Sure, the plugin hooks still need to be implemented. It wouldn't make much sense to do that now before any actual use case exists; then the hooks would remain unused or wouldn't even work properly. That's why it should be implemented together with a proof of concept plugin.
It's not necessary to learn Rust to improve mod tools in Lemmy. There can be external mod tools implemented as API clients using any language, such as LemmyAutomod. It's also possible to add plugin support for Lemmy, which again can be implemented in various languages thanks to WebAssembly.
This is not true, Lemmy can definitely have plugins and there is an extensive discussion about this topic. The conclusion is that plugins should be implemented in WebAssembly, so that they can be written in many different languages. See Extism for details. What's needed is someone with a clear use case who can implement a proof of concept, as it wouldn't make sense to add plugin hooks that no one uses.
Also, mod tools can be implemented as API clients such as LemmyAutomod.
One of the comments mentions that another app can trigger search through an Android intent. So it's better to be safe and close any potential vulnerabilities, but this doesn't seem particularly useful for an attacker.
I don't have time to read all that. The problem with Beehaw is that the admins are extremely entitled, as if we had some obligation to work for them for free. Similar to what is described in OP.
However, we are consistently improving the mod tools, and accept contributions in that area. You can see in the dev updates.
I'm a former contributor to F-Droid with various merged pull requests. Looking at the indicated pull request I really doubt that it was an intentional attack. First of all, it's easy to forget for a new developer to escape SQL parameters, and the docs don't even mention a risk of SQL injection attacks. And of the users pushing for the PR to be merged, one is a long-time F-Droid contributor, and the other also looks like a real human with many contributions in other repos, so no sockpuppets in sight.
It simply looks like standard open source behaviour, for better or for worse. A new user makes a contribution for a highly demanded feature, and users want it to get merged as soon as possible. Maintainers are discussing the big picture of the change and want to avoid breaking changes, without getting into code review yet. The new contributor seems unwilling to make any design changes to his PR, and gets frustrated that it doesn't get merged as is. The potential vulnerability is only noticed half a year after the PR was opened, at which point it was already de facto abandoned. So not an attack, but simply a developer who is new to open source and doesn't understand how the process works.
We only do major versions around once a year, so those could still be named, while using numbers for minor versions. Lemmy is more user-facing than React, so it would make sense to have a more user-friendly versioning.
I see now, if an instance has any site languages configured those will be applied for new users. You can see it in /api/v3/site field discussion_languages. However both lemmy.world and lemm.ee return all languages there.