
Switching to `node-ipc` alternatives

Open achrinza opened this issue 2 years ago • 0 comments

Not sure if this was better-suited to be posted as a bug or feature request.

Describe the bug

Currently, this project has a direct dependency on [email protected]. Although https://github.com/open-rpc/server-js/pull/754 has resolved the immediate issue, there may be future concerns with sticking to node-ipc.

Depending on the threat model, pinning to a known-good version of node-ipc may not suffice, as there is a nested, transitive dependency on easy-stack@^1.0.0, which is maintained by the same person. Hence, it may be possible for the same maintainer to publish a malicious version of that package. The dependency chain is:

@open-rpc/server-js > [email protected] > [email protected] > easy-stack@^1.0.0

To Reproduce

Install @open-rpc/server-js.

Expected behavior

The dependency tree does not contain a transitive dependency on a package managed by the same author which published the malicious versions of node-ipc.

Additional context

Since the publishing of malicious versions of node-ipc to NPM, there have been concerns with trusting the author on future versions of node-ipc and other packages. This includes transitive nested dependencies of node-ipc such as easy-stack.

One solution is to use a third-party fork such as @achrinza/node-ipc (my own fork) or @node-ipc/node-ipc (another fork with new features).

Another solution is to migrate to a different IPC package altogether.

achrinza avatar Mar 20 '22 17:03 achrinza
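As an added example (not code from the open-rpc/server-js project or the issue author), the kind of lockfile check that surfaces the transitive chain described above rather than only the direct node-ipc pin. It assumes a `package-lock.json` with a lockfileVersion 2/3 `packages` map; the lock fragment, the `WATCH` list and all version strings are constructed placeholders, not the versions the issue refers to.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 2/3 "packages" map).
// Version strings are placeholders, not the versions discussed in the issue.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@open-rpc/server-js": "0.0.0-placeholder" } },
    "node_modules/@open-rpc/server-js": { version: "0.0.0-placeholder", dependencies: { "node-ipc": "0.0.0-placeholder" } },
    "node_modules/node-ipc": { version: "0.0.0-placeholder", dependencies: { "easy-stack": "^1.0.0" } },
    "node_modules/easy-stack": { version: "1.0.0" },
  },
};

// Packages to flag by name: the concern is the maintainer, not one version,
// so every release of these names is reported wherever it appears.
const WATCH = new Set(["node-ipc", "easy-stack"]);

// Resolve `name` as Node would from the package installed at `fromPath`:
// try the nearest node_modules directory, then walk upward to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx < 0 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns "a@v > b@v > c@v" chains
// that end at a watched package. `seen` guards against cycles in the graph.
function findChains(lockfile, watch) {
  const pkgs = lockfile.packages;
  const chains = [];
  const walk = (path, trail, seen) => {
    for (const name of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolveDep(pkgs, path, name);
      if (!depPath || seen.has(depPath)) continue;
      const next = trail.concat(name + "@" + pkgs[depPath].version);
      if (watch.has(name)) chains.push(next.join(" > "));
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(lock, WATCH).join("\n"));
```

Run it against a real lockfile by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means a watched package is still reachable, whether directly or through a transitive dependency.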