Issue #3277025 by Spokje, longwave: For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code (cherry picked from commit 8b44468e)