Skip to content

LTS update 19 12 2025 #462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dooly123 wants to merge 826 commits into
base: long-term-support
Choose a base branch
from
Open

LTS update 19 12 2025 #462

dooly123 wants to merge 826 commits into from

Conversation

@dooly123
Copy link
Collaborator

@dooly123 dooly123 commented Dec 19, 2025

The last LTS release was before we attempted 600+ users. Since then, we have made further improvements and fixed bugs

The differences are bug fixes, ui changes, and IK changes

dooly123 and others added 14 commits December 14, 2025 02:12
@dooly123
hamburger gone from being loaded on phone
532da84
@dooly123
updated onscreen keyboard
5cf4609
@dooly123
on screen controls improved
c9354bd
@Vowgan
Added task cancellation to avatar list when closing the menu (#449)
5f425d5
@dooly123
loading avatar is now used directly first frame before reval
6828a85
@dooly123
Merge branch 'developer' of https://github.com/BasisVR/Basis into dev…
7f33c28 
…eloper
@dooly123
early work on a system to control max avatar loads
0bd1282
@dooly123
todays build
ab46bef
@cnlohr
Package Updates (AudioLink + Export Volumetrics) (#454)
bad8179 
1. Update AudioLink to 3.0.0
2. Add volumetrics in unity package
@Vowgan
Added Kat's Mirror Icon (#450)
02b9abf
@katruud
OS X rnnoise support (#456)
d1e0efd
@Vowgan
Added new Server Panel, minor fixes (#457)
0b770ea 
* Added new Server Panel

* Removed extra MetaXRProjectSettings file.

* Fixed naming for UpdateReticleRenderer
@Vowgan
Forced layout rebuild for the avatar menu text (#458)
0785fd7
@mriise
Add Zeromessenger (#460)
7399ba5 
* Add ZeroMessenger
"Fork" ZeroMessenger into basis, apply some patches for unity-specific things.

* add filter tests and samples

* fix: package and sln

* fix: revert settings for device matcher for this pr
@dooly123 dooly123 enabled auto-merge (squash) December 19, 2025 00:20
@dooly123 dooly123 disabled auto-merge December 19, 2025 00:22
@dooly123 dooly123 closed this Dec 19, 2025
@dooly123 dooly123 reopened this Dec 19, 2025
dooly123 and others added 11 commits December 20, 2025 01:44
@dooly123
working on mulithreading eyes and blinking input
f4b71c7
@dooly123
ready for testing
b80b37b
@dooly123
removed some usings
fd407ea
@dooly123
more cleanup
8f1997e
@dooly123
header changes
23bbff1
@dooly123
removed ulipsyncblendshape just making it more us
3a62a7d
@SineVector241
feat: Update opus to v1.6 and include MacOS binaries. (#464)
aaa9d1f 
Update opus to v1.6 and include MacOS binaries.
@dooly123
changed how voice gain works on remote clients
4cb5571
@dooly123
cleaned up audiosource
41ba35c
@katruud @claude
Mac .bee file build fixes (#465)
97a672c 
* add rnnoise binaries

* mac build fixes

* Remove unused Mac-specific Unity rendering settings

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* added mac build of opus from @SineVector241

* add asmdef ignores for macos as needed

* Opus 1.6.0 https://github.com/AvionBlock/OpusSharp/releases/tag/v1.6.0

* add asmdefs for ios visionos tvos

* add mic permission requirement for apple builds

* clean up

* Fix assembly reference: use correct name with space

Changed "Basis_Framework" to "Basis Framework" to match the actual
assembly name defined in Basis Framework.asmdef.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
@katruud
feat: ios builds of opus and rnnoise (#466)
5fa550b
dooly123 added 26 commits January 10, 2026 22:34
@dooly123
fixed a few sdk bugs
22c0428
@dooly123
changed ui raycasting visuals
4ecc40a
@dooly123
added capped framerate set
1918ae1
@dooly123
changed more openxr settings
3254147
@dooly123
set some defaults better
7d4dd6f
@dooly123
went back to know good
6ad4198
@dooly123
good bye meta, we dont need it to use basis with openxr
dc5145b 
get rekt
@dooly123
changed bit packer again, added occlusion baking and clearing based o…
1c3449b 
…n platforms designation

can be turned off in AssetBundleBuildSettings
@dooly123
corrected InteractionLineRenderer width
cc4f38d
@dooly123
more changes
cdce0f7
@dooly123
disable debug on sound effect
b3266ec
@dooly123
android back building without stripping data
922fab8
@dooly123
added auto increment
80447d7
@dooly123
getting ready to test dx12 and fix known bad bugs
01ebbc2
@dooly123
rolling
81241ee
@dooly123
put the old police content system back in
587630f 
this is a huge error on my part
@dooly123
project settings updated for the last time yay
d4ed43a
@dooly123
fixed DeInitalize call
710fd29
@dooly123
updated a few menus with create new instead of create new entry
9d1a59e
@dooly123
second attempt
12465e4
@dooly123
updated save system
432e3d8
@dooly123
changed sorting orders
333ebcf
@dooly123
off threaded more of the validation work
216e44d
@dooly123
mulithreaded more work
8f8f664
@dooly123
changed sorting order more
b3ca615
@dooly123
looks like 1 works
de3467a
@aicodeguard
Copy link

aicodeguard commented Jan 15, 2026

Code Review – Key Findings

Summary:
This review identified 3 critical issues, primarily focusing on security vulnerabilities where sensitive credentials (passwords) are logged in plain text, and a concurrency bug that could lead to system crashes.

Issues

  1. [Security] Plain-text Credential Logging in Client Console
    The ReadString helper method logs every configuration value it reads, including Password and AvatarPassword. This exposes credentials in the application logs.

    • File: Basis Server/BasisNetworkClientConsole/BasisNetworkClientConsole/ConfigManager.cs
    • Line: 30
    • Fix: Remove the BNL.Log call in ReadString or filter out keys containing "Password".

  2. [Security] Plain-text Server Password Logging
    The ProcessEnvironmentalOverrides method iterates through all configuration fields and logs their values if an environment variable override exists. This includes the server Password field.

    • File: Basis Server/BasisNetworkCore/BasisServerConfiguration.cs
    • Line: 100
    • Fix: Modify the logging logic to check if the field name is sensitive (e.g., "Password") and redact the value in the log output.

  3. [Bug] Race Condition in Static Initialization
    The AvatarSyncSize property uses a non-thread-safe lazy initialization pattern. IsWired is set to true before avatarSyncSize is calculated. A concurrent thread could read IsWired as true and return avatarSyncSize as 0, causing downstream buffer allocation failures.

    • File: Basis Server/BasisNetworkCore/Compression/BasisBitPackingConstants.cs
    • Lines: 17-22
    • Fix: Move the initialization to a static constructor or use a lock block to ensure atomicity.

@yewnyx
Copy link
Collaborator

yewnyx commented Jan 15, 2026 

                if (IsWired == false)
                {
                    IsWired = true;
                    //156 = 12 + 8 + 2 + 134
                    avatarSyncSize = WritePosition + WriteRotation + WriteScale + SumBitsPerSlot();
                }
                return avatarSyncSize;

Just FYI, this pattern of lazy initialization is definitely not threadsafe, if you use it anywhere else.

Also, why does your constants file hold public non-constant non-readonly integer variables? Also the byte arrays are mutable (their reference is readonly, but not their contents).

@Toys0125
Copy link
Contributor

Toys0125 commented Jan 15, 2026

Just FYI, this pattern of lazy initialization is definitely not threadsafe, if you use it anywhere else.

I find it interesting that the aicodeguard says the exact same thing. Only 20 mins before you.

@yewnyx
Copy link
Collaborator

yewnyx commented Jan 15, 2026

Just FYI, this pattern of lazy initialization is definitely not threadsafe, if you use it anywhere else.

I find it interesting that the aicodeguard says the exact same thing. Only 20 mins before you.

Not at all. I took a look at that to see if it was actually worthwhile and think it is worth a human actually saying "yes this is real"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.