Hi, just curious how the Pulumi developers/users think about security of e.g. downstream dependencies of Pulumi? Is it a 'downstream authors are trusted' kind of thing, or does some type of vetting on downstream dependencies happen? I am wondering this because there are lots of downstream deps and Pulumi working directly with infrastructure opens new attack vectors (secret access, etc). Thoughts? http://npm.broofa.com/?q=@pulumi/pulumi

To first approximation it is indeed currently "downstream authors are trusted". We keep our direct dependencies fairly minimal, and vet new dependencies for being generally trusted components in the NPM ecosystem. Some of our dependencies, ike

grpc

and

protobufj

pull in an unfortuantely large downstream set of dependencies. We are looking into newer alternatives to replace these that may have smaller transitive dependency surface area. We are also considering whether to pre-package dependencies instead of pull from NPM, to ensure tighter specification of patch versions. But this is something that generally goes against common practice for NPM/Node.js, so we have not yet chosen to do this. If you (or others) have any specific recommendations related to this, please do let us know.