[Security] Using the latest shiki library could introduce dependency risk for users

[AndrewMohawk]

Please see: shikijs/shiki#843

TL;DR -- the latest update to Shikijs includes some new dependencies that are not used much and also have the same single maintainer. This may introduce dependency risk as this is such a high used library

[brc-dd]

FWICT, the oniguruma-to-es library and its dependencies are only used if you manually choose the synchronous engine in Shiki. For most users, these libraries won’t affect their setup. While postinstall scripts could potentially pose a risk, these dependencies don’t include any, and in security-critical environments, it's good practice to configure your package manager to block untrusted scripts. For example, pnpm.onlyBuiltDependencies achieves this in pnpm, while npm and yarn offer similar controls, as detailed here. Bun and Deno do this by default.

Regarding the concern about "fairly unused packages," I don’t think this is a valid issue in this case. Dependencies specifically created to support another library naturally have low usage metrics initially. Over time, they may grow in adoption as they prove their stability and utility. Moreover, Anthony (Shiki’s maintainer) has been collaborating with slevithan for several months now, and evidently trusts their work, as Regex+—another of their libraries—was already a key part of Shiki’s dependency tree.

From what I’ve seen, the code in these dependencies is not obfuscated, meaning it’s open for anyone to review. If there are actual vulnerabilities or concerns, they can and should be reported. Finally, for users who are still wary, the synchronous engine is experimental and optional. It won’t become the default without rigorous testing across projects.

[AndrewMohawk]

Agree with all these points, the concern I have is that if that single account gets compromised it could be used to introduce vulnerabilities into a large surface area

[brc-dd]

Ah, perhaps you can ask the Shiki team to invite slevithan as a team member and discuss moving the projects to shiki org itself. Also, npm will require 2FA on slevithan's account once the packages become more popular. And maybe ask them to setup npm provenance and publish from github actions.

[slevithan]

Just commenting to add the detail that npm has required 2FA on my account for years since I publish multiple other unrelated projects that have millions of monthly downloads. @AndrewMohawk, it seems unproductive to be raising this with multiple other projects that use Shiki. This has been addressed by myself and Shiki's author in the issue you linked. Shiki is also essentially a single-maintainer project since Anthony does most of the work.

[AndrewMohawk]

Sure, I can close this, but for what it is worth 2FA that is not Phishing resistant (ie hardware tokens or passkeys) is not really worth much anymore, phishing kits have been automating the 2FA flow for 5yrs+ in free open source projects. I highly recommend if you have not that you move to phishing resistant MFA