Hi just curious how the Pulumi developers users think about

Question

Hi just curious how the Pulumi developers users think about security of e g downstream dependencies of Pulumi Is it a downstream authors are trusted kind of thing or does some type of vetting on downstream dependencies happen I am wondering this because there are lots of downstream deps and Pulumi working directly with infrastructure opens new attack vectors secret access etc Thoughts <http npm broofa com q= pulumi pulumi>

faint-gold-95070 · Answer

Bump for visibility since I posted this late last night hope that s okay slightly smiling face Should I post an issue instead I wonder not sure where discussion like this is preferred

white-balloon-205 · Answer

To first approximation it is indeed currently downstream authors are trusted We keep our direct dependencies fairly minimal and vet new dependencies for being generally trusted components in the NPM ecosystem Some of our dependencies ike `grpc` and `protobufj` pull in an unfortuantely large downstream set of dependencies We are looking into newer alternatives to replace these that may have smaller transitive dependency surface area We are also considering whether to pre package dependencies instead of pull from NPM to ensure tighter specification of patch versions But this is something that generally goes against common practice for NPM Node js so we have not yet chosen to do this If you or others have any specific recommendations related to this please do let us know