No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Bump for visibility since I posted this late last night (hope that's okay) :slightly_smiling_face: Should I post an issue instead I wonder? (not sure where discussion like this is preferred)

To first approximation it is indeed currently "downstream authors are trusted".  We keep our direct dependencies fairly minimal, and vet new dependencies for being generally trusted components in the NPM ecosystem.  Some of our dependencies, ike `grpc` and `protobufj` pull in an unfortuantely large downstream set of dependencies.  We are looking into newer alternatives to replace these that may have smaller transitive dependency surface area.  We are also considering whether to pre-package dependencies  instead of pull from NPM, to ensure tighter specification of patch versions.  But this is something that generally goes against common practice for NPM/Node.js, so we have not yet chosen to do this.

If you (or others) have any specific recommendations related to this, please do let us know.