[Game Update] - 651414

[JesseB_Klei]

This is a hotfix meant to address concerns about the game's sandboxing and protection with regards to mods. It will break some mods from working as they were initially written for the time being until a better or alternative solution can be provided. We understand that this is an inconvenience for many mods that use these features in legitimate ways and we are open to hearing out potential solutions for allowing them to work again in a more defined way.

• Changes
  • io.open will no longer be able to write files and will always treat any file access as read only.
  • TheSim:QueryServer will no longer be able to send or get information from third party services or URLs.
  • TheSim:SetPersistentString and TheSim:SetPersistentStringInClusterSlot will be prevented from writing to certain auto-ran files for clients and server clusters.

View full update

[Pixil]

Yippee! Thank you

[Valase]

Oh is it related to that "Malicious mod" thread?

[O_Atoba_Azul]

Losing io.open write is a shame, but it is what it is.

[Electroely]

20 minutes ago, JesseB_Klei said:

TheSim:QueryServer will no longer be able to send or get information from third party services or URLs.

Can you allow the usage of localhost/127.0.0.1 with this? I don't see the risk in it, and it would allow some mods that use QueryServer to function assuming the user is hosting the HTTP server.

[Cliffford W.]

Just now, Electroely said:

Can you allow the usage of localhost/127.0.0.1 with this? I don't see the risk in it, and it would allow some mods that use QueryServer to function assuming the user is hosting the HTTP server.

and perhaps also sending to a discord webhook cuz i used that for log sending

[Well-met]

50 minutes ago, Valase said:

Oh is it related to that "Malicious mod" thread?

yep yep

[Kova_]

 I use io.write for recording and I planned using QueryServer to use some API endpoints to meow together API.  :/

[nimzowitsch10]

man this is going to break alot of good mods.

[Cliffford W.]

Yea Gemcore uses io.open apparently and a lot of mods do even the other functions

Major Concern.

The Beta MAY get postponed idk how many team DST have but if there is multiple.

One will have to work on beta and the other on making above mentioned functions work in a safe place

[Philip.]

Honestly, it's very sad that it had to end this way. I hope you soon find a better alternative solution that won't compromise the already poor backend possibilities for modders and their creativity any further. Most people probably don't care, but it has to be said, that those functions are the fundamental pillars for any reasonably sophisticated server backend mod.

[EatenCheetos]

Noooo! This is going to break everything! RIP Base Projection, sharing bases, and my dstbases.com project

Edited January 25, 2025 by EatenCheetos

[baixiaofei]

I hope we can add config for server type ,in this way ,the server owner can uses these functions ,and we can avoid that mod。

[Digi_056]

Hmmm.... can it be set up so that we can read from the places we could before, but only create files in isolated locations? That we could let mods read each other's files, but not write to them? Only writing in their own folder or an isolated document folder so they can't get accidentally deleted during mod updates. (I've seen that happen.)

Would something like that be possible?

[BB Goat]

No! We cannot lose TheSim:QueryServer!

[Philip.]

21 hours ago, baixiaofei said:

I hope we can add config for server type ,in this way ,the server owner can uses these functions ,and we can avoid that mod。

Yes, this! A server configuration (or command line option for dedicated servers) that will give the server owners a possibility to reject all those security measures under the condition that the owner agrees to transfer the responsibility for the game and it's possibly unwanted actions upon himself from the devs. This would allow servers owner who know what are doing and do not need such security restrictions to continue freely operate their servers and provide services to improve the experience of all the players using their servers without putting them at risk of any kind.

20 hours ago, BB Goat said:

No! We cannot lose TheSim:QueryServer!

To be honest, I still don't understand the point of this change in the first place, since all the data you can fetch using TheSim:QueryServer you can already have installed in the mod itself. All the change has done is that we have lost the only way to communicate with outside services where the servers didn't have to be on the same machine as them.

So stuff like translation mods, automatic updates for lists or translations, public discord integration mods, crash reporting, etc... won't work anymore, and there is no other way you can implement those things.

With this change an ocean of endless possibilities has been taken away from the modder community just for one person indirectly abusing it after more than a decade of it's availability without any problems whatsoever. All that just for a negligible effect on the actual resolving of the current problem...

[Hubert Zhang]

QueryServer was the only way to interact with services outside the game. I created a mod which can sync messages from a bilibili livestream to in-game chat. However it's now broken by this update... Can we have a new set of api which allows mod access third party website?
 

The websites to be accessed should be described in mod manifest and displayed in in-game mod menu.

[Steorra]

On 1/25/2025 at 1:45 PM, EatenCheetos said:

Noooo! This is going to break everything! RIP Base Projection, sharing bases, and my dstbases.com project

What? Even base projection also got impacted by the update?? Oh my.

 

Edited January 26, 2025 by Steorra

[BezKa]

Is there a way to make the game give you a warning before installing a mod/entering a server with a mod that has the function?

[Love_MapleSyrup]

6 hours ago, Philip. said:

是的，就是这个！服务器配置（或专用服务器的命令行选项）将使服务器所有者能够拒绝所有这些安全措施，条件是所有者同意将游戏的责任及其可能不想要的行为从开发者转移到自己身上。这将允许知道自己在做什么并且不需要此类安全限制的服务器所有者继续自由运营他们的服务器并提供服务，以改善所有使用其服务器的玩家的体验，而不会让他们面临任何风险。

老实说，我一开始还是不明白这个改变的意义，因为所有你可以使用 TheSim:QueryServer 获取的数据都已经安装在 mod 本身中了。这个改变带来的全部影响就是我们失去了与外部服务通信的唯一方式，即服务器不必与它们在同一台机器上。

因此，诸如翻译 mod、列表或翻译的自动更新、公共 discord 集成 mod、崩溃报告等功能将不再起作用，而且你没有其他方法可以实现这些功能。

随着这一变化，modder 社区的无限可能性被剥夺了，而这仅仅是因为一个人间接滥用了它，而它已经存在了十多年，没有任何问题。所有这些对当前问题的实际解决都产生了微不足道的影响……

If there is no better way to make the api more secure, your approach is very good!

[IronFuzzball]

I am sad to report that this obliterates my Discord Rich Presence mod. Devs, I hope that you are able to come up with something that satisfies your security requirements while also not limiting modding creativity. Consider making TheSim:QueryServer reach any url (or just localhost) as a toggleable option in game settings!

[Serpens]

On 1/24/2025 at 8:30 PM, JesseB_Klei said:

This is a hotfix meant to address concerns about the game's sandboxing and protection with regards to mods. It will break some mods from working as they were initially written for the time being until a better or alternative solution can be provided. We understand that this is an inconvenience for many mods that use these features in legitimate ways and we are open to hearing out potential solutions for allowing them to work again in a more defined way

What is a proper alternative way to save information to be available for the player also in other saves?

In my specific case I used io.write in my Adventure Mode Mod to save and tell the game on next worldgeneration what kind of world to generate. I'm no programmer DarkXero wrote that code many years ago. He also used TheSim:SetPersistentString to save component informations like inventory to restore it in the next world, this still seems to work luckily. No clue though why he did not use SetPersistentString instead of io.write for the information about what world to load next...

[TheKaoticFoxi23]

Just hoping they change this so good mods can stay. At least two mods I adore have already been broken by this

[Violet Desiree]

4 minutes ago, TheKaoticFoxi23 said:

Just hoping they change this so good mods can stay. At least two mods I adore have already been broken by this

which ones

[Cliffford W.]

On 1/26/2025 at 2:51 PM, BezKa said:

Is there a way to make the game give you a warning before installing a mod/entering a server with a mod that has the function?

Idk about engine side. but on Lua side yes, you can give people prompts if you agree to the mod saving certain stuff or refuse.

That is if the developer adds such popup AFAIK Tropical Experience has function to subscribe to mods without your knowledge