News
QGIS Blog
Platform
UrbanComputing
Tool
GeoAI
Chinese Title
插件仓库安全增强
English Title
Plugin Repository Security Enhancements
Tim Sutton
Published
2026/4/23 21:29:52
Source type
blog
Language
en
Summary
English Original

We want to share some updates we have made on the QGIS Plugin Repository. In January 2026 we shared QEP…

Body
English Original

We also ‘back ran’ the new security checks on every existing plugin in the plugin repository (latest versions only) and assigned each a security badge, without blocking or removing any plugin from being published. If you see a small ‘i’ on the left, there may still be some non-blocking checks to look at.

If you are the owner of a plugin, you can log in to https://plugins.qgis.org and review the issues that have been flagged for your plugin. There are two blocking issue categories (which will prevent you from publishing your plugin) and additional non-blocking issue categories (which are advisories only). You can see all the details at the information page here:

We would like to note that these security advisories and badges are only shown on the plugins website; the plugin manager in QGIS Desktop does not yet provide any indication of the security scan results.

Firstly, don’t panic. Almost all plugins initially have this badge, but we expect that over time the repository will be populated with ‘green badged’ plugins as developers publish their updates.

Then review the issues listed in the report and fix them systematically. Refer to https://plugins.qgis.org/docs/security-scanning for the specific tools we use on the server if you want to run them locally too.

Again, don’t panic. In a year’s time, when most plugins have been updated, we expect green badges to be the norm; for now, just know that we are working on improving the security of our plugin ecosystem.

We know that in some cases you may actually need to embed API keys or credentials, or do other things that raise a flag. QGIS does not play an enforcement role beyond requiring that all newly uploaded plugins are green flagged. You can use pragmas / overrides where needed. What we are trying to do is ensure that plugin developers have visited each reported issue, considered it, and either consciously chosen to ignore it or fixed it.

Resource links
QGIS.org blog: blog.qgis.org
Author, Tim Sutton: blog.qgis.org/author/timlinux
Category, Uncategorized: blog.qgis.org/category/uncategorized
QGIS on Mastodon: fosstodon.org/@qgis
QEP 409: github.com...master/qep-409-plugins-security-validator.md
Security scanner source: https://github.com/qgis/QGIS-Plugins-Website/blob/master/qgis-app/plugins/security_scanner.py
Issue tracker: https://github.com/qgis/QGIS-Plugins-Website/issues
See PR: github.com/qgis/QGIS-Plugins-Website/pull/219
QGIS Plugin Repository: plugins.qgis.org
Security scanning documentation: https://plugins.qgis.org/docs/security-scanning
Images from the post:
blog.qgis.org/wp-content/uploads/2026/04/image-1.png
blog.qgis.org/wp-content/uploads/2026/04/image-2.png
blog.qgis.org/wp-content/uploads/2026/04/image-4.png
blog.qgis.org/wp-content/uploads/2026/04/image-5.png
blog.qgis.org/wp-content/uploads/2026/04/image-6.png
Original source page: blog.qgis.org...23/plugin-repository-security-enhancements
Metadata
Source: QGIS Blog
Type: News
Extraction status: raw
Keywords
Uncategorized
Platform
UrbanComputing
Tool
GeoAI