dan/dotfiles
1
0
Fork 0
mirror of https://github.com/danbulant/dotfiles synced 2026-06-19 14:41:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
dotfiles/analysis/low-star-network-path-packages.md
Daniel Bulant 847fe42a9c
docs
2026-05-31 23:20:36 +02:00

222 lines
12 KiB
Markdown
Raw Blame History

# Low-Star Packages On Plausible Network/Data Paths
Generated from `analysis/network-library-review.csv` and GitHub metadata on 2026-05-30. Star counts are GitHub stars at collection time. Dependency paths are Nix derivation/package paths, so they show that a package is reachable from the configured service package closure; they do not prove every library is loaded on every runtime request path.
Selection criteria: GitHub-backed dependency with relatively low stars, used by a network-facing root (`nix-serve`, `prowlarr`, `jellyfin`, `sonarr`, `radarr`), and plausibly involved in HTTP parsing, socket handling, JSON/XML/HTML parsing, remote metadata parsing, text normalization, database access, or similar externally influenced data handling.
## Highest Priority
| Project | Stars | Used by | Version in use | Latest seen | Why it may matter |
| --- | ---: | --- | --- | --- | --- |
| [kazeburo/HTTP-Entity-Parser](https://github.com/kazeburo/HTTP-Entity-Parser) | 5 | `nix-serve` | `0.25` | `0.25` | PSGI-compliant HTTP entity/body parser, directly adjacent to HTTP request handling. |
| [kazuho/p5-http-parser-xs](https://github.com/kazuho/p5-http-parser-xs) | 30 | `nix-serve` | `0.17` | `0.17` | Fast C/XS HTTP parser used through the Perl web stack; low-level parser code is a high-value review target. |
| [shlomif/perl-io-socket-inet6](https://github.com/shlomif/perl-io-socket-inet6) | 0 | `nix-serve` | `2.73` | `2.73` | IPv6 socket support library in the `nix-serve` Perl closure. Socket plumbing is network-path relevant. |
| [AngleSharp/AngleSharp.Xml](https://github.com/AngleSharp/AngleSharp.Xml) | 20 | `prowlarr` | `1.0.0` | `1.0.0` | XML and DTD parser extension for AngleSharp. Prowlarr handles indexer feeds/pages from remote sources. |
| [p5sagit/JSON-MaybeXS](https://github.com/p5sagit/JSON-MaybeXS) | 4 | `nix-serve` | `1.004005` | `1.004008` | JSON backend selection/compatibility module in the HTTP service closure. JSON parsing often receives externally supplied data. |
## Medium Priority
| Project | Stars | Used by | Version in use | Latest seen | Notes |
| --- | ---: | --- | --- | --- | --- |
| [madsen/io-html](https://github.com/madsen/io-html) | 3 | `nix-serve` | `1.004` | `1.004` | Perl module for opening files with automatic charset detection. Less directly exposed than HTTP parsers, but charset detection can be input-sensitive. |
| [Zastai/MetaBrainz.MusicBrainz](https://github.com/Zastai/MetaBrainz.MusicBrainz) | 41 | `jellyfin` | `6.1.0` | `v8.0.1` | Native .NET implementation of MusicBrainz client/data model. Jellyfin can ingest remote metadata responses. |
| [Zastai/MetaBrainz.Common.Json](https://github.com/Zastai/MetaBrainz.Common.Json) | 1 | `jellyfin` | `6.0.2` | `v7.2.0` | JSON helper classes for MetaBrainz packages. Relevant to parsing remote metadata. |
| [Zastai/MetaBrainz.Common](https://github.com/Zastai/MetaBrainz.Common) | 0 | `jellyfin` | `3.0.0` | `v4.1.1` | Shared classes for MetaBrainz packages. Low stars and in the metadata path, but not itself a parser entry point. |
| [NightOwl888/ICU4N](https://github.com/NightOwl888/ICU4N) | 44 | `jellyfin` | `60.1.0-alpha.356` | `60.1.0-alpha.439` | Unicode/text normalization and transliteration library. Useful to review because media metadata and filenames are attacker-influenced in many deployments. |
## Lower Priority But Network-Adjacent
| Project | Stars | Used by | Version in use | Latest seen | Notes |
| --- | ---: | --- | --- | --- | --- |
| [ericsink/SQLitePCL.raw](https://github.com/ericsink/SQLitePCL.raw) | 609 | `jellyfin` | `2.1.10` | `v3.0.3` | Low-level SQLite access layer. Not a network parser, but stores/query data derived from remote/user-controlled metadata. |
| [dotnet/SqlClient](https://github.com/dotnet/SqlClient) | 974 | `sonarr`, `radarr` | `2.1.7`, `6.1.1`, SNI runtime `2.1.1`, `6.0.2` | `v7.0.1` | SQL Server connectivity. Relevant if these apps are configured to use SQL Server or process DB connection data, but less relevant for the default SQLite-style local deployment path. |
## Candidate Details
### kazeburo/HTTP-Entity-Parser
Project: [https://github.com/kazeburo/HTTP-Entity-Parser](https://github.com/kazeburo/HTTP-Entity-Parser)
Description: PSGI compliant HTTP Entity Parser.
Used by: `nix-serve`
Dependency path: `nix-serve -> perl-5.42.0-env -> HTTP-Entity-Parser`
Version in use: `0.25`
Latest/release data: latest `0.25`, latest release date `2020-11-28T02:35:43`
Other data: Perl, 5 stars, 8 forks, 2 open issues, not archived, last pushed `2020-11-28T02:35:43Z`, license `NOASSERTION`
Assessment: Directly relevant to HTTP body parsing for `nix-serve`; worth manual review if `nix-serve` is publicly exposed through Caddy.
### kazuho/p5-http-parser-xs
Project: [https://github.com/kazuho/p5-http-parser-xs](https://github.com/kazuho/p5-http-parser-xs)
Description: Fast HTTP parser.
Used by: `nix-serve`
Dependency path: `nix-serve -> perl-5.42.0-env -> HTTP-Parser-XS`
Version in use: `0.17`
Latest/release data: latest `0.17`, latest release date `2014-12-15T07:53:06`
Other data: C, 30 stars, 11 forks, 9 open issues, not archived, last pushed `2024-06-13T04:08:54Z`
Assessment: Highest-value low-star item because it is C parser code close to HTTP request parsing.
### shlomif/perl-io-socket-inet6
Project: [https://github.com/shlomif/perl-io-socket-inet6](https://github.com/shlomif/perl-io-socket-inet6)
Description: CPAN IPv6 socket module mirror/repository.
Used by: `nix-serve`
Dependency path: `nix-serve -> perl-5.42.0-env -> IO-Socket-INET6`
Version in use: `2.73`
Latest/release data: latest `2.73`, latest release date `2021-12-10T07:31:35`
Other data: Perl, 0 stars, 1 fork, 0 open issues, not archived, last pushed `2021-12-10T07:31:26Z`, license `NOASSERTION`
Assessment: Network plumbing dependency. Lower parser risk than HTTP parsers, but the star count is effectively zero.
### AngleSharp/AngleSharp.Xml
Project: [https://github.com/AngleSharp/AngleSharp.Xml](https://github.com/AngleSharp/AngleSharp.Xml)
Description: Library adding XML and DTD parsing capabilities to AngleSharp.
Used by: `prowlarr`
Dependency path: `prowlarr -> AngleSharp.Xml`
Version in use: `1.0.0`
Latest/release data: latest `1.0.0`, release date `2023-01-15T12:45:03.84Z`, latest release date `2023-01-15T12:45:04Z`
Other data: C#, 20 stars, 6 forks, 5 open issues, not archived, last pushed `2025-01-26T20:54:26Z`, license `MIT`
Assessment: XML/DTD parsing in an indexer-facing service is plausibly exposed to remote feed/page content. Worth checking DTD/external entity behavior and parser limits.
### p5sagit/JSON-MaybeXS
Project: [https://github.com/p5sagit/JSON-MaybeXS](https://github.com/p5sagit/JSON-MaybeXS)
Description: JSON backend compatibility/selecting module for Perl.
Used by: `nix-serve`
Dependency path: `nix-serve -> perl-5.42.0-env -> JSON-MaybeXS`
Version in use: `1.004005`
Latest/release data: latest `1.004008`, latest release date `2024-08-10T20:23:23`
Other data: Perl, 4 stars, 6 forks, 1 open issue, not archived, last pushed `2024-12-27T11:55:18Z`
Assessment: Probably a wrapper rather than the parser implementation itself, but it is in a web service closure and touches JSON handling.
### madsen/io-html
Project: [https://github.com/madsen/io-html](https://github.com/madsen/io-html)
Description: Perl module that opens a file and performs automatic charset detection.
Used by: `nix-serve`
Dependency path: `nix-serve -> perl-5.42.0-env -> IO-HTML`
Version in use: `1.004`
Latest/release data: latest `1.004`, latest release date `2020-09-26T16:52:29`
Other data: Perl, 3 stars, 1 fork, 0 open issues, not archived, last pushed `2020-09-26T16:51:31Z`
Assessment: Charset detection can be input-sensitive, but this is lower priority unless `nix-serve` uses it on request-supplied content.
### Zastai MetaBrainz packages
Projects: [MetaBrainz.Common](https://github.com/Zastai/MetaBrainz.Common), [MetaBrainz.Common.Json](https://github.com/Zastai/MetaBrainz.Common.Json), [MetaBrainz.MusicBrainz](https://github.com/Zastai/MetaBrainz.MusicBrainz)
Descriptions: Shared classes, JSON helpers, and native .NET implementation of libmusicbrainz.
Used by: `jellyfin`
Dependency paths: `jellyfin -> MetaBrainz.Common`, `jellyfin -> MetaBrainz.Common.Json`, `jellyfin -> MetaBrainz.MusicBrainz`
Versions in use: `3.0.0`, `6.0.2`, `6.1.0`
Latest/release data: latest `v4.1.1`, `v7.2.0`, `v8.0.1`; latest release dates in 2026 for all three
Other data: C#, 0/1/41 stars, 0/0/10 forks, not archived, MIT license
Assessment: These are in Jellyfin metadata handling. They are not direct socket parsers, but they process metadata structures that can originate from remote services or media tags.
### NightOwl888/ICU4N
Project: [https://github.com/NightOwl888/ICU4N](https://github.com/NightOwl888/ICU4N)
Description: International Components for Unicode for .NET.
Used by: `jellyfin`
Dependency paths: `jellyfin -> ICU4N`, `jellyfin -> ICU4N.Transliterator`
Version in use: `60.1.0-alpha.356`
Latest/release data: latest `60.1.0-alpha.439` for `ICU4N`; latest `60.1.0-alpha.356` for `ICU4N.Transliterator`; NuGet release dates were not exposed in the cached data
Other data: C#, 44 stars, 8 forks, 22 open issues, not archived, last pushed `2026-05-08T23:25:53Z`, license `Apache-2.0`
Assessment: Text normalization/transliteration libraries can receive untrusted metadata, filenames, subtitles, and tags. Alpha-version package in use is notable.
### ericsink/SQLitePCL.raw
Project: [https://github.com/ericsink/SQLitePCL.raw](https://github.com/ericsink/SQLitePCL.raw)
Description: Portable Class Library for low-level raw access to SQLite.
Used by: `jellyfin`
Dependency paths: `jellyfin -> SQLitePCLRaw.core`, `jellyfin -> SQLitePCLRaw.bundle_e_sqlite3`, `jellyfin -> SQLitePCLRaw.lib.e_sqlite3`, `jellyfin -> SQLitePCLRaw.provider.e_sqlite3`
Version in use: `2.1.10`
Latest/release data: latest `v3.0.3`, release dates around `2024-09-11`, latest release date `2026-05-07T17:28:57Z`
Other data: C#, 609 stars, 134 forks, 36 open issues, not archived, last pushed `2026-05-07T17:23:42Z`, license `Apache-2.0`
Assessment: Not a network parser, but stores and queries data derived from network/media metadata. Lower priority than parser/socket libraries.
### dotnet/SqlClient
Project: [https://github.com/dotnet/SqlClient](https://github.com/dotnet/SqlClient)
Description: Microsoft.Data.SqlClient provides database connectivity to SQL Server for .NET applications.
Used by: `sonarr`, `radarr`
Dependency paths: `sonarr -> Microsoft.Data.SqlClient`, `radarr -> Microsoft.Data.SqlClient`, and corresponding `Microsoft.Data.SqlClient.SNI.runtime` rows
Versions in use: `2.1.7`, `6.1.1`, SNI runtime `2.1.1`, `6.0.2`
Latest/release data: latest `v7.0.1`, latest release date `2026-04-24T19:34:24Z`
Other data: C#, 974 stars, 330 forks, 276 open issues, not archived, last pushed `2026-05-30T11:30:25Z`, license `MIT`
Assessment: Network-adjacent database client. Relevant mainly if Sonarr/Radarr are configured to use SQL Server or expose database connection handling.
## Low-Star Items Not Prioritized
These appeared in the low-star scan but are less plausibly on a network/data parsing path: [garu/data-dump](https://github.com/garu/data-dump), [garu/Clone](https://github.com/garu/Clone), Serilog extension/sink packages, NUnit test adapters, and `buildcatrust`. They may still matter for build integrity or diagnostics, but they are not obvious request/response parser or socket-facing dependencies from the current dependency paths.
## Suggested Follow-Up
Review `nix-serve` first because it is exposed through Caddy and has several very low-star Perl HTTP/socket parser dependencies. Then check `prowlarr` XML/HTML parsing behavior, especially external entity handling and parser size/time limits. Finally, decide whether Jellyfin remote metadata providers are enabled and exposed enough to justify deeper review of the MetaBrainz and ICU4N paths.
Reference in a new issue View git blame Copy permalink