diff --git a/packages/core/PluginLoader.ts b/packages/core/PluginLoader.ts
index 8770cfc65bd..f2bbecc9c99 100644
--- a/packages/core/PluginLoader.ts
+++ b/packages/core/PluginLoader.ts
@@ -122,20 +122,33 @@ export interface LoadedPlugin {
   default: PluginConstructor
 }
 
-export function pluginDescriptionString(pluginDefinition: PluginDefinition) {
-  if (isUMDPluginDefinition(pluginDefinition)) {
-    return `UMD plugin ${pluginDefinition.name}`
-  }
-  if (isESMPluginDefinition(pluginDefinition)) {
+export function pluginDescriptionString(d: PluginDefinition) {
+  if (isUMDPluginDefinition(d)) {
+    return `UMD plugin ${d.name}`
+  } else if (isESMPluginDefinition(d)) {
     return `ESM plugin ${
-      (pluginDefinition as ESMUrlPluginDefinition).esmUrl ||
-      (pluginDefinition as ESMLocPluginDefinition).esmLoc.uri
+      (d as ESMUrlPluginDefinition).esmUrl ||
+      (d as ESMLocPluginDefinition).esmLoc.uri
     }`
+  } else if (isCJSPluginDefinition(d)) {
+    return `CJS plugin ${d.cjsUrl}`
+  } else {
+    return 'unknown plugin'
   }
-  if (isCJSPluginDefinition(pluginDefinition)) {
-    return `CJS plugin ${pluginDefinition.cjsUrl}`
+}
+export function pluginUrl(d: PluginDefinition) {
+  if (isUMDPluginDefinition(d)) {
+    // @ts-expect-error
+    return d.url ?? d.esmLoc.uri ?? d.umdUrl
+  } else if (isESMPluginDefinition(d)) {
+    // @ts-expect-error
+    return d.esmUrl ?? d.esmUri
+  } else if (isCJSPluginDefinition(d)) {
+    // @ts-expect-error
+    return d.cjsUrl || d.cjsLoc.uri
+  } else {
+    return 'unknown url'
   }
-  return 'unknown plugin'
 }
 
 function isInWebWorker() {
diff --git a/products/jbrowse-web/src/components/ConfigWarningDialog.tsx b/products/jbrowse-web/src/components/ConfigWarningDialog.tsx
index 3bd6d98cb2e..cff863aa52e 100644
--- a/products/jbrowse-web/src/components/ConfigWarningDialog.tsx
+++ b/products/jbrowse-web/src/components/ConfigWarningDialog.tsx
@@ -1,12 +1,8 @@
-import { pluginDescriptionString } from '@jbrowse/core/PluginLoader'
+import { useState } from 'react'
+
+import { pluginDescriptionString, pluginUrl } from '@jbrowse/core/PluginLoader'
 import { Dialog } from '@jbrowse/core/ui'
-import WarningIcon from '@mui/icons-material/Warning'
-import {
-  Button,
-  DialogActions,
-  DialogContent,
-  DialogContentText,
-} from '@mui/material'
+import { Alert, Button, DialogActions, DialogContent } from '@mui/material'
 
 import type { PluginDefinition } from '@jbrowse/core/PluginLoader'
 
@@ -19,20 +15,31 @@ export default function ConfigWarningDialog({
   onCancel: () => void
   reason: PluginDefinition[]
 }) {
+  const [show, setShow] = useState(false)
   return (
     <Dialog open maxWidth="xl" title="Warning" onClose={onCancel}>
       <DialogContent>
-        <WarningIcon fontSize="large" />
-        <DialogContentText>
+        <Alert severity="warning" style={{ width: 800 }}>
           This link contains a cross origin config that has the following
           unknown plugins:
           <ul>
             {reason.map(r => (
-              <li key={JSON.stringify(r)}>{pluginDescriptionString(r)}</li>
+              <li key={JSON.stringify(r)}>
+                {pluginDescriptionString(r)} - ({pluginUrl(r)})
+              </li>
             ))}
           </ul>
-          Please ensure you trust the source of this link.
-        </DialogContentText>
+          Please ensure you trust the source of this link.{' '}
+          <Button onClick={() => { setShow(!show) }}>Why am I seeing this?</Button>
+          {show ? (
+            <div>
+              Config files can load arbitrary javascript files via plugins. For
+              security purposes, we display this message when a cross-origin
+              config is detected to be loading plugins that are not in our
+              plugin store
+            </div>
+          ) : null}
+        </Alert>
       </DialogContent>
       <DialogActions>
         <Button
diff --git a/products/jbrowse-web/src/components/SessionWarningDialog.tsx b/products/jbrowse-web/src/components/SessionWarningDialog.tsx
index 89c2b59d6dc..61ee2c013b0 100644
--- a/products/jbrowse-web/src/components/SessionWarningDialog.tsx
+++ b/products/jbrowse-web/src/components/SessionWarningDialog.tsx
@@ -1,12 +1,8 @@
-import { pluginDescriptionString } from '@jbrowse/core/PluginLoader'
+import { useState } from 'react'
+
+import { pluginDescriptionString, pluginUrl } from '@jbrowse/core/PluginLoader'
 import { Dialog } from '@jbrowse/core/ui'
-import WarningIcon from '@mui/icons-material/Warning'
-import {
-  Button,
-  DialogActions,
-  DialogContent,
-  DialogContentText,
-} from '@mui/material'
+import { Alert, Button, DialogActions, DialogContent } from '@mui/material'
 
 import type { PluginDefinition } from '@jbrowse/core/PluginLoader'
 
@@ -19,19 +15,29 @@ export default function SessionWarningDialog({
   onCancel: () => void
   reason: PluginDefinition[]
 }) {
+  const [show, setShow] = useState(false)
   return (
     <Dialog open maxWidth="xl" title="Warning" onClose={onCancel}>
       <DialogContent>
-        <WarningIcon fontSize="large" />
-        <DialogContentText>
+        <Alert severity="warning" style={{ width: 800 }}>
           This link contains a session that has the following unknown plugins:
           <ul>
             {reason.map(r => (
-              <li key={JSON.stringify(r)}>{pluginDescriptionString(r)}</li>
+              <li key={JSON.stringify(r)}>
+                {pluginDescriptionString(r)} - ({pluginUrl(r)})
+              </li>
             ))}
           </ul>
           Please ensure you trust the source of this session.
-        </DialogContentText>
+          <Button onClick={() => { setShow(!show) }}>Why am I seeing this?</Button>
+          {show ? (
+            <div>
+              Sessions can load arbitrary javascript files via session plugins.
+              For security purposes, we display this message when sessions
+              contain plugins that are not from our plugin store
+            </div>
+          ) : null}
+        </Alert>
       </DialogContent>
       <DialogActions>
         <Button
diff --git a/yarn.lock b/yarn.lock
index e0c70a3f12b..cc03d08969d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -99,7 +99,7 @@
     "@smithy/util-utf8" "^2.0.0"
     tslib "^2.6.2"
 
-"@aws-sdk/client-cloudfront@^3.726.1":
+"@aws-sdk/client-cloudfront@^3.738.0":
   version "3.738.0"
   resolved "https://registry.yarnpkg.com/@aws-sdk/client-cloudfront/-/client-cloudfront-3.738.0.tgz#8492886fd9cc81a49047960d17d2c8967f2bae92"
   integrity sha512-T2bAcJrNpZsPHfh+YJR9yYg8rxRAAWvwYlvJgwtPz0kn3TiNdOwcbgiQkcWuWTKxirshOpn6sWBoRcAarMYVZg==
@@ -2242,10 +2242,10 @@
   resolved "https://registry.yarnpkg.com/@hutson/parse-repository-url/-/parse-repository-url-3.0.2.tgz#98c23c950a3d9b6c8f0daed06da6c3af06981340"
   integrity sha512-H9XAx3hc0BQHY6l+IFSWHDySypcXsvsuLhgYLUGywmJ5pswRVQJUHpOsobnLYp2ZUaUlKiKDrgWWhosOwAEM8Q==
 
-"@inquirer/checkbox@^4.0.7":
-  version "4.0.7"
-  resolved "https://registry.yarnpkg.com/@inquirer/checkbox/-/checkbox-4.0.7.tgz#4c11322ab932765cace50d163eea73002dd76432"
-  integrity sha512-lyoF4uYdBBTnqeB1gjPdYkiQ++fz/iYKaP9DON1ZGlldkvAEJsjaOBRdbl5UW1pOSslBRd701jxhAG0MlhHd2w==
+"@inquirer/checkbox@^4.1.0":
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/@inquirer/checkbox/-/checkbox-4.1.0.tgz#016ab8ebafc162a1699708955f4297d7fb9dcabf"
+  integrity sha512-lgw1pGGzCHy+zecYbdwM2N8ZaEuPLGVTQcQf7q0OFFTSpgAJ6JUkAKdzt4+psefPuYPuQfxpVoo8BnIpya/toQ==
   dependencies:
     "@inquirer/core" "^10.1.5"
     "@inquirer/figures" "^1.0.10"
@@ -2301,10 +2301,10 @@
     wrap-ansi "^6.2.0"
     yoctocolors-cjs "^2.1.2"
 
-"@inquirer/editor@^4.2.4":
-  version "4.2.4"
-  resolved "https://registry.yarnpkg.com/@inquirer/editor/-/editor-4.2.4.tgz#1b2b6c0088c80375df1d7d2de89c30088b2bfe29"
-  integrity sha512-S8b6+K9PLzxiFGGc02m4syhEu5JsH0BukzRsuZ+tpjJ5aDsDX1WfNfOil2fmsO36Y1RMcpJGxlfQ1yh4WfU28Q==
+"@inquirer/editor@^4.2.5":
+  version "4.2.5"
+  resolved "https://registry.yarnpkg.com/@inquirer/editor/-/editor-4.2.5.tgz#9b94c0c290d6c94bf71d0c9d9b054b510b63db2b"
+  integrity sha512-flpme7eferTprqcQkBu+xYLBWvt2nA/IUG/lOEiE/Sl0AGWWE8zFKk1H6HaS3YxPTPPKHJ2I05M7oGBPwlcXVA==
   dependencies:
     "@inquirer/core" "^10.1.5"
     "@inquirer/type" "^3.0.3"
@@ -2358,13 +2358,13 @@
     ansi-escapes "^4.3.2"
 
 "@inquirer/prompts@^7.2.3":
-  version "7.2.4"
-  resolved "https://registry.yarnpkg.com/@inquirer/prompts/-/prompts-7.2.4.tgz#115f3a8ed1f9c6726e18cd797aecec8ca32629ec"
-  integrity sha512-Zn2XZL2VZl76pllUjeDnS6Poz2Oiv9kmAZdSZw1oFya985+/JXZ3GZ2JUWDokAPDhvuhkv9qz0Z7z/U80G8ztA==
+  version "7.3.0"
+  resolved "https://registry.yarnpkg.com/@inquirer/prompts/-/prompts-7.3.0.tgz#5c7cf6f97b0b1ce171ea990eed47c8c13e11bead"
+  integrity sha512-PdUMwuYR/06AwtGFN/afQZY0tOnCa8DJCJfHZ+SJg8+soiyr7BqwB++GKM3QehW4nUVEI+7D4d6Fj/iWL3+9aw==
   dependencies:
-    "@inquirer/checkbox" "^4.0.7"
+    "@inquirer/checkbox" "^4.1.0"
     "@inquirer/confirm" "^5.1.4"
-    "@inquirer/editor" "^4.2.4"
+    "@inquirer/editor" "^4.2.5"
     "@inquirer/expand" "^4.0.7"
     "@inquirer/input" "^4.1.4"
     "@inquirer/number" "^3.0.7"
@@ -3273,12 +3273,12 @@
   integrity sha512-IUeCeLdehVocLML6Wub7OZVM96Sk97AshiWmeNnozI6/OYdS34hQ2+thH7ETUZas9nkC2nNkJ5jLwuAHm+5/vw==
 
 "@oclif/core@^4", "@oclif/core@^4.0.19", "@oclif/core@^4.0.37", "@oclif/core@^4.2.3":
-  version "4.2.5"
-  resolved "https://registry.yarnpkg.com/@oclif/core/-/core-4.2.5.tgz#6b51e1db17272204b2431fee3eba93a21d59ebbe"
-  integrity sha512-bdXOojq8GaPnWnDgVOw030JlUROJEiDLXiV3XUUGUQDEp6YpVQvEYLIrUsEvyfASU3z3FGg3DC9k0kprcOYdhw==
+  version "4.2.6"
+  resolved "https://registry.yarnpkg.com/@oclif/core/-/core-4.2.6.tgz#f2f1696be03a815a4c391504312f90fce29fbb4e"
+  integrity sha512-agk1Tlm7qMemWx+qq5aNgkYwX2JCkoVP4M0ruFveJrarmdUPbKZTMW1j/eg8lNKZh1sp68ytZyKhYXYEfRPcww==
   dependencies:
     ansi-escapes "^4.3.2"
-    ansis "^3.9.0"
+    ansis "^3.10.0"
     clean-stack "^3.0.1"
     cli-spinners "^2.9.2"
     debug "^4.4.0"
@@ -3296,17 +3296,17 @@
     wordwrap "^1.0.0"
     wrap-ansi "^7.0.0"
 
-"@oclif/plugin-help@^6.0.15", "@oclif/plugin-help@^6.2.21":
-  version "6.2.23"
-  resolved "https://registry.yarnpkg.com/@oclif/plugin-help/-/plugin-help-6.2.23.tgz#e2ffdc8c94235d99ae4c3f5825006cf75343515b"
-  integrity sha512-BA0h1fbheN74cdrITKIwqfsRtnw/G+oysHbn+IsqWcsecgy5HZwI37/cCRLXZSZQndsgoYAhqvVpyleXv3g83A==
+"@oclif/plugin-help@^6.0.15", "@oclif/plugin-help@^6.2.23":
+  version "6.2.24"
+  resolved "https://registry.yarnpkg.com/@oclif/plugin-help/-/plugin-help-6.2.24.tgz#bf0a9992a70725494ea0966f2017311137b87e60"
+  integrity sha512-BsyXhwTWicLqXFMlbu4HkL2z9/W2ZbO6NjHaWub7lHuM9pDBjQd8nK9eI1KBjsTvvNbu1dxTQKJV7A/yBkz+Zw==
   dependencies:
     "@oclif/core" "^4"
 
 "@oclif/plugin-not-found@^3.2.32":
-  version "3.2.39"
-  resolved "https://registry.yarnpkg.com/@oclif/plugin-not-found/-/plugin-not-found-3.2.39.tgz#ada974685b35bac7bdfe9192d7700829d2c1282e"
-  integrity sha512-4GFjDsxYBSGktnI8bSUzffyYqSulh9sm+vvsJQi2gJsxSEcXKSk3+ZAsy80l8K0dYIwjfVDrErelq6AUSsqp2Q==
+  version "3.2.40"
+  resolved "https://registry.yarnpkg.com/@oclif/plugin-not-found/-/plugin-not-found-3.2.40.tgz#09d68ddb48e1b4291bc4b61ca6936a988481b0b9"
+  integrity sha512-XTjazxZ7l1B/O9BeNuoB5rIUITwwcFhm/qGVJWmfjra40dDub7YDspZ8Zpp/PvMGmTAZp0dkeVwzGCk8sbEv9w==
   dependencies:
     "@inquirer/prompts" "^7.2.3"
     "@oclif/core" "^4"
@@ -3314,12 +3314,12 @@
     fast-levenshtein "^3.0.0"
 
 "@oclif/plugin-warn-if-update-available@^3.1.31":
-  version "3.1.31"
-  resolved "https://registry.yarnpkg.com/@oclif/plugin-warn-if-update-available/-/plugin-warn-if-update-available-3.1.31.tgz#203bc7e63f7f7df5bb1e31f42c3c1b52eaa00763"
-  integrity sha512-0ZN7o+Tv00gYrwlKsfMQ8VvJGb9Vhr3UYStFJh1AbEdGTPlURv51aatTW27AIV2atfluCh0MMntVZSzoDcuxSQ==
+  version "3.1.32"
+  resolved "https://registry.yarnpkg.com/@oclif/plugin-warn-if-update-available/-/plugin-warn-if-update-available-3.1.32.tgz#9c8cdb56b3c664574ff0cd3d232a0148c7efb9eb"
+  integrity sha512-KDbLvWxXS1aBfjUDFBiZqvONVhTOmOLzgwvJ4dpNiZVfONhZZRl0k4muJy2UdHtCYUV5GoMHyRzhfDi+eLOL3w==
   dependencies:
     "@oclif/core" "^4"
-    ansis "^3.5.2"
+    ansis "^3.10.0"
     debug "^4.4.0"
     http-call "^5.2.2"
     lodash "^4.17.21"
@@ -5555,7 +5555,7 @@ ansi-styles@^6.1.0:
   resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-6.2.1.tgz#0e62320cf99c21afff3b3012192546aacbfb05c5"
   integrity sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==
 
-ansis@^3.10.0, ansis@^3.5.2, ansis@^3.9.0:
+ansis@^3.10.0:
   version "3.10.0"
   resolved "https://registry.yarnpkg.com/ansis/-/ansis-3.10.0.tgz#6886afb0f729b1fa865df6b710b97a9915b7d0d4"
   integrity sha512-hxDKLYT7hy3Y4sF3HxI926A3urzPxi73mZBB629m9bCVF+NyKNxbwCqqm+C/YrGPtxLwnl6d8/ZASCsz6SyvJA==
@@ -9947,9 +9947,9 @@ immer@^9.0.7:
   integrity sha512-bc4NBHqOqSfRW7POMkHd51LvClaeMXpm8dx0e8oE2GORbq5aRK7Bxl4FyzVLdGtLmvLKL7BTDBG5ACQm4HWjTA==
 
 import-fresh@^3.1.0, import-fresh@^3.2.1, import-fresh@^3.3.0:
-  version "3.3.0"
-  resolved "https://registry.yarnpkg.com/import-fresh/-/import-fresh-3.3.0.tgz#37162c25fcb9ebaa2e6e53d5b4d88ce17d9e0c2b"
-  integrity sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==
+  version "3.3.1"
+  resolved "https://registry.yarnpkg.com/import-fresh/-/import-fresh-3.3.1.tgz#9cecb56503c0ada1f2741dbbd6546e4b13b57ccf"
+  integrity sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ==
   dependencies:
     parent-module "^1.0.0"
     resolve-from "^4.0.0"
@@ -12605,17 +12605,17 @@ obuf@^1.0.0, obuf@^1.1.2:
   integrity sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg==
 
 oclif@^4.0.0:
-  version "4.17.21"
-  resolved "https://registry.yarnpkg.com/oclif/-/oclif-4.17.21.tgz#cbed26814b2cb4b4f971e5d0c00780451258c6b8"
-  integrity sha512-ix0H1xSWrk12jxALgub+6Eo9uvV+t42EQVeapDmPCUw78QVivOxmnpTws5ZU2DDbviLGDDIZrWGywfK8OS87rQ==
+  version "4.17.24"
+  resolved "https://registry.yarnpkg.com/oclif/-/oclif-4.17.24.tgz#c03ecfc6cd4c44f9fcbb51564d56e7c6acbb8435"
+  integrity sha512-Ktxmt9eZgndW0Ca+6U5uIN6Y5c3YsBLjst//Aaapp7krkrX4DrJNrRgjn9KfOu4BCOVUCkotEBO6x+ySxOZcAw==
   dependencies:
-    "@aws-sdk/client-cloudfront" "^3.726.1"
+    "@aws-sdk/client-cloudfront" "^3.738.0"
     "@aws-sdk/client-s3" "^3.735.0"
     "@inquirer/confirm" "^3.1.22"
     "@inquirer/input" "^2.2.4"
     "@inquirer/select" "^2.5.0"
     "@oclif/core" "^4.2.3"
-    "@oclif/plugin-help" "^6.2.21"
+    "@oclif/plugin-help" "^6.2.23"
     "@oclif/plugin-not-found" "^3.2.32"
     "@oclif/plugin-warn-if-update-available" "^3.1.31"
     async-retry "^1.3.3"
@@ -12629,7 +12629,7 @@ oclif@^4.0.0:
     got "^13"
     lodash "^4.17.21"
     normalize-package-data "^6"
-    semver "^7.6.3"
+    semver "^7.7.0"
     sort-package-json "^2.14.0"
     tiny-jsonc "^1.0.1"
     validate-npm-package-name "^5.0.1"
@@ -14463,7 +14463,7 @@ semver@^6.0.0, semver@^6.2.0, semver@^6.3.0, semver@^6.3.1:
   resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
   integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==
 
-semver@^7.0.0, semver@^7.1.1, semver@^7.3.2, semver@^7.3.4, semver@^7.3.5, semver@^7.3.7, semver@^7.3.8, semver@^7.5.3, semver@^7.5.4, semver@^7.6.0, semver@^7.6.2, semver@^7.6.3:
+semver@^7.0.0, semver@^7.1.1, semver@^7.3.2, semver@^7.3.4, semver@^7.3.5, semver@^7.3.7, semver@^7.3.8, semver@^7.5.3, semver@^7.5.4, semver@^7.6.0, semver@^7.6.2, semver@^7.6.3, semver@^7.7.0:
   version "7.7.0"
   resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.0.tgz#9c6fe61d0c6f9fa9e26575162ee5a9180361b09c"
   integrity sha512-DrfFnPzblFmNrIZzg5RzHegbiRWg7KMR7btwi2yjHwx06zsUbO5g613sVwEV7FTwmzJu+Io0lJe2GJ3LxqpvBQ==
@@ -15783,9 +15783,9 @@ typescript-eslint@^8.0.1:
   integrity sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw==
 
 typescript@^5.8.0-dev.20241213:
-  version "5.8.0-dev.20250201"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.8.0-dev.20250201.tgz#e9d08ad125fc0687ce4a4f4a916a21ca4b4620f8"
-  integrity sha512-dH6JX5ZdOLme/jasEkBV2/HbhOp5RuYxeMasdzndYrC3HVpSSoU/OEIiBRl1+2zzhRLkAjYknZtbvm6EW+Qadw==
+  version "5.8.0-dev.20250202"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.8.0-dev.20250202.tgz#a35eb60e7a0f23fa14ab62bedb3a4f76797c4fff"
+  integrity sha512-7utuv4a7BhkLf+HacefGv1/uM8DAGc1dQ11SuE6WbrRGFrwu/Qk9tV6T621TqtDMP0iYWamsOKMApskxx1bYJA==
 
 uglify-js@^3.1.4:
   version "3.19.3"