Someone said on Reddit that "pulumi is a node app that requires the npm ecosystem", and for him there is a security concern with working with Node/npm in his organization. From my understanding, Pulumi is written in Go, so it is a Go application, not a Node app, and npm is not required if you don't use the npm runtime. Am I wrong and not understanding things correctly?
It is only a "Node app" if you select JavaScript/TypeScript as the language of choice to write your infrastructure code.
I think the person was talking about the Pulumi CLI itself, not the infrastructure program.
You are understanding it correctly. The Pulumi CLI is indeed Go, as are the multitude of Pulumi providers, which are separate binaries and processes.
The Pulumi architecture shows the different processes at play nicely:
Possibly confusing Pulumi with CDK.
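The answer above says the Pulumi CLI and its providers are Go binaries; that is something you can check on the installed binary rather than take on trust. The following program is an added example, not code from this thread or from the Pulumi project: it reads the build record that the Go linker embeds in every binary it produces (the same data `go version -m <binary>` prints) via the standard-library `debug/buildinfo` package. A Node-based CLI would be a script or a bundled Node runtime and would carry no such record. The `pulumi` command name as the default target and the `InspectBinary`/`Describe`/`GoBuildInfo` names are this example's own assumptions.

```go
package main

import (
	"debug/buildinfo"
	"errors"
	"fmt"
	"os"
	"os/exec"
)

// GoBuildInfo holds the fields we care about from a Go-linked binary.
// These names are this example's own, not part of any Pulumi API.
type GoBuildInfo struct {
	GoVersion string // toolchain recorded at link time, e.g. "go1.22.3"
	MainPath  string // main module path of the program that was built
	NumDeps   int    // number of dependency modules recorded in the binary
}

// InspectBinary reports whether the file at path is a Go-linked binary.
// It returns (true, info, nil) for a Go binary, (false, nil, nil) for a
// readable file with no Go build record (a shell wrapper, a Node script,
// an ELF built by another toolchain), and a non-nil error only for I/O
// problems such as a missing path or a permission failure.
func InspectBinary(path string) (bool, *GoBuildInfo, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		if errors.Is(err, os.ErrNotExist) || errors.Is(err, os.ErrPermission) {
			return false, nil, err
		}
		// Any other error means buildinfo could open the file but found
		// no Go build record in it ("unrecognized file format" and the like).
		return false, nil, nil
	}
	return true, &GoBuildInfo{
		GoVersion: info.GoVersion,
		MainPath:  info.Main.Path,
		NumDeps:   len(info.Deps),
	}, nil
}

// Describe renders a one-line verdict suitable for a log or a CI check.
func Describe(path string) (string, error) {
	isGo, info, err := InspectBinary(path)
	if err != nil {
		return "", err
	}
	if !isGo {
		return fmt.Sprintf("%s: no Go build info (not a Go-linked binary)", path), nil
	}
	return fmt.Sprintf("%s: Go binary, %s, main module %s, %d dependency modules",
		path, info.GoVersion, info.MainPath, info.NumDeps), nil
}

func main() {
	// Default to whatever `pulumi` resolves to on PATH; accept an explicit
	// path as the first argument so any binary (e.g. a provider) can be checked.
	target := "pulumi"
	if len(os.Args) > 1 {
		target = os.Args[1]
	}
	path, err := exec.LookPath(target)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	line, err := Describe(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println(line)
}
```

Run it as `go run main.go` with `pulumi` on PATH, or `go run main.go /path/to/pulumi-resource-aws` to inspect a provider plugin. A binary built by the Go toolchain reports its Go version, main module and dependency count; a Node entry point reports no build info. This tells you which toolchain linked the file, not that the file is the genuine release: it complements, and does not replace, verifying the download's checksum or signature.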