Overview

Build Tools

esbuild dominates — used by 80% of plugins. Rollup holds second place, commonly via the official Obsidian plugin template. A small fraction use no build step at all, typically simple plugins shipping plain JavaScript.

Lockfiles

78.0% of plugins include a lockfile. npm lockfiles are by far the most common, followed by pnpm and yarn. Plugins without a lockfile cannot have their builds verified — dependency versions may have drifted since release.

Node Versions

Node.js version distribution from CI workflow configs. 1,250 plugins specify a Node version in their CI configuration. The table below shows major version distribution.

CI/CD Coverage

52.2% of plugins have a release workflow in their repository. Among those using CI, package manager detection shows a strong preference for pnpm over npm — likely reflecting newer, more actively maintained plugins.

Tags & Releases

Most plugins have between 1 and 20 tagged releases. A small number of mature plugins have over 50. Very few plugins have no tags at all.

Plugin Activity

Plugins are classified by how recently they released an update. Active plugins released within the last 6 months. Slow plugins last released 6-12 months ago. Stale plugins have not released in over a year.

Security Practices

Security disclosure practices are rare in the ecosystem. Only 20 plugins (0.7%) include a SECURITY.md file. This is consistent with the ecosystem being largely hobby and productivity software rather than security-critical infrastructure.

Build Verification

Build verification attempts to reproduce each plugin's published release from source and compare the output. Several conditions can block verification. The most significant blocker is missing lockfiles — affecting 22.0% of plugins. Git dependencies and SASS usage are present but uncommon. Native modules are extremely rare.