Bug Fixes

• client: only set initial invBusy state locally (Linden)
• server/shops: decrement item count before hooks (Linden)
• server/inventory: early bailout if giveItem has no available slot (Linden)

This update fixes an item duplication exploit exposed by a change in v2.47.3 which added a delay to the swapItems event. Some underlying behaviour has been changed which should prevent it from occurring again - additionally, hooks which yield (i.e. Wait) should no longer risk saving a dirty state to the database.

Bug Fixes

• server/crafting: get locks on correct ids (Linden)
• server: prevent item duplication on disconnect mid-swap (#1950) #1950 (Kenshin13)
• server/hooks: correctly output hook rejections to console (Linden)
• client: display serverId in give player list (Linden)
• client/utils: get client's player index in defaultGetPlayerName (Linden)
• server: commit swapItems atomically so a yielding hook cannot dupe (#1952) #1952 (Kenshin13)

Bug Fixes

• client: leftover print (Linden)

Chores

• update ox_lib dependency to 3.36.4 (Linden)

Bug Fixes

• client: handle updateInventory in swapItems callback (Linden)
• server/inventory: earlier invokingResource check on addItem (Linden)

Code Refactoring

• init: use GetConvarBool (Linden)
• server/hooks: print on hook rejection (Linden)
• support strict state bags (Linden)

Chores

• update ox_lib dependency to 3.36.0 (Linden)

Bug Fixes

• inventory: don't double up inventory updates (Linden)
• server/hooks: delay post-hook events (Linden)
• web: re-add sass dependency (Linden)

Chores

• bump version to v2.47.2 (github-actions)

Bug Fixes

• server/inventory: weapon components not updating (#1939) #1939 (Maximus)
• client: opening a glovebox in a moving vehicle (#1940) #1940 (iampitchou)
• server/hooks: don't add failed hook to results (Linden)

This release patches some potential vulnerabilities with modifying inventory state during actions, leading to incorrect item removal.

For third-party resources, new features have been added to improve security and reliability.

You can now register stashes with an instance field, which prevents any player from accessing it unless their instance state has been set to the same value. Note this is technically only secure when using strict statebags.

I have also added post-hook events to correctly support scripts that wish to run custom logic after completing certain actions. Many third-party scripts previously registered hooks which would trigger "side-effects", such as modifying an item or giving items when the hook ran. This leads to major issues and exploits, as hooks run before such an action has been completed and could still fail for a number of reasons (including other hooks rejecting it).

Hook callbacks are intended for validation only and should avoid side effects such as modifying data, writing to a database, or triggering additional operations.

Because actions may still be in progress or may fail, modifying item or inventory state before completion can lead to race conditions or inconsistent behavior.

To avoid issues, perform state changes or follow-up logic in post-hook events.

You can now safely run such logic after actions have been validated internally and by other hooks by using the hookId (returned by registerHook) as an event. The hook callback is also now optional if you only need to use the built-in filters and don't require custom validation.

---Use filter logic so only relevant inventories trigger the post-hook event.
local hookId = exports.ox_inventory:registerHook('swapItems', nil, {
    inventoryFilter = {
        '^glove[%w]+',
        '^trunk[%w]+',
    }
})
 
---Print everytime an item is moved to or from a vehicle inventory.
---Success will be false if the hook rejected the action or it failed elsewhere.
AddEventHandler(hookId, function(success, payload)
    print(hookId, success)
    lib.print.info(payload)
end)

Features

• server/inventory: add instance field to registered stashes (Linden)
• server: add instance validation to openInventory callback (Linden)
• implement basic locks manager (Linden)
• server/hooks: new hookId format and include id in payload (Linden)
• server/hooks: Add post-action events to event hooks (Linden)
• server/items: add invoking resource to createItem hook payload (Linden)

Bug Fixes

• client: ensure currentInventory is always defined, type fixes (Linden)
• server/inventory: ensure player inventory is open before swap (Linden)
• client: always trigger closeInventory event on close (Linden)
• client/inventory: clear evidence.zoneId (Linden)
• server/crafting: add locks to crafting ingredients (Linden)
• server/crafting: return if locks fail (Linden)
• client: set coords when opening inventory (Linden)
• server: add locks to useItem (Linden)
• server/inventory: extra Inventory.SetSlot arg validation (Linden)
• server/inventory: extra Inventory.RemoveItem arg validation (Linden)
• server/inventory: inconsistent inventory.openedBy behaviour (Linden)
• server/inventory: SetSlot error checking (Linden)
• server/shops: add better fallbacks for openShop hook (#1933) #1933 (JHansen2000)
• server/inventory: disallow negative values when updating weapons (Linden)
• client: don't set coords on default inventory (Linden)
• client: support txadmin's heal event (Linden)
• server/inventory: SetSlot return value on item deletion (Linden)
• server/inventory: typo in RemoveItem (Linden)

Code Refactoring

• sync inventory.instance to client (Linden)
• server/inventory: use Locks with swapItems and giveItem (Linden)
• server/inventory: use more descriptive lock ids (Linden)
• locks: take an array rather than varargs (Linden)
• client: allow movement while using drop (Linden)
• server/hooks: don't format post-hook event names (Linden)

Chores

• type fixes (Linden)

Bug Fixes

• server/inventory: correction to swapItems exploit check (Linden)

Patches an exploit that passed incorrect data to newly created drops, allowing item duplication.

Features

• utils/server: add LogExploit function (Linden)
• ui: add thousands separator formatting to item amount input (#1927) #1927 (Acc-Off)

Bug Fixes

• server/inventory: ensure dropItem transfers from player inventory. (Linden)
• support giving items to players in vehicles (#1925) #1925 (Marcelo Silva)

Code Refactoring

• web: fetch stub (Linden)
• server: add logging for some known exploits (Linden)
• server/inventory: early bailout on invalid swapItems data (Linden)

Continuous Integration

• release: update actor_id (Linden)

Chores

• luarc template (Linden)
• add japanease locale (#1926) #1926 (Acc-Off)

Features

• add convars for defining markers (#1892) #1892 (Maximus7474)
• client: add convar to disable steal command (#7) #1924 (ANTOND.)
• client: add convar to disable inventory setup notification (#8) #1924 (ANTOND.)
• client/utils: add function to suppress item notifications (#9) #1924 (ANTOND.)
• items/containers: export setContainerProperties function (#31) #1924 (ANTOND.)
• shops/server: add new openShop hook on shop open (#51) #1924 (JHansen2000)
• crafting: add zone level groups support (#82) #1924 (Skryptific)
• utils/server: extend image validity check to inlcude nui URIs (#84) #1924 (Maximus7474)
• client: setGetPlayerMethod export (#87) #1924 (Maximus7474)
• client: add convar to disable steal command (#7) #1924 (ANTOND.)
• client: add convar to disable inventory setup notification (#8) #1924 (ANTOND.)
• client/utils: add function to suppress item notifications (#9) #1924 (ANTOND.)
• items/containers: export setContainerProperties function (#31) #1924 (ANTOND.)
• shops/server: add new openShop hook on shop open (#51) #1924 (JHansen2000)
• crafting: add zone level groups support (#82) #1924 (Skryptific)
• utils/server: extend image validity check to inlcude nui URIs (#84) #1924 (Maximus7474)
• client: setGetPlayerMethod export (#87) #1924 (Maximus7474)

Bug Fixes

• init: drop weight (#1898) #1898 (iSentrie)
• locales/tr: syntax error (#1905) #1905 (FingerlessGloves)
• server: player inventory access security (Linden)
• client: disable hotbar keybind when invHotkeys are disabled (#6) #1924 (ANTOND.)
• modules/ox: use GetVehicleFromEntity. (#10) #1924 (Zoo)
• use drop convars for newdrop inventory (#20) #1924 (ANTOND.)
• server: nil check before accessing inventory instance (#19) #1924 (ANTOND.)
• inventory/server: remove item if swap fail to prevent dupe (#28) #1924 (Ceeb)
• server: improve count validation and extra type checks (#23) #1924 (ANTOND.)
• client: allow searching inventory for players with police job or target with canSteal (#35) #1924 (Devexity)
• inventory/server: prevent ammo from creating invalid metadata when removed from weapons (#39) #1924 (mikigoalie)
• inv/client: trunk access if entity is exploded (#46) #1924 (mikigoalie)
• client/inventory: corrected arg (#48) #1924 (mikigoalie)
• server: missing invtype check (#53) #1924 (Maximus7474)
• server: inventory type missmatch for temporary stashes (#55) #1924 (Maximus7474)
• bridge/qbx: clamp new player status values (#57) #1924 (SamyHub)
• client: weaponwheel manual override being "cancelled" by exiting vehicle (#78) #1924 (Maximus7474)
• client: disable hotbar keybind when invHotkeys are disabled (#6) #1924 (ANTOND.)
• modules/ox: use GetVehicleFromEntity. (#10) #1924 (Zoo)
• use drop convars for newdrop inventory (#20) #1924 (ANTOND.)
• server: nil check before accessing inventory instance (#19) #1924 (ANTOND.)
• inventory/server: remove item if swap fail to prevent dupe (#28) #1924 (Ceeb)
• server: improve count validation and extra type checks (#23) #1924 (ANTOND.)
• client: allow searching inventory for players with police job or target with canSteal (#35) #1924 (Devexity)
• inventory/server: prevent ammo from creating invalid metadata when removed from weapons (#39) #1924 (mikigoalie)
• inv/client: trunk access if entity is exploded (#46) #1924 ([mikigoalie](4dd2c9...