Hi developers,
Games can import code modules dynamically using the require function. Currently we allow closed source modules to be used within a game even if the game creator does not have access to the code. This poses a serious risk because models can contain malicious code and developers have no way to audit the code. Additionally, our platform does not contain any sandboxing support so modules can do anything game scripts can do, such as writing to data stores or teleporting players to another game. We have no protections in place for this.
On February 1st, we will be removing the ability to use closed source modules from other creators on the platform. If you want other developers to use your modules, you must open them to the public or publish them under the same account as the game.
Soon we will start showing warnings in Output for games which will be affected. You will be able to use the in-game Developer Console to view these warnings.
Here are the steps to change a module from private to public:
- Go to the Create page
- Click “Models”
- Find the module you want to change
- Click the cog icon and select “Configure”
- Check the “Allow Copying” checkbox
- Click “Save”
Longer term, we are investigating the following:
- Providing sandboxing for scripts so that developers have full control over what code they import can do in their game. This may eventually allow us to reintroduce closed source modules once we have put certain safeguards in place.
- Allowing creators to share code and other assets with specific users instead of the entire platform.