# Community registry (/docs/v/0.6.1/reference/community-registry)



The community registry is one static JSON file — `apps/fumadocs/content/community/plugins.json` in the [SDK repository](https://github.com/opencoredev/email-sdk) — listing third-party adapters, plugins, and hybrid packages. The docs site renders it on the [community page](/docs/v/0.6.1/plugins/community); changes land by pull request and are validated by a script in CI.

To list a package, build it first: [Publish a community adapter](/docs/v/0.6.1/guides/authoring/publish-community-adapter) or [Publish a community plugin](/docs/v/0.6.1/guides/authoring/publish-community-plugin).

## Entry schema [#entry-schema]

```json title="apps/fumadocs/content/community/plugins.json"
[
  {
    "name": "SMTP2GO",
    "package": "email-sdk-smtp2go",
    "kind": "adapter",
    "status": "community",
    "description": "Adds an SMTP2GO provider adapter for Email SDK.",
    "href": "https://www.npmjs.com/package/email-sdk-smtp2go",
    "repo": "https://github.com/stefandevo/email-sdk-smtp2go",
    "maintainer": "stefandevo",
    "pluginId": "smtp2go",
    "adapter": "smtp2go",
    "importName": "smtp2goPlugin"
  }
]
```

| Field             | Type                                        | Required | Description                                                                                     |
| ----------------- | ------------------------------------------- | -------- | ----------------------------------------------------------------------------------------------- |
| `name`            | `string`                                    | Yes      | Display name. Must be unique across the registry.                                               |
| `package`         | `string`                                    | Yes      | npm package name (valid lowercase name, scoped or not). Unique.                                 |
| `kind`            | `"adapter" \| "plugin" \| "hybrid"`         | Yes      | What the package adds.                                                                          |
| `status`          | `"community" \| "verified" \| "official"`   | Yes      | Trust label. Anything beyond community requires verification metadata.                          |
| `description`     | `string`                                    | Yes      | One-line summary shown in the registry.                                                         |
| `href`            | `string`                                    | Yes      | Package or docs link. Must be https.                                                            |
| `repo`            | `string`                                    | Yes      | Public source repository. Must be https and match the package metadata for verified entries.    |
| `maintainer`      | `string`                                    | Yes      | Maintainer handle.                                                                              |
| `pluginId`        | `string`                                    | No       | The plugin's id, when the package exports a plugin factory. Unique.                             |
| `adapter`         | `string`                                    | No       | Adapter routing name. Required for adapter and hybrid entries.                                  |
| `importName`      | `string`                                    | No       | The export users import, e.g. the plugin factory.                                               |
| `verifiedVersion` | `string`                                    | No       | Exact package version the verification applies to. Required for verified and official entries.  |
| `verification`    | `object`                                    | No       | Review metadata. Required for verified and official entries.                                    |

`verification` itself requires `reviewedAt` (ISO date), `reviewedBy`, `provenance: true`, `noInstallScripts: true`, and `runtimeDependencies` (a non-negative integer); `notes` is optional.

## Status labels [#status-labels]

| Status      | Meaning                                                               |
| ----------- | --------------------------------------------------------------------- |
| `community` | Listed by pull request. Not endorsed or audited.                      |
| `verified`  | Passed the static checks and npm audit for exactly `verifiedVersion`. |
| `official`  | Maintained by OpenCore or in the Email SDK repository.                |

Verification is per version: a new release is unverified until the entry's `verifiedVersion` is updated and the checks pass again.

## Validation [#validation]

Run the check locally before opening a pull request:

```bash
bun run community:check
```

That runs `scripts/validate-community-registry.ts`, which enforces the schema above: required fields, valid npm package names, https-only links, the enum values, no duplicate `name`/`package`/`pluginId`, `adapter` on non-plugin entries, and complete `verification` blocks on verified and official entries.
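
The checks listed above, together with the `verification` requirements from the entry schema, sketched as an added example (this is not the project's `scripts/validate-community-registry.ts`). The npm-name pattern, the ISO-date test, the error messages, and all function names are assumptions; the sample entry is constructed.

```typescript
// Added example: not the project's scripts/validate-community-registry.ts.
type Entry = Record<string, unknown>;
const REQUIRED = ["name", "package", "kind", "status", "description", "href", "repo", "maintainer"];
const KINDS = ["adapter", "plugin", "hybrid"];
const STATUSES = ["community", "verified", "official"];
// Assumption: simplified lowercase npm-name pattern; npm's real rules have more cases.
const NPM_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
const text = (v: unknown): string => (typeof v === "string" ? v.trim() : "");
function verificationErrors(v: unknown): string[] {
  if (typeof v !== "object" || v === null) return ["verification block required"];
  const r = v as Entry, errs: string[] = [], n = r.runtimeDependencies;
  if (!/^\d{4}-\d{2}-\d{2}/.test(text(r.reviewedAt))) errs.push("reviewedAt must be an ISO date");
  if (!text(r.reviewedBy)) errs.push("reviewedBy required");
  if (r.provenance !== true) errs.push("provenance must be true");
  if (r.noInstallScripts !== true) errs.push("noInstallScripts must be true");
  if (typeof n !== "number" || !Number.isInteger(n) || n < 0)
    errs.push("runtimeDependencies must be a non-negative integer");
  return errs;
}

function validateRegistry(entries: Entry[]): string[] {
  const errors: string[] = [];
  const seen = new Set<string>(); // "field=value" keys already used by earlier entries
  entries.forEach((e, i) => {
    const fail = (msg: string): void => { errors.push(`entry ${i}: ${msg}`); };
    for (const f of REQUIRED) if (!text(e[f])) fail(`${f} is required`);
    if (text(e.package) && !NPM_NAME.test(text(e.package))) fail("package is not a valid npm name");
    if (!KINDS.includes(text(e.kind))) fail("kind is not an allowed value");
    if (!STATUSES.includes(text(e.status))) fail("status is not an allowed value");
    for (const f of ["href", "repo"])
      if (text(e[f]) && !text(e[f]).startsWith("https://")) fail(`${f} must be https`);
    for (const f of ["name", "package", "pluginId"]) {
      const key = `${f}=${text(e[f])}`;
      if (text(e[f]) && seen.has(key)) fail(`duplicate ${f}`);
      seen.add(key);
    }
    if (e.kind !== "plugin" && !text(e.adapter)) fail("adapter is required for non-plugin entries");
    if (e.status === "verified" || e.status === "official") {
      if (!text(e.verifiedVersion)) fail("verifiedVersion is required");
      verificationErrors(e.verification).forEach(fail);
    }
  });
  return errors;
}

// Constructed sample: http link, "verified" without verification metadata, no adapter.
const SAMPLE: Entry[] = [{ name: "Demo", package: "email-sdk-demo", kind: "adapter", status: "verified",
  description: "Constructed.", href: "http://example.com/demo", repo: "https://example.com/demo", maintainer: "someone" }];
const sampleErrors = validateRegistry(SAMPLE);
```

For the constructed sample, `sampleErrors` holds four findings: the http `href`, the missing `adapter`, the missing `verifiedVersion`, and the missing `verification` block.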

### The npm audit in CI [#the-npm-audit-in-ci]

With `--network` (or automatically when `CI=true` — the same script runs in CI via `bun run release:ci`), verified and official entries get a deeper audit. The script downloads the published npm tarball for `verifiedVersion` and fails the build if the package:

1. Has a `repository` that does not match the entry's `repo`.
2. Defines `preinstall`, `install`, or `postinstall` scripts.
3. Has a runtime dependency count that differs from `verification.runtimeDependencies`.
4. Does not declare `@opencoredev/email-sdk` as a peer dependency.
5. Exposes a `bin` entry.
6. Contains suspicious tokens in shipped JavaScript (`child_process`, `eval(`, `Function(`, token-stealing env reads, `curl `/`wget `).
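
The six failure conditions above applied to an already-unpacked tarball, as an added example rather than the project's audit code. `auditPackage`, the repository normalization, and the env-read pattern are assumptions; the manifest and file contents are constructed.

```typescript
// Added example: mirrors the six listed checks; not the project's own audit script.
type Manifest = {
  repository?: string | { url?: string };
  scripts?: Record<string, string>;
  dependencies?: Record<string, string>;
  peerDependencies?: Record<string, string>;
  bin?: unknown;
};
// Tokens named on the page. The env pattern is an assumption: the page only says
// "token-stealing env reads" without giving the expression.
const SUSPICIOUS: [string, RegExp][] = [
  ["child_process", /child_process/], ["eval(", /\beval\(/], ["Function(", /\bFunction\(/],
  ["env token read", /process\.env\.\w*(TOKEN|SECRET)/i], ["curl", /\bcurl /], ["wget", /\bwget /],
];
// Assumption: repos are compared after dropping "git+", ".git" and a trailing slash.
const normRepo = (u: string): string =>
  u.trim().toLowerCase().replace(/^git\+/, "").replace(/\/$/, "").replace(/\.git$/, "");

function auditPackage(
  entry: { repo: string; runtimeDependencies: number },
  pkg: Manifest,
  files: Record<string, string>, // shipped path -> file contents
): string[] {
  const out: string[] = [];
  const repoUrl = typeof pkg.repository === "string" ? pkg.repository : pkg.repository?.url ?? "";
  if (normRepo(repoUrl) !== normRepo(entry.repo)) out.push("repository does not match entry repo");
  for (const hook of ["preinstall", "install", "postinstall"])
    if (pkg.scripts?.[hook] !== undefined) out.push(`defines ${hook} script`);
  const deps = Object.keys(pkg.dependencies ?? {}).length;
  if (deps !== entry.runtimeDependencies)
    out.push(`runtime dependency count ${deps} != ${entry.runtimeDependencies}`);
  if (!pkg.peerDependencies?.["@opencoredev/email-sdk"]) out.push("missing @opencoredev/email-sdk peer dependency");
  if (pkg.bin !== undefined) out.push("exposes a bin entry");
  for (const [path, src] of Object.entries(files)) {
    if (!/\.(js|mjs|cjs)$/.test(path)) continue; // only shipped JavaScript is scanned
    for (const [label, re] of SUSPICIOUS) if (re.test(src)) out.push(`${path}: suspicious token ${label}`);
  }
  return out;
}

// Constructed manifest and file for illustration (hypothetical package and dependency).
const DEMO_PKG: Manifest = {
  repository: { url: "git+https://example.com/acme/email-sdk-demo.git" },
  scripts: { build: "tsc", postinstall: "node setup.js" },
  dependencies: { "some-dep": "1.0.0" },
  bin: { demo: "./cli.js" },
};
const DEMO_FILES = { "dist/index.js": 'const cp = require("child_process");\nexport const x = 1;' };
const demoFindings = auditPackage({ repo: "https://example.com/acme/email-sdk-demo", runtimeDependencies: 0 }, DEMO_PKG, DEMO_FILES);
```

The constructed package matches on `repository` but trips the other five checks, which shows why a matching repo link alone says little about what the tarball ships.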

<Callout title="Static checks, not a security guarantee">
  The audit lowers obvious supply-chain risk; it does not prove third-party code is safe. Read the
  source, pin versions, and apply your normal dependency review before installing any listed
  package.
</Callout>
