Community registry

The plugins.json entry schema, status labels, and the validation that gates every registry change in CI.

The community registry is one static JSON file — apps/fumadocs/content/community/plugins.json in the SDK repository — listing third-party adapters, plugins, and hybrid packages. The docs site renders it on the community page; changes land by pull request and are validated by a script in CI.

To list a package, build it first: Publish a community adapter or Publish a community plugin.

Entry schema

apps/fumadocs/content/community/plugins.json
[
  {
    "name": "SMTP2GO",
    "package": "email-sdk-smtp2go",
    "kind": "adapter",
    "status": "community",
    "description": "Adds an SMTP2GO provider adapter for Email SDK.",
    "href": "https://www.npmjs.com/package/email-sdk-smtp2go",
    "repo": "https://github.com/stefandevo/email-sdk-smtp2go",
    "maintainer": "stefandevo",
    "pluginId": "smtp2go",
    "adapter": "smtp2go",
    "importName": "smtp2goPlugin"
  }
]

verification itself requires reviewedAt (ISO date), reviewedBy, provenance: true, noInstallScripts: true, and runtimeDependencies (a non-negative integer); notes is optional.

Status labels

Status     Meaning
community  Listed by pull request. Not endorsed or audited.
verified   Passed the static checks and npm audit for exactly verifiedVersion.
official   Maintained by OpenCore or in the Email SDK repository.

Verification is per version: a new release is unverified until the entry's verifiedVersion is updated and the checks pass again.

Validation

Run the check locally before opening a pull request:

bun run community:check

That runs scripts/validate-community-registry.ts, which enforces the schema above: required fields, valid npm package names, https-only links, the enum values, no duplicate name/package/pluginId, adapter on non-plugin entries, and complete verification blocks on verified and official entries.

The npm audit in CI

With --network (or automatically when CI=true — the same script runs in CI via bun run release:ci), verified and official entries get a deeper audit. The script downloads the published npm tarball for verifiedVersion and fails the build if the package:

  1. Has a repository that does not match the entry's repo.
  2. Defines preinstall, install, or postinstall scripts.
  3. Has a runtime dependency count that differs from verification.runtimeDependencies.
  4. Does not declare @opencoredev/email-sdk as a peer dependency.
  5. Exposes a bin entry.
  6. Contains suspicious tokens in shipped JavaScript (child_process, eval(, Function(, token-stealing env reads, curl / wget).
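
The six tarball checks listed above, sketched as a pure function over a parsed package.json and the shipped files. This is an added example, not the project's scripts/validate-community-registry.ts; the type names, the regular expressions, the repository-URL normalisation and the sample data are assumptions.

```typescript
// Added example, not the project's scripts/validate-community-registry.ts.
type RegistryEntry = { repo: string; verification: { runtimeDependencies: number } };
type PackageManifest = {
  repository?: string | { url?: string };
  scripts?: Record<string, string>;
  dependencies?: Record<string, string>;
  peerDependencies?: Record<string, string>;
  bin?: string | Record<string, string>;
};
type ShippedFile = { path: string; source: string };

// Assumed patterns: the page names the tokens, not the exact expressions.
const SUSPICIOUS: RegExp[] = [
  /child_process/, /\beval\(/, /\bFunction\(/,
  /process\.env\.\w*(TOKEN|SECRET)/i, /\b(curl|wget) /,
];

// npm manifests often store "git+https://host/owner/repo.git" (this normalisation is an assumption).
function normalizeRepo(url: string): string {
  return url.replace(/^git\+/, "").replace(/\.git$/, "").replace(/\/$/, "").toLowerCase();
}

function auditPackage(entry: RegistryEntry, manifest: PackageManifest, files: ShippedFile[]): string[] {
  const failures: string[] = [];
  const r = manifest.repository;
  const repoUrl = typeof r === "string" ? r : (r && r.url) || "";
  if (normalizeRepo(repoUrl) !== normalizeRepo(entry.repo)) failures.push("repository mismatch");
  const scripts: Record<string, string> = manifest.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (hook in scripts) failures.push("install script: " + hook);
  }
  const depCount = Object.keys(manifest.dependencies || {}).length;
  if (depCount !== entry.verification.runtimeDependencies) failures.push("runtime dependency count: " + depCount);
  const peers: Record<string, string> = manifest.peerDependencies || {};
  if (!peers["@opencoredev/email-sdk"]) failures.push("missing peer dependency");
  if (manifest.bin !== undefined) failures.push("exposes bin");
  for (const file of files) {
    if (!/\.[cm]?js$/.test(file.path)) continue; // shipped JavaScript only
    for (const re of SUSPICIOUS) { if (re.test(file.source)) failures.push("suspicious token in " + file.path); }
  }
  return failures;
}
// Constructed sample data for a hypothetical package that trips every check.
const sampleEntry: RegistryEntry = { repo: "https://github.com/example/email-sdk-example", verification: { runtimeDependencies: 0 } };
const riskyManifest: PackageManifest = {
  repository: "git+https://github.com/someone-else/fork.git", bin: "cli.js",
  scripts: { build: "tsc", postinstall: "node setup.js" }, dependencies: { "example-dep": "^1.0.0" },
};
const riskyFiles: ShippedFile[] = [{ path: "dist/index.js", source: "require('child_process')" }];
```

An empty array from auditPackage means the manifest passed these static checks only; it says nothing about what the code does at runtime.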

Static checks, not a security guarantee

The audit lowers obvious supply-chain risk; it does not prove third-party code is safe. Read the source, pin versions, and apply your normal dependency review before installing any listed package.
