Community Plugin - Security Hint and Quality Gate

I agree with this. I think we can’t reasonably expect that plugin devs provide support as if it was a full-time job. Most people in the community are creating and maintaining plugins as volunteers, in their free time, out of the goodness of their hearts and with the intention to help as many people as they can.

A developer agreement that includes this, once a dev has decided to stop maintaining a plugin, sounds reasonable to me:

The remaining three points are good practices, and without the time pressure, would probably be adopted by plugin devs to the best of their abilities. I believe we will get a lot further if we kindly support these volunteers, so they can keep doing the great job that they are doing. These could be added to the PR template (strike-through and bold are my edits):

Some server-side checks that inform users in the plugin store when the last release was, and whether there are any known dependency vulnerabilities for it, sound reasonable to me.

As a user, you can also take up part of this workload and periodically review your plugins, e.g. with Snyk or another scanner of your choice, and of course open PRs to solve such issues.

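The two store-side hints proposed in the post above (time since the last release, and locked dependencies that match a known advisory), as an added example that is not part of the original post and not any plugin store's real code. It assumes a `package-lock.json` v2/v3 `packages` map as the dependency source, advisories in a simplified OSV-like shape (`package`, `introduced`, `fixed`), and a hypothetical 365-day staleness threshold; the plugin, lockfile and advisory records are constructed for the example and name no real packages.

```javascript
// Added example: "plugin store hint" checks. Not from the original post.
// Assumptions: package-lock v2/v3 "packages" map; OSV-like advisory ranges
// (affected if introduced <= version < fixed); 365 days without a release
// counts as stale. All sample data below is constructed.

const STALE_AFTER_DAYS = 365; // assumption, not a value from the thread

// Parse "MAJOR.MINOR.PATCH" (a pre-release or build suffix is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-part numeric comparison: -1, 0 or 1.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// OSV-style range semantics: affected if introduced <= version < fixed.
// A missing "fixed" means no fixed version has been published yet.
function versionAffected(version, range) {
  const introduced = range.introduced === "0" ? "0.0.0" : range.introduced;
  if (compareSemver(version, introduced) < 0) return false;
  if (range.fixed !== undefined && compareSemver(version, range.fixed) >= 0) return false;
  return true;
}

// Walk the lockfile "packages" map. Keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/bar"; the package name is whatever follows
// the last "node_modules/". The "" key is the plugin itself and is skipped.
function lockedDependencies(lock) {
  const deps = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    deps.push({ name, version: entry.version, dev: Boolean(entry.dev) });
  }
  return deps;
}

// Match every locked dependency (including nested copies) against every
// advisory published for that package name.
function auditDependencies(lock, advisories) {
  const findings = [];
  for (const dep of lockedDependencies(lock)) {
    for (const adv of advisories) {
      if (adv.package !== dep.name) continue;
      if (adv.ranges.some((r) => versionAffected(dep.version, r))) {
        findings.push({
          id: adv.id,
          package: dep.name,
          version: dep.version,
          dev: dep.dev,
          fixed: adv.ranges.map((r) => r.fixed).find(Boolean), // undefined if unfixed
        });
      }
    }
  }
  return findings;
}

// Whole days between the last release and `nowIso`; "now" is passed in so
// the result is reproducible instead of depending on the wall clock.
function daysSinceRelease(lastReleaseIso, nowIso) {
  return Math.floor((Date.parse(nowIso) - Date.parse(lastReleaseIso)) / 86400000);
}

// The combined hint a store listing could render. Dev-only dependencies do
// not ship to users, so their findings are reported separately rather than
// mixed in with the runtime ones.
function pluginHints(plugin, advisories, nowIso) {
  const days = daysSinceRelease(plugin.lastRelease, nowIso);
  const findings = auditDependencies(plugin.lock, advisories);
  return {
    daysSinceRelease: days,
    stale: days > STALE_AFTER_DAYS,
    runtimeVulnerabilities: findings.filter((f) => !f.dev),
    devOnlyVulnerabilities: findings.filter((f) => f.dev),
  };
}

// ---- Constructed sample data: fictional plugin, packages and advisory IDs ----
const SAMPLE_PLUGIN = {
  name: "example-plugin",
  lastRelease: "2023-01-15T00:00:00Z",
  lock: {
    lockfileVersion: 3,
    packages: {
      "": { name: "example-plugin", version: "1.4.0" },
      "node_modules/demo-markdown": { version: "2.3.1" },
      "node_modules/demo-bundler": { version: "0.9.0", dev: true },
      "node_modules/demo-bundler/node_modules/demo-markdown": { version: "2.5.0", dev: true },
    },
  },
};

const SAMPLE_ADVISORIES = [
  { id: "CONSTRUCTED-2023-0001", package: "demo-markdown", ranges: [{ introduced: "0", fixed: "2.4.0" }] },
  { id: "CONSTRUCTED-2023-0002", package: "demo-bundler", ranges: [{ introduced: "0.8.0" }] }, // unfixed
];

const SAMPLE_HINTS = pluginHints(SAMPLE_PLUGIN, SAMPLE_ADVISORIES, "2024-06-01T00:00:00Z");
console.log(JSON.stringify(SAMPLE_HINTS, null, 2));
```

With the constructed data, the runtime copy of `demo-markdown` (2.3.1, below the fixed 2.4.0) is flagged, the nested 2.5.0 copy under the bundler is not, and the dev-only bundler is reported separately as affected with no fix available; the release date is 503 days old, so the listing would also be marked stale.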