
S3 SDK has (too) many dependencies, and some optional peer dependencies which lead to errors / warnings, and some apparently contain vulnerabilities #4797

@lukaselmer

Description


Describe the bug

When installing @aws-sdk/client-s3, 102 packages are installed. Some of them are not required in many scenarios IMO, e.g.

  • @aws-sdk/md5-js is available natively using nodejs
  • I suppose @aws-sdk/util-utf8-browser is not used on the server / in a node env
  • @aws-sdk/util-base64 is implemented in the browser
  • @aws-crypto/sha256-browser is used only in the browser, @aws-crypto/sha256-js is (probably?) only used on the server
  • @aws-crypto/ie11-detection is probably (hopefully!?) a thing of the past, and if it is used, it's only used in the browser
  • etc.

By installing so many dependencies, chances are that vulnerabilities are present. At the time of writing, fast-xml-parser is vulnerable (ok, this is extremely new, so it may not be a bit unfair to mention this).

Furthermore, when building a project with webpack, I get the following warnings / errors:

WARNING in ../../node_modules/@aws-sdk/signature-v4-multi-region/dist-es/SignatureV4MultiRegion.js 27:63-111
Module not found: Error: Can't resolve '@aws-sdk/signature-v4-crt' in '[...]/node_modules/@aws-sdk/signature-v4-multi-region/dist-es'
 @ ../../node_modules/@aws-sdk/signature-v4-multi-region/dist-es/index.js 1:0-41 1:0-41
 @ ../../node_modules/@aws-sdk/client-s3/dist-es/runtimeConfig.shared.js 1:0-76 15:52-74
 @ ../../node_modules/@aws-sdk/client-s3/dist-es/runtimeConfig.js 16:0-84 24:31-53
 @ ../../node_modules/@aws-sdk/client-s3/dist-es/S3Client.js 15:0-73 18:26-44
 @ ../../node_modules/@aws-sdk/client-s3/dist-es/index.js
 @ ./src/server/s3/deleteS3Object.ts 1:0-57 5:28-47
[...]

WARNING in ../../node_modules/@aws-sdk/util-user-agent-node/dist-es/is-crt-available.js 3:78-96
Module not found: Error: Can't resolve 'aws-crt' in '[...]/node_modules/@aws-sdk/util-user-agent-node/dist-es'
 @ ../../node_modules/@aws-sdk/util-user-agent-node/dist-es/index.js 4:0-52 14:25-39
 @ ../../node_modules/@aws-sdk/client-s3/dist-es/runtimeConfig.js 15:0-65 33:12-28
 @ ../../node_modules/@aws-sdk/client-s3/dist-es/S3Client.js 15:0-73 18:26-44
 @ ../../node_modules/@aws-sdk/client-s3/dist-es/index.js
 @ ./src/server/s3/deleteS3Object.ts 1:0-57 5:28-47
[...]

And yes, I've also noticed

but they don't really solve the core issue IMHO.

I don't know where these modules are used during production, but our tests / use cases apparently work without using these dependencies.

So now I have a lot of packages installed, I don't know which packages are used and which are unused, and our validation team, who validates these packages, has to validate more than 100 packages, and I expect that most of them are not even used. And we install packages in our server / CI, which are not even intended to be used on the server.

SDK version number

@aws-sdk/[email protected], see package-lock.json below for the full list

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v18.16.0

Reproduction Steps

npm init -y
npm i --save @aws-sdk/client-s3
npm audit
tree node_modules

Observed Behavior

(Too) Many dependencies are installed, some (most?) of them are unused.

There's a warning when compiling with webpack (missing peer dependencies). I don't know which features use these peer dependencies (missing docs), but apparently we don't use it.

Expected Behavior

Fewer packages are installed, all or almost all are used. I can install only what I need, and I need only a fraction of the features offered by the S3 sdk.

It is clearly documented which features use @aws-sdk/signature-v4-crt and aws-crt. Even better: this feature is extracted in a separate package, so if you don't need it, you don't install it.

Possible Solution

Do you think there's a better way to split up the sdk even more? E.g. separate a browser / server package, at least for the most popular packages like (I suppose) S3? Or have a "lite" version of some packages, which include the features used in 99% of the cases? And have an "extended" version of a package, which wraps the APIs that are only used in 1% of the libraries? Or convert more dependencies to peer dependencies, and describe which peer dependencies are used for which platforms / api calls? Or convert more peer dependencies, and create a meta package (e.g. @aws-sdk/client-s3-node) which requires the necessary peer dependencies?

I think it's a difficult problem, but there must be a better way! 🤔

Additional Information/Context

[three screenshots attached to the issue]
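Added example, not code from the issue or from the AWS SDK: one way to answer the "which of the 100+ installed packages does our code actually use" question for a given test run, by comparing the package list in package-lock.json (lockfileVersion 2/3 "packages" map) with the module paths Node loaded, i.e. Object.keys(require.cache) after exercising the use case. The lockfile and loaded paths below are constructed samples, and the function names are this example's own.

```javascript
// Map a module path to its owning package name. Handles scoped packages
// (@scope/name) and nested node_modules (the innermost node_modules wins).
// Returns null for the project's own files.
function packageNameFromPath(modulePath) {
  const parts = modulePath.split(/[\\/]/);
  const idx = parts.lastIndexOf('node_modules');
  if (idx === -1 || idx + 1 >= parts.length) return null;
  const first = parts[idx + 1];
  if (first.startsWith('@')) {
    return idx + 2 < parts.length ? `${first}/${parts[idx + 2]}` : null;
  }
  return first;
}

// Installed package names from the lockfile's "packages" map, whose keys
// look like "node_modules/@aws-sdk/client-s3" (the "" key is the root project).
function installedFromLock(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    if (key === '') continue;
    const name = packageNameFromPath(key);
    if (name) names.add(name);
  }
  return names;
}

// Packages in the lockfile to which none of the loaded modules belong.
function unusedPackages(lock, loadedPaths) {
  const installed = installedFromLock(lock);
  const used = new Set(loadedPaths.map(packageNameFromPath).filter(Boolean));
  return [...installed].filter((n) => !used.has(n)).sort();
}

// Constructed sample lockfile and constructed list of modules a test run
// touched. In a real run use JSON.parse(fs.readFileSync('package-lock.json'))
// and Object.keys(require.cache) instead.
const sampleLock = {
  packages: {
    '': {},
    'node_modules/@aws-sdk/client-s3': {},
    'node_modules/@aws-sdk/md5-js': {},
    'node_modules/fast-xml-parser': {},
    'node_modules/@aws-sdk/client-s3/node_modules/tslib': {},
  },
};
const sampleLoaded = [
  '/app/node_modules/@aws-sdk/client-s3/dist-cjs/index.js',
  '/app/node_modules/@aws-sdk/client-s3/node_modules/tslib/tslib.js',
  '/app/src/server/s3/deleteS3Object.js',
];

console.log(unusedPackages(sampleLock, sampleLoaded));
```

Packages that are only required on code paths the run did not exercise (for example the optional aws-crt branch behind the webpack warnings above) will be reported as unused, so run every use case the service actually has before trusting the list.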

Labels

  • dependencies: This issue is a problem in a dependency.
  • feature-request: New feature or enhancement. May require GitHub community feedback.
  • p2: This is a standard priority issue
  • xl: Effort estimation: very large