JSPM

pluginkit

0.3.3

    Package Exports

    • pluginkit
    • pluginkit/index.ts

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (pluginkit) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    @dotpenlabs/pluginkit

    PluginKit: a simple, tiny open source library for adding a plugin ecosystem to your app, securely. Lightweight, framework-agnostic plugin runtime for secure iframe-based plugin loading via manifest files and SHA-256 verification.


    🧩 What is this?

    PluginKit makes it easy to add safe, sandboxed plugins to your app — using static JSON manifests and hash verification.

    Ideal for:

    • open plugin ecosystems
    • web apps that need untrusted plugin loading
    • projects that want a zero-backend, verifiable plugin registry

    🔧 How it works

    • You publish a manifest.json with a url and a sha256 hash
    • PluginKit loads the iframe, verifies the hash, and mounts it
    • Plugins talk to your app via postMessage and events
    • No eval, no risk — just sandboxed plugins
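The verify-then-mount step from the list above, as an added example in JavaScript; this is not PluginKit's own code. The manifest field names (`id`, `url`, `sha256`), the helper names and the sample plugin page are assumptions made here. The SHA-256 routine is included only so the block runs offline and synchronously; a browser build would call `crypto.subtle.digest("SHA-256", bytes)` and compare the hex the same way.

```javascript
// Minimal SHA-256 (FIPS 180-4) over a Uint8Array, returning lowercase hex.
// Present only so this example runs stand-alone; in a browser use crypto.subtle.digest.
const K = new Uint32Array([
  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]);

function sha256Hex(bytes) {
  const H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
  // Padding: 0x80, zeros, then the 64-bit big-endian bit length, up to a multiple of 64 bytes.
  const padLen = (bytes.length + 9 + 63) & ~63;
  const msg = new Uint8Array(padLen);
  msg.set(bytes);
  msg[bytes.length] = 0x80;
  const dv = new DataView(msg.buffer);
  dv.setUint32(padLen - 8, Math.floor((bytes.length * 8) / 0x100000000));
  dv.setUint32(padLen - 4, (bytes.length * 8) >>> 0);
  const rotr = (x, n) => (x >>> n) | (x << (32 - n));
  const W = new Uint32Array(64);
  for (let off = 0; off < padLen; off += 64) {
    for (let t = 0; t < 16; t++) W[t] = dv.getUint32(off + t * 4);
    for (let t = 16; t < 64; t++) {
      const s0 = rotr(W[t - 15], 7) ^ rotr(W[t - 15], 18) ^ (W[t - 15] >>> 3);
      const s1 = rotr(W[t - 2], 17) ^ rotr(W[t - 2], 19) ^ (W[t - 2] >>> 10);
      W[t] = (W[t - 16] + s0 + W[t - 7] + s1) >>> 0;
    }
    let [a, b, c, d, e, f, g, h] = H;
    for (let t = 0; t < 64; t++) {
      const S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25);
      const ch = (e & f) ^ (~e & g);
      const T1 = (h + S1 + ch + K[t] + W[t]) >>> 0;
      const S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22);
      const maj = (a & b) ^ (a & c) ^ (b & c);
      const T2 = (S0 + maj) >>> 0;
      h = g; g = f; f = e; e = (d + T1) >>> 0;
      d = c; c = b; b = a; a = (T1 + T2) >>> 0;
    }
    H[0] = (H[0] + a) >>> 0; H[1] = (H[1] + b) >>> 0; H[2] = (H[2] + c) >>> 0; H[3] = (H[3] + d) >>> 0;
    H[4] = (H[4] + e) >>> 0; H[5] = (H[5] + f) >>> 0; H[6] = (H[6] + g) >>> 0; H[7] = (H[7] + h) >>> 0;
  }
  return H.map((x) => x.toString(16).padStart(8, "0")).join("");
}

const HEX64 = /^[0-9a-f]{64}$/;

// Compare the fetched plugin bytes with the manifest's sha256. Returns a decision only;
// it never mounts anything. A missing or malformed hash is treated as a failure, not a skip.
function verifyPluginSource(manifest, fetchedBytes) {
  const expected = String(manifest.sha256 ?? "").trim().toLowerCase();
  if (!HEX64.test(expected)) {
    return { ok: false, reason: "manifest sha256 missing or malformed", actual: null };
  }
  const actual = sha256Hex(fetchedBytes);
  if (actual !== expected) {
    return { ok: false, reason: "sha256 mismatch: fetched bytes differ from manifest", actual };
  }
  return { ok: true, reason: "verified", actual };
}

// Mount only bytes that passed verification, and via srcdoc rather than the remote URL,
// so the iframe runs exactly the bytes that were hashed (a second fetch could differ).
// Baseline sandbox is allow-scripts only: the plugin gets an opaque origin.
function mountVerifiedPlugin(doc, manifest, fetchedBytes) {
  const result = verifyPluginSource(manifest, fetchedBytes);
  if (!result.ok) throw new Error(`refusing to mount ${manifest.id}: ${result.reason}`);
  const iframe = doc.createElement("iframe");
  iframe.setAttribute("sandbox", "allow-scripts");
  iframe.srcdoc = new TextDecoder().decode(fetchedBytes);
  return iframe;
}

// Constructed sample (not a real plugin): a plugin page, its manifest, and a tampered copy.
const PLUGIN_HTML = new TextEncoder().encode("<!doctype html><p>sample plugin</p>");
const MANIFEST = {
  id: "example.plugin",                                  // assumed field names
  url: "https://plugins.example.invalid/plugin.html",
  sha256: sha256Hex(PLUGIN_HTML),
};
const TAMPERED_HTML = new TextEncoder().encode("<!doctype html><p>sample plugin</p><!-- -->");

console.log("genuine:", verifyPluginSource(MANIFEST, PLUGIN_HTML).reason);
console.log("tampered:", verifyPluginSource(MANIFEST, TAMPERED_HTML).reason);
```

In a real loader the bytes come from a fetch of `manifest.url`; the point of hashing the fetched bytes and then mounting those same bytes is that a host that serves different content on a later request cannot slip past the check.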

    Disclaimer

    PluginKit is a work in progress and may not always provide optimal performance and/or security. Please report performance bugs on our issue page, and security issues via the security page at dotpenlabs/dotpen.

    PluginKit now explicitly checks whether the plugin's load domain differs from the app's domain. The iframe sandbox is extended with allow-same-origin only if all three conditions hold: the plugin is served from a different domain, the app has explicitly enabled the allowInsecureSameOrigin option, and the plugin has the "pluginkit:allow-same-origin" permission.

    This prevents plugins hosted on the same domain as the app from gaining access to the app’s DOM, cookies, and localStorage, which would pose a serious security risk.

    Note: when allow-same-origin is granted, the plugin can still access data on its own plugin domain (e.g. other endpoints and plugins hosted there). Use this feature with caution. The recommendation is to use a separate (sub)domain for plugins, not a path or subfolder.
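The three-way decision described above, written out as an added example in JavaScript; it is not PluginKit's own implementation. The option name `allowInsecureSameOrigin` and the permission string `"pluginkit:allow-same-origin"` come from the text above; the manifest shape (`url`, `permissions` array), the function names and the sample URLs are assumptions. It compares full origins (scheme, host and port), which is at least as strict as the domain check the text describes, and it also shows why a plugin under a path on the app's own host never qualifies.

```javascript
// Decide which sandbox tokens a plugin iframe receives. allow-same-origin is added only
// when the plugin is cross-origin AND the app opted in AND the manifest declares the permission.
function sandboxTokensFor(appOrigin, manifest, options = {}) {
  const tokens = ["allow-scripts"]; // baseline: scripts run, but in an opaque origin
  let pluginOrigin;
  try {
    pluginOrigin = new URL(manifest.url).origin;
  } catch {
    return { tokens, sameOriginGranted: false, reason: "manifest url is not an absolute URL" };
  }
  // "null" is the opaque origin of blob:/data: URLs; treat it as not eligible either.
  const crossOrigin = pluginOrigin !== appOrigin && pluginOrigin !== "null";
  const appOptIn = options.allowInsecureSameOrigin === true;
  const pluginOptIn = Array.isArray(manifest.permissions)
    && manifest.permissions.includes("pluginkit:allow-same-origin");

  if (!crossOrigin) {
    return { tokens, sameOriginGranted: false,
      reason: "plugin shares the app origin; allow-same-origin would expose the app's DOM, cookies and localStorage" };
  }
  if (!appOptIn) {
    return { tokens, sameOriginGranted: false, reason: "app did not enable allowInsecureSameOrigin" };
  }
  if (!pluginOptIn) {
    return { tokens, sameOriginGranted: false, reason: "manifest lacks pluginkit:allow-same-origin" };
  }
  tokens.push("allow-same-origin");
  return { tokens, sameOriginGranted: true, reason: "cross-origin plugin with app and plugin opt-in" };
}

// Apply a decision to an iframe element (DOM-only; not exercised outside a browser).
function applySandbox(iframe, decision) {
  iframe.setAttribute("sandbox", decision.tokens.join(" "));
  return iframe;
}

// Constructed sample manifests (assumed shape), all requesting the permission unless noted.
const APP_ORIGIN = "https://app.example";
const SAMPLES = {
  // hosted under a path on the app's own host: never eligible, whatever the flags say
  samePath:  { url: "https://app.example/plugins/p.html",   permissions: ["pluginkit:allow-same-origin"] },
  // hosted on a separate subdomain, as the README recommends
  subdomain: { url: "https://plugins.app.example/p.html",   permissions: ["pluginkit:allow-same-origin"] },
  // separate subdomain but the plugin does not declare the permission
  noPerm:    { url: "https://plugins.app.example/p.html",   permissions: [] },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  const d = sandboxTokensFor(APP_ORIGIN, manifest, { allowInsecureSameOrigin: true });
  console.log(name.padEnd(10), d.tokens.join(" ").padEnd(32), d.reason);
}
```

Keeping the decision in one pure function makes it easy to log the reason alongside the sandbox string, which is what you want in a bug report when a plugin unexpectedly does or does not get `allow-same-origin`.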

    We recommend hosting plugins on trusted sources like GitHub Raw Content, so that you can review and approve plugins beforehand.


    🛠️ Example

    import { PluginKit } from "@dotpenlabs/pluginkit";
    
    const pk = new PluginKit({
        database:
            "https://raw.githubusercontent.com/dotpenlabs/PluginKit/main/repository.json",
        plugins:
            "https://raw.githubusercontent.com/dotpenlabs/PluginKit/main/plugins/",
        resumeAfterReload: true,
    });
    
    pk.add("nl.bijsven.pkg"); // downloads and stores the plugin in localStorage
    pk.load("nl.bijsven.pkg"); // enables the plugin
    pk.kill("nl.bijsven.pkg"); // kills all instances of nl.bijsven.pkg
    pk.status("nl.bijsven.pkg"); // gets the status of the pkg ("installed" | "active" | "dead")
    pk.send("nl.bijsven.pkg", "userpage_opened"); // sends <event> to the plugin
    pk.on("app:log_to_console", ({ plugin, data }) => {
        console.log(`${plugin} sends data`);
    });
    pk.remove("nl.bijsven.pkg");
    console.log(await pk.list());
    
    // the plugins folder needs to have 2 items;
    // - manifest.json (the manifest for the plugin)
    // - plugin.html (the plugin itself.)

    📦 Building

    To make a build:

    npm install -g bun
    bun build ./index.ts --outdir ./out --minify

    The output will be in ./out/index.js, and the example located in ./test/ will work with the new (local) build.