Designing a marketplace with user-contributed content is no small feat. On top of security, consistency, and tooling, it's super important for us to be confident that the way we ask you to build extensions will stay the same for many Directus versions to come.
Over the last year, we've laid lots of groundwork towards this goal: the Directus Extensions SDK, which helps scaffold and build extensions; the ability to install extensions via npm or external storage locations; a robust and flexible metadata structure; and several other changes to help you build great extensions and ensure we can run them reliably.
Right now, we really leave it to Directus project admins to understand the security implications of installed extensions. Given that Directus touches your database and asset storage, we know there's a need to do better, especially in a future where users installing extensions may not also be managing infrastructure.
Today, we're announcing what we believe is the last part of the foundational work required to build a marketplace: the Secure Extensions Framework. Secure Extensions will be aggressively sandboxed and will need to request permissions before taking many actions, including external web requests and database operations.
Existing extensions not using the Secure Extensions Framework will continue to work in Directus 10.7 and beyond, but we encourage all extension developers to adopt it as we continue work on the Directus Marketplace.
Check out our documentation to learn more about secure extensions and, as always, if you have questions feel free to join our Discord community.