Installing the package using NPM gives me a moderate security advisory warning:

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ le-challenge-cloudflare                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ le-challenge-cloudflare > cloudflare > verymodel > joi >     │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 398 scanned packages
  1 vulnerability requires manual review. See the full report for details.

More recent versions of the cloudflare package no longer depend on verymodel, so updating to a newer version would likely resolve this issue.

Thank you for your consideration.

Hello!

There's a new version of Greenlock just around the corner that will have some breaking API changes.

I'm contacting you to let you know so you can update your module if you'd like it to continue working with future versions - and it's a pretty easy update.

Mandatory Changes

The update will be mandatory (due to changes in ACME / Let's Encrypt that I don't plan to backport), but all of the API changes serve to make working with greenlock much easier, and reduce code size.

The relevant APIs are already available in Greenlock v2.7+ and most plugins will change very little.

We're also changing the naming convention (in part to help signal which modules are compatible with the new version). For example, this module would be renamed acme-dns-01-cloudflare.

Documentation & Test Harness

The documentation for plugins is about... 1000x more clear, and there's now a test harness too:

• acme-challenge-test

Reference Implementation

There's also a much simpler reference implementation. You can see that it requires far less code on the part of the plugin author:

• acme-http-01-cli

What's in Greenlock v3

Transitional v2.7+

The v3 APIs are already available in Greenlock v2.7+, so plugin authors should make the switch sooner rather than later.

Mandatory Upgrade: ACME v2½

ACME draft 15 introduces a breaking change (POST-as-GET) which Let's Encrypt v2 is adopting (but they're sticking with "v2" nonetheless). The new v2 is already enabled in their API and the old v2 will be turned off in November of 2019.

Simpler

Greenlock has a lot of cruft from dumb ideas that I had as well as a ton of backwards compatibility shims, which tend to be troublesome.

v3 will be ripping out the shims for cleaner code.

Limited Dependencies

A little copying is better than a little dependency.

Greenlock has lost a lot of weight already. In fact, it has zero external dependencies - only dependencies that are part of the project.

We encourage plugin developers to stay away from heavy libraries where possible. This helps with security by reducing the number of "weak links" in the authorship chain as well as making it easier to debug code.

We provide @root/request as a lightweight drop-in replacement for request (and fairly similar to node-fetch) for making http API requests and, even in node v6, almost all of the features of lodash are available in native VanillaJS as part of Objects and Arrays.

Continued Node v6 Support

Greenlock began gaining a lot of traction in the node v6 days and there are still a large number node v6 deployments. We encourage plugin developers to just use plain old JavaScript or to have an npm prepublish that generates VanillaJS.

I think the acmePrefix variable was renamed to acmeChallengePrefix.