diffplug / spotless

Keep your code spotless
Apache License 2.0

improve error message for npm-based formatters to emphasize local-only #2107

Open renannprado opened 5 months ago

renannprado commented 5 months ago

Hello dear maintainers,

I was setting up spotless in my project and while trying it out I started facing the below exception (which I already managed to fix).

I got a bit scared though, because it seems that it's trying to send my code to a remote server... is that correct?

I understand that you don't have control over all the plugins (i.e. I guess nothing would prevent prettier itself from doing this), but in this case here it seems that potential code leaking is coming from spotless itself.

If the answer to the above question is "yes", is it possible to opt out of this altogether?

The below exception seems to be related to this class, but I can't make any conclusions just by looking at this class alone.

Thanks!

nedtwigg commented 5 months ago

Spotless never sends your code to a remote server, and none of our plugins do.

We did have a problem once where one of our formatters was doing XML validation, and full-spec XML validation did some network requests to get a DTD to validate against, and we filed a CVE for that when we realized it:

Some Spotless formatters are based on npm packages. And the way we interface with them is to open a little webserver on localhost, and do localhost requests to send data from the JVM to the Node.js process. That's what you're seeing.

If we ever find a plugin sending code to any network service, it is a red alarm fire, and would get a CVE just like we did with XML DTD mentioned earlier.

renannprado commented 5 months ago

@nedtwigg thanks for the reply! Since it's not clear from the error message, is it possible to improve this error somehow so that it doesn't scare other people in the future?

nedtwigg commented 5 months ago

Good idea!