In light of recent supply chain attacks against the npm ecosystem, I examined the dependency graphs of my projects to identify risky downstream dependencies.
Nunjucks has few dependencies (which is great) but a-sync-waterfall stood out to me as a great attack target and I would propose to inline it into nunjucks to remove the dependency. My reasoning is the following:
nunjucks is a popular project and the only significant dependent on a-sync-waterfall.
the package is not maintained by a frequent contributor to nunjucks or the npm ecosystem.
the author's GitHub & npm account appear dormant. They might or might not be able to recognize or respond to an account breach.
the package has had no activity for a long time.
the scope of the package is small enough to make inlining feasible.
In my view, the risk of depending on this package outweighs the benefit of not having to maintain the piece of code.
I'm happy to contribute a PR and help with this. Feel free to close the issue otherwise.
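To give a sense of the scope involved, here is an added example of the kind of helper the issue proposes inlining. It is not a-sync-waterfall's own code; it assumes the package follows the async.waterfall convention (tasks run in order, each task's results feed the next, the first error aborts the chain, and the final callback receives the error or the last results).

```javascript
// Minimal waterfall helper (added example, not a-sync-waterfall's code).
// Assumed contract: tasks = [fn(...args, cb)], cb(err, ...results).
// Works both when tasks call back synchronously and asynchronously.
function waterfall(tasks, done) {
  if (!Array.isArray(tasks)) {
    throw new TypeError('waterfall: tasks must be an array');
  }
  let finished = false;
  const finish = (err, ...results) => {
    if (finished) return;          // final callback fires exactly once
    finished = true;
    done(err, ...results);
  };
  const run = (i, args) => {
    if (finished) return;
    if (i >= tasks.length) return finish(null, ...args);
    let called = false;
    const cb = (err, ...next) => {
      // A task calling its callback twice is a bug; surface it instead
      // of silently running the rest of the chain a second time.
      if (called) return finish(new Error('callback called twice'));
      called = true;
      if (err) return finish(err);
      run(i + 1, next);
    };
    try {
      tasks[i](...args, cb);       // thrown errors abort the chain too
    } catch (e) {
      finish(e);
    }
  };
  run(0, []);
}

// Constructed demo: three synchronous steps, result is 7.
function syncDemo() {
  let result;
  waterfall([
    (cb) => cb(null, 2),
    (a, cb) => cb(null, a * 3),
    (b, cb) => cb(null, b + 1),
  ], (err, value) => { result = err ? err : value; });
  return result;
}

// Constructed demo: the second step fails, so the third never runs.
function errorDemo() {
  const seen = [];
  let failure;
  waterfall([
    (cb) => { seen.push('a'); cb(null, 1); },
    (a, cb) => { seen.push('b'); cb(new Error('boom')); },
    (b, cb) => { seen.push('c'); cb(null, b); },
  ], (err) => { failure = err; });
  return { seen, message: failure && failure.message };
}
```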