Plugin package security / transparency

Hi All,

I’m trying to better understand plugin security and dependency management in Bubble, especially for third-party plugins.

There are two areas I’m hoping to get more clarity on:

Licensing and third-party packages
Many plugin authors rely on JavaScript libraries or other packages created by others. In most ecosystems, those packages come with licenses (MIT, Apache, GPL, etc.) that require certain disclosures or conditions.
How does Bubble ensure that plugin authors are only using packages they are properly licensed to use? Is there any way for app builders to verify this, or is it entirely handled at the plugin author / Bubble review level?

Security vulnerabilities and dependency visibility
With plugin creation becoming more accessible (and often assisted by LLMs), I’m concerned that dependency management might sometimes be overlooked, such as keeping packages up to date or being aware of (un)known vulnerabilities in specific versions.
Is there any way to see which external packages and versions are used by the plugins in an app? Having visibility into this would make it easier to perform vulnerability checks and make informed decisions about plugin usage or updates.

If any of this is based on a misunderstanding of how Bubble plugins work under the hood, I’d really appreciate being pointed in the right direction. I’m mainly trying to understand where vulnerabilities can arise, how to identify them, and what controls are realistically available to app builders.

Thanks in advance for any insight!!

Hi @DRRR - plugin author here. These are good questions that are (unfortunately) rarely considered!

I don’t know the exact details of the plugin review process, but I sense the Bubble team is more focused on testing the functionality of the plugins rather than checking that authors are correctly following the terms of a licence.

I suspect Bubble would claim responsibility for adhering to a license lies with the plugin author (interestingly, I can’t see anything specific on this point in the marketplace policies), but this is just speculation on my part.

If it’s an open-source plugin you can see the source code by:

Navigating to the plugin page → See plugin code

Libraries can be imported via a script in the header on the Shared tab:

Screenshot 2025-12-17 at 09.09.201658×508 51.1 KB

via a header on a specific element in the ‘Elements’ tab:

Screenshot 2025-12-17 at 09.14.491906×676 90 KB

or via the node modules section on server-side actions:

Screenshot 2025-12-17 at 09.12.311710×598 71.5 KB

If it’s a commercial plugin you won’t be able to see the source code, but you should be able to see any libraries being added via a header by checking the elements tab in dev tools.

I don’t think you’ll be able to see what node modules are being used in commercial plugins.

It would be quite useful to have a community tool that does an automatic check for outdated packages or packages with vulnerabilities. Potential idea @rico.trevisan, @lindsay_knowcode , @georgecollier ?

One last thought: the Bubble review process for commercial plugins seems more detailed than for open-source plugins. I’m not sure there’s even a human involved in the review of open-source plugins (I’m open to correction on this), so extra caution advised when installing them.

In my other life I’d just add dependabot into your github actions to start with. And some static code analysis tools ….

Thanks Alex!

Very useful response, appreciated.

In the past I was involved with building apps in Ruby. Our devs used Bundler Audit to keep packages up to date and check for vulnerabilities. I knew there were hundreds of packages in the app we built so I can imagine for Bubble there is a ton as well. Unfortunately as soon as I’m using my browser console I run into a huge knowledge gap .

A tool that would scan on vulnerabilties in packages would be awesome, especially if it would also check on best practices and certain risk, for example packages set to silent updates/ unpinned versions and untrusted storage locations.

Where some plugins and packages operate in the backend, I assume it will be more difficult to perform a browser based assessment on those (or are these low risk by default)?

No problem @DRRR.

I wouldn’t assume plugins that operate in the backend (i.e. those that use a server side plugin action) are necessarily lower risk. And unfortunately you’re not going to be able to see what packages those actions are using (for commercial plugins at least).

I while back I made this chrome extension to list all the Site jS library imports - (after the lottie debacle) - The idea was take the extracted list - drop it into chatGPT and get a risk assessment of all the imported libraries.

Thanks. Just installed it and ran the outcomes in GPT.

One commonly cited example of issues is the use of @latest in popular packages (Lottie you mentioned is indeed a well-known case). If I understand it correctly, the typical risk scenario looks like this:

A maintainer (or a compromised account) publishes a new version of a widely used package that includes malicious code. Any application that pulls @latest immediately starts executing that code. The issue is eventually discovered and patched, but during that window the malicious version is already running in production across many apps. Even if the “good” version is restored quickly, the damage window has already existed.

I understand from my LLM buddy that in teams nromally mitigate this by pinning versions, adding SRI(?), enforcing strict CSP rules, and continuously monitor dependency advisories. In Bubble, however, developers often cannot see, control, or override how a plugin author references these external packages.

The opposite problem also exists a lot: outdated pinned dependencies.

For example, I installed a simple “create PDF” plugin that hasn’t been updated in over two years. The plugin pins this version:

https://cdn.jsdelivr.net/npm/jspdf@1.5.3/dist/jspdf.min.js

That version has known issues acording to ChatGPT. Snyk reports XSS and ReDoS vulnerabilities and recommends upgrading to jsPDF 2.3.1+. The Bubble app developer has no practical way to upgrade or remediate this, because the dependency is buried inside the plugin and the plugin itself is no longer maintained. Menas you could fork the plugin and build something new but this creates a difficult situation:

• Bubble encourages extensibility through plugins (which is great).

• At the same time, responsibility for security risks is effectively pushed to end users.

• Those users often cannot inspect, update, monitor, or even see the third-party dependencies they are now responsible for.

From a no-code / low-code trust perspective, this feels misaligned. I think that many users explicitly choose the Bubble platform to avoid managing low-level dependency security, supply-chain risks, and vulnerability monitoring (on top of numerous other advantages but we’re focussing on security).

I fully understand the complexity here and that this may simply be a blind spot rather than an intentional design choice. That said, it’s easy to imagine these exact scenarios being the root cause of a future high-impact security incident, with serious ramifications for both app builders and the Bubble ecosystem as a whole.

At minimum, some form of visibility or monitoring tooling around plugin-embedded dependencies (versions, update status, known advisories) would go a long way toward addressing this gap.

Chat als came up with the following:

Below is Step 1 expressed cleanly as a formal threat model mapping, keeping it high-level and suitable for security, risk, or executive audiences.

Step 1 — Threat model mapping (STRIDE + CIA)

Primary risk

Uncontrolled third-party JavaScript execution via Bubble plugins

This risk arises when external JavaScript dependencies are embedded through plugins that:

Are opaque to the app owner

May be dynamically versioned (@latest) or outdated

Are not monitored for security advisories

Execute with full client-side privileges

STRIDE mapping

S — Spoofing

Malicious scripts can impersonate trusted client-side components

Fake UI elements, forms, or authentication flows can be injected

Users may unknowingly submit credentials or sensitive data

CIA impact: Confidentiality, Integrity

T — Tampering

Client-side logic can be altered at runtime

Form values, API requests, or workflow triggers can be modified before submission

Business rules enforced in the browser can be bypassed or manipulated

CIA impact: Integrity

R — Repudiation

Malicious code can manipulate analytics, logs, or telemetry

User actions may be misrepresented or obscured

Forensic reconstruction becomes unreliable

CIA impact: Integrity, Availability (operational trust)

I — Information Disclosure

DOM scraping, token theft, and data exfiltration are trivial once script execution is compromised

PII, session identifiers, API keys, and user-generated content can be silently leaked

Exfiltration can occur without visible user impact

CIA impact: Confidentiality (primary), Integrity (secondary)

D — Denial of Service

Malicious or buggy dependencies can crash the UI or block rendering

External CDN outages or dependency removals can break core functionality

Emergency takedowns during supply-chain incidents can cause widespread outages

CIA impact: Availability

E — Elevation of Privilege

Compromised scripts inherit the full trust of the application’s client-side context

Attacker-controlled code can execute privileged actions intended only for trusted logic

Combined with backend misconfigurations, this can enable broader compromise

CIA impact: Confidentiality, Integrity

CIA summary (executive view)

CIA Pillar

Impact Level

Rationale

Confidentiality

High

Silent data exfiltration and token theft are trivial once JS is compromised

Integrity

High

Business logic and user actions can be manipulated without detection

Availability

Medium

Outages are likely during incidents or CDN failures but are not the primary goal

Not sure what to make of this.