by csunbird 1606 days ago
What is the difference between downloading a WordPress plugin and running it on your server and downloading a jar from Maven/a JS package from npm and running it?
2 comments

Nothing. These are also very, very dangerous and expose your site to supply-chain attacks.

The article linked here [0] is a must-read for everyone who feels that adding a dependency is safe.

[0] https://medium.com/hackernoon/im-harvesting-credit-card-numb...

I work with C#; most (all?) NuGet packages I download are open source, which isn't the case for a lot of WP plugins that are obfuscated.

They're also centrally managed by Microsoft, so if there was a problem with one package they could kick it out of the NuGet repo.

But in the end you're right, it's mostly a matter of trust and fingers crossed.