Can plugins cause trouble at all?

A very generic question about plugins, home-made, shared or downloaded. If one installs a plugin, no matter how well made (or not), and over the coming days and weeks the data, the app and/or the plugin changes ... I add new data, Laurent releases a new version, the plugin doesn't keep up with it, etc. etc ...
CAN this by any means spell MORE trouble than changes to the db and the app alone could ever do? In other words

  • is the API design (considered) fail-safe, or
  • is every single plugin an extra risk?

Plugins don't have direct access to the database and cannot wreak havoc there.

However, they can manipulate your notes. As with all software, plugins can also have bugs. I haven't tried it, but I think a malicious actor could delete your notebooks. But so could Joplin.

The plugin system does not have a permission concept, so every plugin has access to every public API that is available. But, please note that the public API was designed for the plugins.


Of course Joplin could do this too, I agree. But generally my personal trust level towards the Joplin dev is different than towards an unknown plugin dev. Major damage is easy to spot and to come by with backups. But some minor deletes, etc. could go a long way before being detected, and by then the backups may already have been replaced. Considering the full scope of your answer (thanks again!) ... I guess I keep my Joplin carefree and plugin-free :wink:

The information between the plug-in developer and the author is asymmetrical, which is an inevitable problem for plug-in development.

@ajay
Concerning security aspects: If you are familiar with the Node.js/NPM ecosystem, you can easily clone the plugin repository, take a (brief or more in-depth) look at its source code and build the .jpl archive yourself. This way you can be sure there is nothing fishy going on.

Concerning database integrity: it certainly depends on the type of plugin. Let's say it is about a user interface enhancement; then there is less chance of any data "corruption" or loss. In the worst case, the plugin will crash or disturb Joplin program/UI execution. Then the simple solution is to just remove the plugin, e.g. from the plugins folder, and you should be good to go again.
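The two checks the reply above suggests (look at what a plugin archive actually contains before dropping it into the plugins folder, and compare a downloaded archive against one you built yourself from the cloned source) can be scripted. The following is an added example, not code from the Joplin project or from anyone in this thread. It assumes, as a labelled assumption, that a .jpl archive is a plain tar file carrying manifest.json and the bundled index.js; the manifest keys checked and the sample archives are constructed for the example.

```python
import hashlib
import io
import json
import tarfile

# Assumption (not stated in the thread): a Joplin .jpl plugin archive is a plain
# tar file that holds manifest.json plus the bundled index.js. Adjust if your
# build produces something else.
REQUIRED_MANIFEST_KEYS = ("manifest_version", "id", "app_min_version", "version", "name")


def build_sample_jpl(manifest: dict, files: dict) -> bytes:
    """Construct an in-memory .jpl-style tar archive (constructed sample data for this example)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = {"manifest.json": json.dumps(manifest).encode()}
        payload.update({name: body.encode() for name, body in files.items()})
        for name, data in payload.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_of(archive: bytes) -> str:
    """Digest used to compare a downloaded .jpl with the one built from the cloned repository."""
    return hashlib.sha256(archive).hexdigest()


def inspect_jpl(archive: bytes, max_member_bytes: int = 5_000_000) -> dict:
    """Summarise what an archive would put into the plugins folder, without installing it.

    Findings are defensive hygiene checks: path entries that would escape the
    plugin directory, link entries, oversized members, and a missing or
    incomplete manifest. An empty findings list means nothing obvious stood out;
    it does not replace reading the source.
    """
    report = {"members": [], "manifest": None, "findings": []}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            report["members"].append(member.name)
            if member.name.startswith("/") or ".." in member.name.split("/"):
                report["findings"].append(f"unsafe path: {member.name}")
            if member.issym() or member.islnk():
                report["findings"].append(f"link entry: {member.name}")
            if member.size > max_member_bytes:
                report["findings"].append(f"oversized member: {member.name} ({member.size} bytes)")
        try:
            manifest_file = tar.extractfile("manifest.json")
        except KeyError:
            manifest_file = None
        if manifest_file is None:
            report["findings"].append("manifest.json missing")
        else:
            manifest = json.loads(manifest_file.read())
            report["manifest"] = manifest
            for key in REQUIRED_MANIFEST_KEYS:
                if key not in manifest:
                    report["findings"].append(f"manifest lacks {key}")
    if "index.js" not in report["members"]:
        report["findings"].append("index.js missing")
    return report


if __name__ == "__main__":
    # Constructed sample: a well-formed archive and one with an escaping path.
    good = build_sample_jpl(
        {"manifest_version": 1, "id": "com.example.demo", "app_min_version": "2.0",
         "version": "1.0.0", "name": "Demo plugin"},
        {"index.js": "module.exports = {};"},
    )
    suspicious = build_sample_jpl({"id": "com.example.odd"}, {"../evil.js": "// would land outside the plugin dir"})
    print(sha256_of(good))
    print(inspect_jpl(good)["findings"])
    print(inspect_jpl(suspicious)["findings"])
```

In practice you would call `sha256_of` on the downloaded .jpl and on the one produced by your own build of the cloned repository; matching digests tell you the published archive came from the source you read. `inspect_jpl` is a quick look at the archive itself, which is worth doing even when you skip the full source review.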