Comment by kepano
18 hours ago
Every update is scanned, and we will be regularly re-scanning all the latest versions of every plugin as we improve the system. The review system is based on our eslint plugin, which is itself open source and reproducible, so anyone can contribute to improving it: https://github.com/obsidianmd/eslint-plugin
And since plugins are open source, users can also audit the code and flag issues via the Community site.
That's very cool - using a linter as a standardization system removes a lot of the guesswork out of submitting! But it's an unenviable challenge to guard against bad actors here - there's now an open-source oracle that an attacker could use to see if their technique would sneak by the review process, and they can have a coding agent iterate until successful.
I might encourage adding things like https://ofriperetz.dev/articles/eslint-plugin-security-is-un... or https://github.com/mozilla/eslint-plugin-no-unsanitized as things that flag for further review - and likely adding even more that you might not publicize as part of the eslint-plugin repository, so there's a more obscure level of protection that might catch a would-be attacker!
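To make the suggestion concrete, here is an added example of the kind of rule the comment above proposes: a small ESLint-style rule that flags HTML sinks (`innerHTML`, `outerHTML`, `insertAdjacentHTML`) fed with anything other than a string literal. It is not code from Obsidian's eslint-plugin or from mozilla/eslint-plugin-no-unsanitized. The rule object follows ESLint's real `create(context)` shape; the `walk`/`lint` harness and the ESTree fragments below are constructed stand-ins for ESLint's own parser and traversal so the block runs offline.

```javascript
// Added example (not Obsidian's eslint-plugin): an ESLint-shaped rule that flags
// HTML sinks assigned non-literal values, plus a tiny AST walker standing in for
// ESLint's traversal so the rule can be exercised without installing ESLint.

const HTML_SINK_PROPS = new Set(["innerHTML", "outerHTML"]);
const HTML_SINK_METHODS = new Set(["insertAdjacentHTML"]);

function isStringLiteral(node) {
  return node.type === "Literal" && typeof node.value === "string";
}

// The rule: report `x.innerHTML = <non-literal>` and
// `x.insertAdjacentHTML(position, <non-literal>)`. Static markup is left alone.
const noUnsanitizedHtml = {
  meta: { type: "problem", docs: { description: "flag non-literal HTML sinks for review" } },
  create(context) {
    return {
      AssignmentExpression(node) {
        const left = node.left;
        if (left.type === "MemberExpression" && !left.computed &&
            HTML_SINK_PROPS.has(left.property.name) && !isStringLiteral(node.right)) {
          context.report({ node, message: `non-literal value assigned to ${left.property.name}` });
        }
      },
      CallExpression(node) {
        const callee = node.callee;
        if (callee.type === "MemberExpression" && !callee.computed &&
            HTML_SINK_METHODS.has(callee.property.name)) {
          const html = node.arguments[1]; // second argument carries the markup
          if (html && !isStringLiteral(html)) {
            context.report({ node, message: `non-literal HTML passed to ${callee.property.name}` });
          }
        }
      },
    };
  },
};

// Minimal stand-in for ESLint's traversal: visit every node, dispatching by type.
function walk(node, visitors) {
  if (!node || typeof node.type !== "string") return;
  if (visitors[node.type]) visitors[node.type](node);
  for (const key of Object.keys(node)) {
    const child = node[key];
    if (Array.isArray(child)) child.forEach((c) => walk(c, visitors));
    else if (child && typeof child.type === "string") walk(child, visitors);
  }
}

// Run one rule over an ESTree AST and collect the messages it reports
// (a stand-in for ESLint's `context.report`).
function lint(ast, rule) {
  const reports = [];
  const visitors = rule.create({ report: (r) => reports.push(r.message) });
  walk(ast, visitors);
  return reports;
}

// Constructed ESTree fragments for three statements a plugin might contain:
//   el.innerHTML = noteContent;                          -> flagged
//   el.innerHTML = "<b>static</b>";                      -> literal markup, not flagged
//   el.insertAdjacentHTML("beforeend", noteContent);     -> flagged
function member(objName, propName) {
  return { type: "MemberExpression", computed: false,
           object: { type: "Identifier", name: objName },
           property: { type: "Identifier", name: propName } };
}
const sampleProgram = {
  type: "Program",
  body: [
    { type: "ExpressionStatement",
      expression: { type: "AssignmentExpression", operator: "=",
                    left: member("el", "innerHTML"),
                    right: { type: "Identifier", name: "noteContent" } } },
    { type: "ExpressionStatement",
      expression: { type: "AssignmentExpression", operator: "=",
                    left: member("el", "innerHTML"),
                    right: { type: "Literal", value: "<b>static</b>" } } },
    { type: "ExpressionStatement",
      expression: { type: "CallExpression",
                    callee: member("el", "insertAdjacentHTML"),
                    arguments: [ { type: "Literal", value: "beforeend" },
                                 { type: "Identifier", name: "noteContent" } ] } },
  ],
};

function findings() { return lint(sampleProgram, noUnsanitizedHtml); }

console.log(findings());
```

A rule like this is a triage signal, not a proof of safety: it surfaces the two non-literal sinks for a human reviewer and stays quiet on the static markup, which is exactly the "flag for further review" role the comment describes. In a real deployment the same `create` function would be registered with ESLint, which supplies the parser and traversal that `walk` and `lint` stand in for here.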
The system consists of a few different parts, the linter is only one part and is responsible for surfacing issues to the dev during development.
We have additional checks that also check the release assets to catch issues in dependencies etc, that part is not public.
Longtime (early adopter) Obsidian user here. Thank you for such an amazing tool. And congrats on the launch!
Curious if you considered oxlint^1? (It's a faster, simpler, near drop-in replacement for eslint.)
1. https://oxc.rs/docs/guide/usage/linter.html
It's the first I am hearing about it, but I'll take a look!