fix: remove unused aws-lambda package to eliminate aws-sdk v2 dependency

jensenbox · jensenbox · commit cdb096b5dd1e · 2026-03-30T23:19:49.000-07:00
The `aws-lambda` npm package (a CLI deploy tool, last updated 2021) was listed as a production dependency in `webhook` and `aws-powertools-util` but is not used anywhere at runtime. All imports from 'aws-lambda' in the codebase resolve to `@types/aws-lambda` (TypeScript type definitions), which is already correctly declared as a devDependency. The `aws-lambda` package transitively pulls in `aws-sdk` v2 (EOL since Sep 2025), which triggers the dependency vulnerability scan (GHSA-j965-2qgj-vjmq). Since there is no patch for v2 — the advisory recommends migrating to v3 — the correct fix is to remove the unused package rather than suppressing the scanner. This eliminates aws-sdk v2 and its unnecessary transitive dependencies from the lockfile.
diff --git a/lambdas/functions/webhook/package.json b/lambdas/functions/webhook/package.json
@@ -34,8 +34,7 @@
     "@middy/core": "^6.4.5",
     "@octokit/rest": "22.0.1",
     "@octokit/types": "^16.0.0",
-    "@octokit/webhooks": "^14.2.0",
-    "aws-lambda": "^1.0.7"
+    "@octokit/webhooks": "^14.2.0"
   },
   "nx": {
     "includedScripts": [
diff --git a/lambdas/libs/aws-powertools-util/package.json b/lambdas/libs/aws-powertools-util/package.json
@@ -22,8 +22,7 @@
   "dependencies": {
     "@aws-lambda-powertools/logger": "^2.31.0",
     "@aws-lambda-powertools/metrics": "^2.31.0",
-    "@aws-lambda-powertools/tracer": "^2.31.0",
-    "aws-lambda": "^1.0.7"
+    "@aws-lambda-powertools/tracer": "^2.31.0"
   },
   "nx": {
     "includedScripts": [
diff --git a/lambdas/yarn.lock b/lambdas/yarn.lock
