Risks when using community nodes
Installing community nodes from npm means you are installing unverified code from a public source into your SMS-iT Workflow instance. This has some risks.
Risks include:
- System security: community nodes have full access to the machine that SMS-iT Workflow runs on, and can do anything, including malicious actions.
- Data security: any community node that you use has access to data in your workflows.
- Breaking changes: node developers may introduce breaking changes in new versions of their nodes. A breaking change is an update that breaks previous functionality. Depending on the node versioning approach that a node developer chooses, upgrading to a version with a breaking change could cause all workflows using the node to break. Be careful when upgrading your nodes.
SMS-iT Workflow vets verified community nodes
In addition to the publicly available community nodes from npm, SMS-iT Workflow inspects some nodes and makes them available as verified community nodes inside the nodes panel. These nodes have to meet a set of data and system security requirements for approval.
Report bad community nodes
You can report bad community nodes to security@SMS-iT Workflow.io
Disable community nodes
If you are self-hosting SMS-iT Workflow, you can disable community nodes by setting SMS-iT Workflow_COMMUNITY_PACKAGES_ENABLED to false. On SMS-iT Workflow cloud, visit the Cloud Admin Panel and disable community nodes from there. See troubleshooting for more information.