fix: remove unused aws-lambda package to eliminate aws-sdk v2 dependency #5088
Open
jensenbox wants to merge 1 commit into github-aws-runners:main from
Conversation
The `aws-lambda` npm package (a CLI deploy tool, last updated 2021) was listed as a production dependency in `webhook` and `aws-powertools-util` but is not used anywhere at runtime. All imports from 'aws-lambda' in the codebase resolve to `@types/aws-lambda` (TypeScript type definitions), which is already correctly declared as a devDependency. The `aws-lambda` package transitively pulls in `aws-sdk` v2 (EOL since Sep 2025), which triggers the dependency vulnerability scan (GHSA-j965-2qgj-vjmq). Since there is no patch for v2 — the advisory recommends migrating to v3 — the correct fix is to remove the unused package rather than suppressing the scanner. This eliminates aws-sdk v2 and its unnecessary transitive dependencies from the lockfile.
Summary

The aws-lambda npm package (npmjs.com/package/aws-lambda) is a CLI deploy tool last published in November 2021. It is listed as a production dependency in webhook and aws-powertools-util, but is not used anywhere at runtime.

Every import from 'aws-lambda' in the codebase (e.g. import { Context, SQSEvent } from 'aws-lambda') resolves to @types/aws-lambda — TypeScript type definitions that are erased at compile time. @types/aws-lambda is already correctly declared as a devDependency in all packages that use it.

Why this matters

The aws-lambda package transitively depends on aws-sdk@^2.814.0 (v2), which reached end-of-support on September 8, 2025. Advisory GHSA-j965-2qgj-vjmq flags all of aws-sdk v2 with no patch available — the only remediation is migrating to v3. This causes the Dependency vulnerability scan to fail on any PR that modifies the lockfile enough to trigger a dependency graph rebuild.

What this PR does

- Removes aws-lambda from dependencies in lambdas/functions/webhook/package.json and lambdas/libs/aws-powertools-util/package.json
- Updates yarn.lock, eliminating aws-sdk v2 and its transitive dependency tree from the lockfile

What this PR does NOT do

- Does not remove @types/aws-lambda (the TypeScript types) — those remain as devDependencies

Test plan

- yarn test across all 7 projects
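The PR's argument rests on one property: every import of 'aws-lambda' is a type import that the TypeScript compiler erases, so nothing in the emitted JavaScript ever loads the package. The script below, added here as an illustration and not code from the PR or from the github-aws-runners project, makes that check mechanical before a package is moved out of "dependencies". It classifies each import of a package by syntax (explicit or inline `type` imports are always erased; default, namespace, side-effect and `require()` imports always survive; plain named imports are erased only if every name is a type), then decides whether the package can be dropped. The file names, file contents, package.json values and the set of names attributed to @types/aws-lambda are all constructed for the example; the scanner only handles single-line import statements.

```typescript
// Added example; not code from the PR or from github-aws-runners. It checks the
// property the PR relies on: every import of a package is erased at compile
// time (type-only), so the package can leave "dependencies" without changing
// the emitted JavaScript. All inputs below are constructed.

type ImportKind = "type-only" | "named" | "runtime";

interface ImportUse {
  file: string;
  line: number;
  kind: ImportKind;
  names: string[]; // exported identifiers referenced by a "named" import
}

// Classify each single-line import of `pkg` by syntax alone:
//   import type { A } / import { type A, type B }  -> "type-only" (always erased)
//   import { A, B }                                -> "named" (erased only if A and B are types)
//   import x / import * as x / import 'pkg' /
//   require('pkg')                                 -> "runtime" (survives in emitted JS)
function classifyImports(file: string, source: string, pkg: string): ImportUse[] {
  const spec = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const importRe = new RegExp(`^\\s*import\\s+(type\\s+)?(.+?)\\s+from\\s*['"]${spec}['"]`);
  const sideEffectRe = new RegExp(`^\\s*import\\s*['"]${spec}['"]`);
  const requireRe = new RegExp(`require\\(\\s*['"]${spec}['"]\\s*\\)`);
  const uses: ImportUse[] = [];
  source.split("\n").forEach((text, i) => {
    const line = i + 1;
    const m = importRe.exec(text);
    if (m) {
      const hasTypeKeyword = m[1] !== undefined;
      const clause = m[2].trim();
      if (hasTypeKeyword) {
        uses.push({ file, line, kind: "type-only", names: [] });
      } else if (clause.startsWith("{")) {
        const specifiers = clause.slice(1, clause.lastIndexOf("}"))
          .split(",").map((s) => s.trim()).filter((s) => s.length > 0);
        const allInlineType = specifiers.every((s) => s.startsWith("type "));
        // strip an inline `type` and any `as alias` to recover the exported name
        const names = specifiers.map((s) => s.replace(/^type\s+/, "").split(/\s+as\s+/)[0]);
        uses.push({ file, line, kind: allInlineType ? "type-only" : "named", names });
      } else {
        // default import, namespace import, or a mix of both: binds a runtime value
        uses.push({ file, line, kind: "runtime", names: [] });
      }
    } else if (sideEffectRe.test(text) || requireRe.test(text)) {
      uses.push({ file, line, kind: "runtime", names: [] });
    }
  });
  return uses;
}

interface PackageJson {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

interface Audit {
  verdict: "not-in-dependencies" | "keep" | "safe-to-remove";
  reasons: string[]; // file:line of every import that forces "keep"
}

// `typeExports` is the set of names known to come from @types/<pkg> (pure
// types, erased at compile time). A "named" import whose identifiers are all
// in that set is erased too; anything else is conservatively treated as a
// runtime use that blocks removal.
function auditDependency(pkgJson: PackageJson, pkg: string, uses: ImportUse[],
                         typeExports: ReadonlySet<string>): Audit {
  if (!(pkgJson.dependencies && pkg in pkgJson.dependencies)) {
    return { verdict: "not-in-dependencies", reasons: [] };
  }
  const reasons = uses
    .filter((u) => u.kind === "runtime" ||
                   (u.kind === "named" && !u.names.every((n) => typeExports.has(n))))
    .map((u) => `${u.file}:${u.line}`);
  return { verdict: reasons.length === 0 ? "safe-to-remove" : "keep", reasons };
}

// Constructed sources. The first import mirrors the one quoted in the PR; the
// last file is a hypothetical runtime use of the kind that would block removal.
const SOURCES: Record<string, string> = {
  "lambdas/functions/webhook/src/lambda.ts": [
    "import { Context, SQSEvent } from 'aws-lambda';",
    "export async function handler(event: SQSEvent, context: Context) {",
    "  return event.Records.length;",
    "}",
  ].join("\n"),
  "lambdas/libs/aws-powertools-util/src/index.ts": [
    "import type { Context } from 'aws-lambda';",
    "import { type APIGatewayProxyEvent } from 'aws-lambda';",
    "export const requestId = (ctx: Context) => ctx.awsRequestId;",
  ].join("\n"),
  "scripts/deploy.js": "const deploy = require('aws-lambda');",
};

// Constructed subset of the names @types/aws-lambda exports.
const AWS_LAMBDA_TYPE_EXPORTS: ReadonlySet<string> =
  new Set(["Context", "SQSEvent", "APIGatewayProxyEvent"]);

// Constructed package.json; version ranges are placeholders.
const PACKAGE_JSON: PackageJson = {
  dependencies: { "aws-lambda": "*" },
  devDependencies: { "@types/aws-lambda": "*" },
};

function runAudit(files: string[]): Audit {
  const uses = files.flatMap((f) => classifyImports(f, SOURCES[f], "aws-lambda"));
  return auditDependency(PACKAGE_JSON, "aws-lambda", uses, AWS_LAMBDA_TYPE_EXPORTS);
}

// The PR's situation (type-only use everywhere) next to a tree with a real require().
console.log(runAudit(["lambdas/functions/webhook/src/lambda.ts",
                      "lambdas/libs/aws-powertools-util/src/index.ts"]));
console.log(runAudit(Object.keys(SOURCES)));
```

The syntactic split is deliberate: `import type` and inline `type` specifiers are erased unconditionally, but a plain `import { Context }` is erased only because `Context` resolves to a type, which is exactly the fact the PR states and which this check makes explicit through `typeExports`. After the package is removed, `yarn why aws-sdk` on the regenerated lockfile is the complementary check that the v2 SDK no longer resolves through any remaining dependency.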