This patch delivers a major overhaul to the Web Monitor module, critical security hardening across the entire web stack, and targeted performance fixes
identified through a full codebase audit.

Note: The Web Monitor Dashboard is currently in EXPERIMENTAL phase. It is disabled by default and must be manually enabled in web.yml. Features, endpoints, and configuration options may change in future releases without prior notice.
FIX JAR (WEB)

Web Dashboard — Complete Rewrite (EXPERIMENTAL)

• Two-tier data collection system: Fast metrics (TPS, MSPT, memory, players) update every 2 seconds. Heavy data (entity breakdown, chunk hotspots) updates every 10 seconds. This eliminates main thread impact when the dashboard is in use.
• Client-awareness gate: Data collection is completely skipped when no one is viewing the dashboard. Zero overhead when unused.
• Removed block scanning: The previous triple-nested loop that scanned blocks for pistons every cycle has been replaced with tile entity scanning only —
  dramatically reducing per-cycle cost.
• Chunk scan cap: Hotspot analysis now processes only the top 200 chunks by tile entity count instead of scanning all loaded chunks.
• Module Statistics panel: The dashboard now displays real-time stats from active modules — frozen entities (EntityOptimizer), lobotomized villagers
  (VillagerOptimizer), items moved and registered hoppers (HopperOptimizer), chunks unloaded (ChunkOptimizer), and throttled redstone chunks
  (RedstoneTickLimiter).
• MSPT History chart: A new chart displays MSPT (milliseconds per tick) history alongside the existing TPS chart, with a 50ms danger line indicator.
• Alert system: Visual banners appear when TPS drops below 15 (warning) or below 10 (critical), and when memory usage exceeds 85% (warning) or 95%
  (critical).
• Action log: A new section shows recent optimization actions performed by the plugin in real-time.
• Copy coordinates: Click any coordinate in the players table or hotspots table to copy a /tp command directly to your clipboard.
• Search filters: Filter players by name or world, and filter entities by type using the new search inputs.
• Last update indicator: The header now shows "Live" or "Updated Xs ago" so you always know data freshness.
• Header color feedback: The header border subtly changes color based on server health — green (healthy), yellow (moderate), red (critical).
• Favicon: Both the login page and dashboard now display a branded "S" favicon.

Security Hardening

• PBKDF2 password hashing: Upgraded from SHA-256 (single-pass) to PBKDF2-HMAC-SHA256 with 600,000 iterations. Passwords are automatically re-hashed on
  first startup. The plain-text password is removed from web.yml and replaced with the hash.
• Zero hardcode policy enforced: All configuration values (port, host, username, password, session timeout, login attempts, lockout duration, update
  interval, TPS history size) are read exclusively from web.yml. Missing or invalid values disable the web module with a warning — no fallback defaults in
  code.
• Timing-safe username comparison: Username verification now uses MessageDigest.isEqual() for constant-time comparison, preventing timing attacks.
• CORS enforcement: The allowed-origins configuration is now actively enforced against the Origin header. Previously loaded but never applied.
• CSP tightened: Removed 'unsafe-inline' from Content-Security-Policy. Removed broad ws: wss: from connect-src. Added frame-ancestors 'none'. Login page
  CSS and JS moved to external files to comply.
• Removed deprecated X-XSS-Protection header: This header has been deprecated since Chrome 78 and can cause issues in modern browsers.
• WebSocket connection cap: Maximum 10 simultaneous WebSocket connections. Excess connections are rejected with code 4008.
• WebSocket session re-validation: Active WebSocket connections now re-validate their session token on every broadcast cycle. Expired sessions are
  automatically disconnected.
• Session cleanup scheduled: Expired sessions and lockout entries are now automatically cleaned every 60 seconds.
• Version information reduced: The dashboard now displays only the Minecraft version (e.g., "1.21.1") instead of the full server string that previously
  exposed the server software, fork name, and build number.
• Protected /api/status: This endpoint now requires authentication. Previously accessible without login.
• Unauthenticated /health endpoint: A new /health endpoint returns only {"status":"ok"} for external monitoring tools (UptimeRobot, Pterodactyl health
  probes) without exposing any server details.
• No-cache headers: All responses include Cache-Control: no-store and Pragma: no-cache to prevent browser caching of sensitive dashboard data.
• Safe resource loading: Internal path exposure removed — missing resources return an empty string instead of "Resource not found: path/to/file".
• Silenced Javalin/SLF4J stderr output: Javalin startup logs and SLF4J warnings no longer pollute the server console.
• Default host changed to 127.0.0.1: New installations bind to localhost only instead of all interfaces, preventing accidental public exposure.

Performance Fixes

• EntityOptimizer cleanup: O(1) instead of O(n*m): The frozen entity cleanup task previously scanned world.livingEntities for every cached entity ID. Now

• EntityOptimizer cleanup: O(1) instead of O(n*m): The frozen entity cleanup task previously scanned world.livingEntities for every cached entity ID. Now
  uses UUID-based Bukkit.getEntity() lookups — constant time per entity instead of linear scan.

• Dead code removed: Deleted optimizeWorld() (~60 lines) and restoreNearbyEntities() (~30 lines) — both superseded by their batched counterparts but still
  present in the codebase.

• forceOptimize() no longer stalls main thread: Previously called the unbatched optimizeWorld() method. Now uses inline iteration with try-catch per
  entity.

• Shared suspendOnMainThread utility: Extracted the duplicated runOnMainThread suspend function from EntityOptimizer and VillagerOptimizer into a shared
  SchedulerUtil.suspendOnMainThread() method.

• Shutdown deadlock fixed: Replaced runBlocking { scope.cancelAndJoin() } in onDisable() with non-blocking scope.cancel(). The previous implementation
  could deadlock if any coroutine was awaiting the main thread via suspendOnMainThread.

• Redundant shutdown scan removed: nmsManager.restoreAllEntities() was called in onDisable() after entityOptimizer.shutdown() — which already restores all
  entities. The duplicate full-world scan has been removed.

• WebSocket broadcast optimized: gson.toJson() is now called once per broadcast cycle instead of once per connected client.

Configuration Changes

web.yml — The following defaults have changed:

• host default changed from "0.0.0.0" to "127.0.0.1"
• auth.password is now automatically hashed on first startup (prefixed with HASHED:)
• All fields are now required — missing fields disable the web module

Compatibility

• Supports Paper, Spigot, and Purpur from 1.17 to 26.1
• Folia detection present (EntityOptimizer auto-disables on Folia)
• Java 17+ required

ServerBooster v26.1

Full compatibility update for Minecraft's new year-based versioning, plus major stability, security, and bug fix improvements.

🆕 Minecraft 26.1.x Compatibility

• Full support for the new version scheme — ServerBooster now correctly detects and runs on Minecraft 26.1, 26.1.1, 26.1.2, and any future 26.1.x
  hotfix releases.
• Updated NMS resolution — Internal server class lookups now handle Mojang-mapped class names used in 26.1, with automatic fallback for older
  versions.
• Supported version range: 1.17 - 26.1.x — Covers Paper and Spigot from 1.17 through the latest 26.1.x release.

🔧 Bug Fixes

• Block Limiter off-by-one fixed — Limits now work correctly. A limit of 4 allows exactly 4 blocks, not 3. This affected all category limits (hoppers,
  chests, crafting tables, enchanting tables, etc.), custom material limits, and entity placement limits (item frames, paintings).
• Block Limiter cache poisoning fixed — After a denied placement, the count cache could store incorrect values for up to 5 seconds, causing additional
  false denials. Cache is now properly invalidated on every placement attempt.
• Block Limiter deny message now shows accurate count — The message no longer inflates the count with the temporarily placed block.
• Hologram checksum migration — Items stacked before this update are now automatically migrated to the new checksum format without data loss.

🔒 Security Improvements

• Hologram item checksum hardened — Stack integrity checksums now use a unique per-server salt, preventing PDC manipulation exploits that could allow
  item duplication.
• Hopper ground item pickup race condition patched — Added UUID-based locking to prevent two hoppers from processing the same ground item
  simultaneously.
• Hopper statistics are now thread-safe — Transfer counters migrated to atomic operations.
• Redstone tick limiter no longer holds block references in queue — Queued throttled updates now store coordinates instead of direct block references,
  preventing potential issues with unloaded chunks.

⚡ Performance Optimizations

• NMS NamespacedKey cached — The frozen entity tag key is now created once at startup instead of on every entity check, eliminating thousands of
  unnecessary object allocations per optimization cycle.
• TPS access optimized — The plugin now uses Paper's native TPS API directly instead of falling back to NMS reflection.
• Entity Optimizer dead entity cleanup — Added periodic cleanup of frozen entity IDs for entities that no longer exist, preventing unbounded memory
  growth on long-running servers.
• Hologram clear uses targeted entity lookup — Uses efficient class-filtered entity lookup instead of iterating all world entities.

🛡️ Stability Improvements

• Coroutine lifecycle completely reworked — The plugin scope is now properly cancelled with join on shutdown, ensuring all async operations complete
  cleanly before the plugin disables.
• Orphan coroutine scope removed from commands — The command handler now shares the plugin's managed scope instead of creating its own untracked
  scope.
• Villager Optimizer main-thread bridge rewritten — Replaced unreliable deferred pattern with proper coroutine suspension, fixing potential task leaks
  on cancellation.
• Entity Optimizer error handling fixed — Exceptions in coroutines are now properly propagated instead of being silently converted to cancellation
  signals.
• Structured concurrency enforced — Fixed multiple catch blocks that were swallowing cancellation exceptions, which could cause coroutine leaks during
  plugin reload.
• Entity validity checks added — Batch entity processing now verifies entity validity before applying optimizations.
• Event priorities corrected in Hologram Manager — Item spawn and player drop events changed from observe-only to active priority, following the
  Bukkit event contract.

📦 Other Changes

• Config data classes use immutable lists — World lists in configuration models are now immutable, preventing accidental modification at runtime.
• Tab completion filtered by permissions — Players now only see commands they have permission to use in tab suggestions.
• Dead code removed — Cleaned up unused classes and redundant logic.

Compatibility

Upgrade Notes

• Drop-in replacement for any previous version. No configuration changes required.
• Stacked items from previous versions will be automatically migrated on first load.
• A checksum-salt value is generated in config.yml on first startup — do not modify this value.

Download Last Version: https://github.com/SrCodexStudio/ServerBooster/releases/tag/v26.1

ServerBooster v3.5.1

Major stability and security update with 25+ improvements across the entire plugin.

🔧 Bug Fixes

• Block Limiter off-by-one fixed — Limits now work correctly. A limit of 4 allows exactly 4 blocks, not 3. This affected all category limits (hoppers,
  chests, crafting tables, enchanting tables, etc.), custom material limits, and entity placement limits (item frames, paintings).
• Block Limiter cache poisoning fixed — Previously, after a denied placement, the count cache could store incorrect values for up to 5 seconds,
  causing additional false denials. Cache is now properly invalidated on every placement attempt.
• Block Limiter deny message now shows accurate count — The message no longer includes the temporarily placed block in its count.
• Hologram checksum migration — Items stacked before this update are now automatically migrated to the new checksum format without data loss.
  Previously, updating could reset stacked items to 1.

🔒 Security Improvements

• Hologram item checksum hardened — Stack integrity checksums now use a unique per-server salt, preventing PDC manipulation exploits that could allow
  item duplication.
• Hopper ground item pickup race condition patched — Added UUID-based locking to prevent two hoppers from processing the same ground item
  simultaneously.
• Hopper statistics are now thread-safe — Transfer counters migrated to atomic operations.
• Redstone tick limiter no longer holds block references in queue — Queued throttled updates now store coordinates instead of direct block references,
  preventing potential issues with unloaded chunks.

⚡ Performance Optimizations

• NMS NamespacedKey cached — The frozen entity tag key is now created once at startup instead of on every entity check, eliminating thousands of
  unnecessary object allocations per optimization cycle.
• TPS access optimized — The plugin now uses Paper's native TPS API directly instead of falling back to NMS reflection.
• Entity Optimizer dead entity cleanup — Added periodic cleanup of frozen entity IDs for entities that no longer exist, preventing unbounded memory
  growth on long-running servers.
• Hologram clear uses targeted entity lookup — clearHolograms now uses getEntitiesByClass instead of iterating all world entities.

🛡️ Stability Improvements

• Coroutine lifecycle completely reworked — The plugin scope is now properly cancelled with cancelAndJoin() on shutdown, ensuring all async
  operations complete cleanly before the plugin disables. Previously, coroutines could continue running briefly after shutdown.
• Orphan coroutine scope removed from commands — The command handler now shares the plugin's managed scope instead of creating its own untracked
  scope.
• Villager Optimizer main-thread bridge rewritten — Replaced CompletableDeferred pattern with proper suspendCancellableCoroutine, fixing potential
  task leaks on coroutine cancellation.
• Entity Optimizer error handling fixed — Exceptions in coroutines are now properly propagated instead of being silently converted to cancellation
  signals.
• CancellationException properly re-thrown — Fixed multiple catch blocks across Entity Optimizer and Villager Optimizer that were swallowing
  cancellation exceptions, which could break structured concurrency.
• Entity validity checks added — Batch entity processing now verifies entity.isValid alongside isDead checks before applying optimizations.
• Event priorities corrected in Hologram Manager — Item spawn and player drop events changed from MONITOR (observe-only) to HIGH priority,
  following Bukkit event contract.

📦 Other Changes

• Config data classes use immutable lists — World lists in configuration models are now List instead of MutableList, preventing accidental
  modification at runtime.
• Tab completion filtered by permissions — Players now only see commands they have permission to use in tab suggestions.
• Removed dead code — Cleaned up unused ChunkPosition class and redundant entity.remove() call after event cancellation.

Compatibility

• Minecraft: 1.17 - 1.21.x
• Server Software: Paper, Spigot
• Java: 17+

Upgrade Notes

• Drop-in replacement for any 3.x version. No configuration changes required.
• Stacked items from previous versions will be automatically migrated on first load.
• The plugin generates a checksum-salt value in config.yml on first startup — do not modify this value.

ServerBooster v3.0.2

Hotfix: Hopper Furnace Behavior + Stability Patches

• Paid version (not required, it’s only to support the project); you get direct access to the version.
  https://builtbybit.com/resources/serverbooster.92479/updates

Hopper Optimizer Fix

• Fixed: Hoppers below furnaces were pulling fuel and input items instead of only pulling from the output slot (vanilla behavior)
• Now correctly respects vanilla slot restrictions for all special containers:
  • Furnace / Blast Furnace / Smoker: Only pulls from output slot (slot 2)
  • Brewing Stand: Only pulls from potion slots (0-2), not fuel or ingredient slots
  • Chests, Barrels, etc: Unchanged, pulls from all slots

Additional Fixes (included from v3.0.1 patch cycle)

Critical Memory Leaks Fixed

• Lag machine detector stored direct chunk references preventing garbage collection
• Plugin coroutine scope died after /reload, silently breaking background tasks
• VillagerOptimizer copied ALL world entities every 30 seconds instead of only villagers

Exploit Patches

• Piston bypass: Players could push limited blocks with pistons to bypass block placement limits
• Explosion bypass: TNT/creeper explosions destroyed tracked blocks without updating the limiter

Performance

• ChunkBlockLimiter: 1,400x faster block placement checks (was scanning 1.44M blocks per event)
• HopperOptimizer: No longer scans all loaded chunks every 8 ticks, uses a hopper registry instead
• VillagerOptimizer: Pre-computes player positions instead of expensive entity searches per villager
• NMS Reflection: Cached field lookups that previously ran on every entity tick

VillagerOptimizer

• Only affects villagers with a profession (traders). Normal villagers and Nitwits are ignored
• Stuck timer no longer resets when players are nearby
• First check runs 1 second after startup instead of 30 seconds
• EntityOptimizer no longer accidentally re-enables AI on lobotomized villagers

Bug Fixes

• Elytra riptide config was never read due to a typo in the config key
• /sb info now shows all 12 modules instead of 8
• maxItemsPerTransfer config option now actually works
• Block physics detector world list updates on /sb reload
• Physics warning threshold corrected from mislabeled nanoseconds to event count
• Chunk key collisions fixed for negative coordinates
• Particle effects now work on 1.20.5+ (name changes handled)
• Block tracking file save is now crash-safe (atomic file operations)
• Auto-save no longer loses dirty flags due to race condition
• Block tracking data properly cleaned from memory on world unload
• Despawned item UUIDs no longer leak memory in the hologram system

Technical Info

• Java: 17+
• Platforms: Paper, Spigot
• Versions: 1.17.x - 1.21.x

ServerBooster v3.0.1

Major Stability & Performance Update

What's New in v3.0.1

Comprehensive audit of all 12 modules. 36 issues identified and fixed, including 5 critical memory leaks, 2 exploit patches, and major performance optimizations.

Critical Fixes

• Memory Leak Fixed: The lag machine detector stored direct chunk references in memory, preventing garbage collection. Servers running for hours would see steadily increasing RAM usage. Now stores only coordinates, auto-evicts after 5 minutes.

• Memory Leak Fixed: After /reload, the plugin's background task system would silently stop working. Update checker, entity processing, and other async tasks would fail. Now properly re-creates the task system on every reload.

• Performance Fixed: The VillagerOptimizer copied ALL entities in the world (items, projectiles, mobs) every 30 seconds just to find villagers. On busy servers this caused lag spikes. Now uses server-optimized villager-only lookup.

• Exploit Patched: Players could use pistons to push limited blocks to new positions, bypassing block placement limits entirely. Piston movements now update block tracking.

• Exploit Patched: Explosions (TNT, creepers) destroyed tracked blocks without updating the limiter. Explosions now properly clean up tracking data.

Performance Improvements

• ChunkBlockLimiter: 1,400x faster

  • Before: Every block placement scanned 1.44 MILLION blocks.
  • After: Uses tile-entity scanning + spatial index + LRU cache.

• HopperOptimizer: No more chunk scanning

  • Before: Iterated ALL loaded chunks in ALL worlds every 8 ticks.
  • After: Maintains a registry of hopper locations. Only visits known hoppers.

• VillagerOptimizer: Smarter player detection

  • Before: Expensive entity search per villager per cycle.
  • After: Player positions computed once and reused with simple distance math.

• NMS Reflection: Cached lookups

  • Field lookups that ran on every entity tick are now cached at startup.

• EntityOptimizer: Respects VillagerOptimizer

  • No longer accidentally re-enables AI on intentionally lobotomized villagers.

Bug Fixes

• Elytra config was never read - Typo in code meant riptide trident settings were always ignored
• /sb info showed 8/12 modules - Missing 4 modules from the status display
• maxItemsPerTransfer had no effect - Config loaded but never used in hopper logic
• Physics detector didn't reload worlds - World list was stuck from first startup
• Physics threshold was mislabeled - Comment said "nanoseconds" but code compared event counts
• Chunk key collisions - Negative coordinates could collide with positive ones
• Particles crashed on 1.20.5+ - Particle names were renamed in newer versions
• Data loss on crash - Block tracking save used unsafe file operations
• Save race condition - Auto-save could lose track of unsaved changes
• Memory leak on world unload - Tracking data stayed in RAM forever after world unload

VillagerOptimizer Improvements

• Profession-only targeting - Only affects villagers with a job (Librarian, Farmer, etc.). Normal villagers and Nitwits are ignored.
• Faster detection - First check runs 1 second after startup instead of 30 seconds.
• Timer no longer resets near players - Previously, standing near a villager would reset the stuck timer every cycle, preventing optimization. Now the timer keeps counting.

Item Stacking (HologramItemManager)

• Despawned item cleanup - Items that despawned naturally left stale data in memory. Now cleaned up every 5 minutes.

Technical Info

• Java: 17+
• Platforms: Paper, Spigot
• Versions: 1.17.x - 1.21.x

Thank you for supporting ServerBooster!
_{Your purchase helps keep this project alive and actively maintained.}

Release Date: February 26, 2025
Compatible: Minecraft 1.17.1 - 1.21.x | Paper, Spigot

Bug Fixed: Piglin Bartering with Stacked Items

When a Piglin picked up a gold stack created by the item stacking system (e.g., 100 gold ingots), it only performed 1 trade instead of the expected 100 trades. This completely broke Piglin farms and bartering mechanics.

Root Cause:
The plugin ignored non-player entities, causing Piglins to see amount=1 instead of the real stacked amount stored in PDC.

Solution:
The plugin now properly restores the real item amount before mobs pick them up, allowing Minecraft to process all trades correctly.

What's Changed

• Added clearStackData() method to remove PDC stacking data
• Modified onEntityPickup to handle mob pickups correctly
• Events are now cancelled for items with PDC data, then restored for vanilla processing
• For stacks >64: splits into 64 + remainder item

How It Works Now

Example: 100 Gold Ingots
Tick 1: Item has PDC (amount=1, stacked=100)
 Piglin tries to pickup
 Plugin: CANCEL, restore amount=64, create item with 36
Tick 2: Piglin picks up 64 ingots (vanilla)
 64 trades performed
Tick 3: Piglin picks up 36 ingots
 36 trades performed
Result: 100 trades completed successfully

Performance

Zero lag - Maximum 1 entity spawned per pickup, regardless of stack size.

Installation

1. Download ServerBooster-3.0.0.jar
2. Replace the old JAR in your plugins/ folder
3. Restart your server

Full Changelog: v2.0.9...v3.0.0