How Concerned Should One Be About Security When Using Community Plugins?

I stumbled upon Obsidian Addict, a website that assesses the security of each plugin and assigns it a ‘trust grade’. Intrigued, I looked up all the plugins I currently use and was alarmed to find that nearly half of them received poor security ratings.

Here’s, for example, Calendar’s grade:

I then looked up the top 15 plugins: five have ‘F’ security grades and quite a few have ‘critical’ vulnerabilities, including ‘Style Settings’ and ‘Minimal Theme Settings’, plugins that @kepano himself will encourage you to use with Minimal Theme:

Now, I’m neither a developer nor a cybersecurity specialist, and the website doesn’t provide more detail about the nature of these ‘vulnerabilities’ beyond what’s shown on the screenshots attached above. So how seriously should one take this?

The way that site is judging security is problematic: it only looks at the vulnerabilities of the dependencies of said plugin.
Pretty much every vulnerability in these dependencies cannot actually be exploited in the context of Obsidian.

And getting an F for not having a lockfile, I find questionable.
Maybe dock a few points, sure, but giving the worst possible grade is not reasonable imo.

And, unrelated to security, recency is a bad indicator: a lot of plugins do one job and do it well; they don’t need regular updates.

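As an added illustration of the point made in the reply above (not code from the thread, from Obsidian Addict or from any plugin), here is a small Python script that separates a plugin's build-only devDependencies from the dependencies that can actually reach the shipped main.js bundle, and records whether a lockfile is present. The package.json contents and file list are constructed samples; how the grading site really scores plugins is not known from this thread.

```python
import json
from pathlib import Path
# Lockfile names written by the common JavaScript package managers.
LOCKFILES = ("package-lock.json", "yarn.lock", "pnpm-lock.yaml")

def classify_dependencies(package_json: str) -> dict:
    """Split package.json into runtime and build-time dependencies.

    Obsidian plugins ship as a pre-bundled main.js, so "devDependencies"
    (typings, compiler, bundler) only run on the developer's machine;
    only "dependencies" can end up in the code that runs inside a vault.
    """
    manifest = json.loads(package_json)
    return {
        "runtime": sorted(manifest.get("dependencies", {})),
        "build_only": sorted(manifest.get("devDependencies", {})),
    }

def has_lockfile(file_names) -> bool:
    """True if any known lockfile is among the repository's top-level files."""
    return any(name in LOCKFILES for name in file_names)

def assess_plugin(package_json: str, file_names) -> dict:
    """Summarise what a dependency-list review can and cannot tell you."""
    deps = classify_dependencies(package_json)
    return {
        "runtime_deps": deps["runtime"],
        "build_only_deps": deps["build_only"],
        # Entries a naive "count every dependency" report would over-state.
        "entries_not_shipped": len(deps["build_only"]),
        "has_lockfile": has_lockfile(file_names),
    }

def assess_plugin_dir(plugin_dir: Path) -> dict:
    """Run the same assessment against a checked-out plugin repository."""
    manifest = (plugin_dir / "package.json").read_text(encoding="utf-8")
    return assess_plugin(manifest, [p.name for p in plugin_dir.iterdir()])

# Constructed sample, laid out like a typical TypeScript Obsidian plugin repo.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-plugin",
    "dependencies": {"moment": "^2.29.4"},
    "devDependencies": {"obsidian": "latest", "typescript": "^5.0.0",
                        "esbuild": "^0.17.0"},
})
SAMPLE_FILES = ["package.json", "main.ts", "manifest.json", "esbuild.config.mjs"]

if __name__ == "__main__":
    print(json.dumps(assess_plugin(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), indent=2))
```

Point `assess_plugin_dir` at a cloned plugin repository to see how many of its listed packages never leave the developer's machine, which is the context a dependency-only vulnerability count leaves out.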