04/19/2019, 4:46 AM
Hi, just curious how the Pulumi developers/users think about security of e.g. downstream dependencies of Pulumi? Is it a 'downstream authors are trusted' kind of thing, or does some type of vetting on downstream dependencies happen? I am wondering this because there are lots of downstream deps and Pulumi working directly with infrastructure opens new attack vectors (secret access, etc). Thoughts?
👍 1
Bump for visibility since I posted this late last night (hope that's okay) 🙂 Should I post an issue instead I wonder? (not sure where discussion like this is preferred)
👍 1


04/20/2019, 12:40 AM
To first approximation it is indeed currently "downstream authors are trusted". We keep our direct dependencies fairly minimal, and vet new dependencies for being generally trusted components in the NPM ecosystem. Some of our dependencies, like
pull in an unfortunately large downstream set of dependencies. We are looking into newer alternatives to replace these that may have smaller transitive dependency surface area. We are also considering whether to pre-package dependencies instead of pull from NPM, to ensure tighter specification of patch versions. But this is something that generally goes against common practice for NPM/Node.js, so we have not yet chosen to do this. If you (or others) have any specific recommendations related to this, please do let us know.
👍 1