Switching to node-ipc altenatives

[achrinza]

Describe the bug

Currently, this framework has a direct dependency on node-ipc@^10.0.1. Considering the recent developments of the node-ipc maintainer publishing malicious versions, are there any plans to switch to a fork?

Currently, the published versions now only have a harmless peacenotwar protestware dependency.

Depending on the threat model, pinning to a known-good version of node-ipc may not be suffice as there are nested, transitive dependencies which are maintained by the same person. Hence, it may be possible for the same maintainer to publish a malicious version of easy-stack, vanilla-test, ansi-colors-es6 or strong-type.

How to Reproduce

Installing the latest version of glee installs transitive dependencies managed by the @/riaevangelist.

Expected behavior

Switch to a clean fork of node-ipc.

Some available forks that I'm aware of:

• @achrinza/node-ipc - My own fork
• @node-ipc/node-ipc - Another fork with new features

[github-actions]

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

[jonaslagoni]

The dependency is leftover from earlier implementation, it's getting removed: #274