
Switching to node-ipc alternatives #756

Open
@achrinza

Description


Not sure if this was better-suited to be posted as a bug or feature request.

Describe the bug

Currently, this project has a direct dependency on [email protected]. Although #754 has resolved the immediate issue, there may be future concerns with sticking to node-ipc.

Depending on the threat model, pinning to a known-good version of node-ipc may not suffice, as there is a nested, transitive dependency on easy-stack@^1.0.0, which is maintained by the same person. Hence, it may be possible for the same maintainer to publish a malicious version of that package. The dependency chain is:

@open-rpc/server-js > [email protected] > [email protected] > easy-stack@^1.0.0

To Reproduce

Install @open-rpc/server-js.

Expected behavior

The dependency tree does not contain a transitive dependency on a package managed by the same author which published the malicious versions of node-ipc.

Additional context

Since the publishing of malicious versions of node-ipc to NPM, there have been concerns with trusting the author on future versions of node-ipc and other packages. This includes transitive nested dependencies of node-ipc such as easy-stack.

One solution is to use a third-party fork such as @achrinza/node-ipc (my own fork) or @node-ipc/node-ipc (another fork with new features).

Another solution is to migrate to a different IPC package altogether.
