6 changes: 6 additions & 0 deletions manifest.json
Expand Up @@ -40,5 +40,11 @@
"description": "Throw songs/artists to trash bin and never hear them again (automatically skip). This extension will append a Throw to Trashbin option in tracks and artists link right click menu.",
"preview": "https://i.imgur.com/ZFTy5Rm.png",
"main": "Extensions/trashbin.js"
},
{
"name": "Mandarin Lyrics",
"description": "Display Mandarin Chinese lyrics with synchronized pinyin romanization and English translation",
"preview": "https://raw.githubusercontent.com/persopourytb-wq/test/main/preview.png",
⚠️ Potential issue | 🟡 Minor

External preview image should be hosted consistently with other extensions.

The preview URL points to the same personal "test" repo. Other extensions either use null or stable Imgur links. If this extension is accepted, the preview image should be hosted on a stable, trusted location rather than a repo the author could delete or modify at any time.

🤖 Prompt for AI Agents
In `@manifest.json` at line 47, the manifest's "preview" value currently points to
a personal test repo image which is unstable; update the "preview" field in
manifest.json (the "preview" key) to either null or a stable, trusted image URL
(e.g., an approved Imgur/CID-hosted asset) so the extension uses a consistent
external preview source.

"main": "https://raw.githubusercontent.com/persopourytb-wq/test/main/dist/index.js"
}
Comment on lines +44 to 49

⚠️ Potential issue | 🔴 Critical

🚨 Critical security risk: externally hosted extension code bypasses all review controls.

Every other extension in this manifest uses a local relative path (e.g., "Extensions/trashbin.js"), meaning the code is vendored in-repo and subject to PR review. This entry points main to https://raw.githubusercontent.com/persopourytb-wq/test/main/dist/index.js — a personal GitHub repo named "test".

This means:

  1. No code review is possible — the actual extension source is not part of this PR or this repository.
  2. Arbitrary code injection — the repo owner can push any changes to their main branch at any time, and those changes would be served to all users automatically, with zero oversight.
  3. No stability guarantee — the repo can be deleted, renamed, or made private at any time, breaking the extension for all users.

The extension JS should be vendored locally under Extensions/ like all other entries, so it goes through the normal review process.

-		"main": "https://raw.githubusercontent.com/persopourytb-wq/test/main/dist/index.js"
+		"main": "Extensions/mandarinLyrics.js"

Suggested change (original entry first, replacement entry second):
{
"name": "Mandarin Lyrics",
"description": "Display Mandarin Chinese lyrics with synchronized pinyin romanization and English translation",
"preview": "https://raw.githubusercontent.com/persopourytb-wq/test/main/preview.png",
"main": "https://raw.githubusercontent.com/persopourytb-wq/test/main/dist/index.js"
}
{
"name": "Mandarin Lyrics",
"description": "Display Mandarin Chinese lyrics with synchronized pinyin romanization and English translation",
"preview": "https://raw.githubusercontent.com/persopourytb-wq/test/main/preview.png",
"main": "Extensions/mandarinLyrics.js"
}
🤖 Prompt for AI Agents
In `@manifest.json` around lines 44 - 49, the manifest entry for the extension
named "Mandarin Lyrics" currently points its "main" field to an external URL,
which bypasses review — download or copy the extension bundle from
https://raw.githubusercontent.com/persopourytb-wq/test/main/dist/index.js into
the repository under the Extensions/ directory (e.g.,
Extensions/mandarin-lyrics.js), update the "main" value in the manifest from the
external URL to the new relative path ("Extensions/mandarin-lyrics.js"), remove
any remaining externally hosted references (and optionally vendor the preview
image under Extensions or assets and update "preview"), and include the vendored
files in this PR so the code is reviewable and auditable.

]
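Review bot: both URLs added in this hunk ("preview" and "main") reference the `main` branch of an external repository by branch name rather than by commit, so nothing in this PR fixes what those URLs will serve later; the content can change after merge with no corresponding change in this repository, and no hash or signature is recorded that a loader could check. Vendoring `main` under `Extensions/` as already suggested removes the problem for the code; for the image, either `null` or a stable host is preferable to a branch URL.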