/JSON-MaybeXS

Project: https://github.com/p5sagit/JSON-MaybeXS

Description: JSON backend compatibility/selection module for Perl.

Used by: nix-serve

Dependency path: nix-serve -> perl-5.42.0-env -> JSON-MaybeXS

Version in use: 1.004005

Latest/release data: latest 1.004008, latest release date 2024-08-10T20:23:23

Other data: Perl, 4 stars, 6 forks, 1 open issue, not archived, last pushed 2024-12-27T11:55:18Z

Assessment: Probably a wrapper rather than the parser implementation itself, but it is in a web service closure and touches JSON handling.

madsen/io-html

Project: https://github.com/madsen/io-html

Description: Perl module that opens a file and performs automatic charset detection.

Used by: nix-serve

Dependency path: nix-serve -> perl-5.42.0-env -> IO-HTML

Version in use: 1.004

Latest/release data: latest 1.004, latest release date 2020-09-26T16:52:29

Other data: Perl, 3 stars, 1 fork, 0 open issues, not archived, last pushed 2020-09-26T16:51:31Z

Assessment: Charset detection can be input-sensitive, but this is lower priority unless nix-serve uses it on request-supplied content.

Zastai MetaBrainz packages

Projects: MetaBrainz.Common, MetaBrainz.Common.Json, MetaBrainz.MusicBrainz

Descriptions: Shared classes, JSON helpers, and native .NET implementation of libmusicbrainz.

Used by: jellyfin

Dependency paths: jellyfin -> MetaBrainz.Common, jellyfin -> MetaBrainz.Common.Json, jellyfin -> MetaBrainz.MusicBrainz

Versions in use: 3.0.0, 6.0.2, 6.1.0

Latest/release data: latest v4.1.1, v7.2.0, v8.0.1; latest release dates in 2026 for all three

Other data: C#, 0/1/41 stars, 0/0/10 forks, not archived, MIT license

Assessment: These are in Jellyfin metadata handling. They are not direct socket parsers, but they process metadata structures that can originate from remote services or media tags.

NightOwl888/ICU4N

Project: https://github.com/NightOwl888/ICU4N

Description: International Components for Unicode for .NET.

Used by: jellyfin

Dependency paths: jellyfin -> ICU4N, jellyfin -> ICU4N.Transliterator

Version in use: 60.1.0-alpha.356

Latest/release data: latest 60.1.0-alpha.439 for ICU4N; latest 60.1.0-alpha.356 for ICU4N.Transliterator; NuGet release dates were not exposed in the cached data

Other data: C#, 44 stars, 8 forks, 22 open issues, not archived, last pushed 2026-05-08T23:25:53Z, license Apache-2.0

Assessment: Text normalization/transliteration libraries can receive untrusted metadata, filenames, subtitles, and tags. The fact that an alpha-version package is in use is notable.

ericsink/SQLitePCL.raw

Project: https://github.com/ericsink/SQLitePCL.raw

Description: Portable Class Library for low-level raw access to SQLite.

Used by: jellyfin

Dependency paths: jellyfin -> SQLitePCLRaw.core, jellyfin -> SQLitePCLRaw.bundle_e_sqlite3, jellyfin -> SQLitePCLRaw.lib.e_sqlite3, jellyfin -> SQLitePCLRaw.provider.e_sqlite3

Version in use: 2.1.10

Latest/release data: latest v3.0.3, release dates around 2024-09-11, latest release date 2026-05-07T17:28:57Z

Other data: C#, 609 stars, 134 forks, 36 open issues, not archived, last pushed 2026-05-07T17:23:42Z, license Apache-2.0

Assessment: Not a network parser, but stores and queries data derived from network/media metadata. Lower priority than parser/socket libraries.

dotnet/SqlClient

Project: https://github.com/dotnet/SqlClient

Description: Microsoft.Data.SqlClient provides database connectivity to SQL Server for .NET applications.

Used by: sonarr, radarr

Dependency paths: sonarr -> Microsoft.Data.SqlClient, radarr -> Microsoft.Data.SqlClient, and corresponding Microsoft.Data.SqlClient.SNI.runtime rows

Versions in use: 2.1.7, 6.1.1, SNI runtime 2.1.1, 6.0.2

Latest/release data: latest v7.0.1, latest release date 2026-04-24T19:34:24Z

Other data: C#, 974 stars, 330 forks, 276 open issues, not archived, last pushed 2026-05-30T11:30:25Z, license MIT

Assessment: Network-adjacent database client. Relevant mainly if Sonarr/Radarr are configured to use SQL Server or expose database connection handling.

Low-Star Items Not Prioritized

These appeared in the low-star scan but are less plausibly on a network/data parsing path: garu/data-dump, garu/Clone, Serilog extension/sink packages, NUnit test adapters, and buildcatrust. They may still matter for build integrity or diagnostics, but they are not obvious request/response parser or socket-facing dependencies from the current dependency paths.

Suggested Follow-Up

Review nix-serve first because it is exposed through Caddy and has several very low-star Perl HTTP/socket parser dependencies. Then check prowlarr XML/HTML parsing behavior, especially external entity handling and parser size/time limits. Finally, decide whether Jellyfin remote metadata providers are enabled and exposed enough to justify deeper review of the MetaBrainz and ICU4N paths.