# general
f
Bump for visibility since I posted this late last night (hope that's okay) 🙂 Should I post an issue instead I wonder? (not sure where discussion like this is preferred)
w
To a first approximation it is indeed currently "downstream authors are trusted". We keep our direct dependencies fairly minimal, and vet new dependencies for being generally trusted components in the NPM ecosystem. Some of our dependencies, like `grpc` and `protobufjs`, pull in an unfortunately large downstream set of dependencies. We are looking into newer alternatives to replace these that may have a smaller transitive dependency surface area. We are also considering whether to pre-package dependencies instead of pulling from NPM, to ensure tighter specification of patch versions. But this is something that generally goes against common practice for NPM/Node.js, so we have not yet chosen to do this. If you (or others) have any specific recommendations related to this, please do let us know.