Has Anyone Found a Way to Control the Whole Dependency Closure of Used npm Packages in Pipedream?

This topic was automatically generated from Slack. You can find the original thread here.

Hello fellow Pipedreamers. I am interested to know whether anyone has been able to find a way to control the whole dependency closure of used npm packages. I don’t mean just the version of the imported package, but also all transitive dependencies. There is some more detail here: [FEATURE] Enable users to supply a package.json for a workflow · Issue #12165 · PipedreamHQ/pipedream · GitHub and a sad idea for a workaround.
:pray: someone has solved this already and can point me in the right direction.

Hi, the dependencies are installed within the Pipedream runtime. So if the Pipedream runtime does not yet offer this feature, you can only work around it.

I understand your security concern. Pipedream offers a convenient way to install dependencies and execute your Node.js/Python code out of the box, and it comes with a trade-off in security, which is suitable for certain customer segments.

For your use case that prioritizes security, I would recommend you package all your code and dependencies into a single executable, and execute it from a Pipedream code step as follows:
• Build & Package your Node.js code step and all of its dependencies to a single executable (compatible with amm64 architecture)
• Store your executable in Pipedream Filestore, Workflow Attachment, etc…
• In your workflow, download the executable to the tmp dir, set execute permission, then execute it in a code step
With this, you will be in full control of the code and dependencies.

Hi Leo, appreciate the answer. I think once I work at this level of control, there is no reason to use Pipedream anymore. I basically lose all of the convenience of Pipedream. I believe there should be a middle ground somewhere. A world where I can still use Pipedream as intended with all its convenience whilst not at the same time sacrificing security altogether.

Would supporting package.json and package-lock.json be the middle ground you’re looking for?

yes, the lockfile would solve it.