Dependencies mismatch across some packages

[ernestostifano]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

We have the following dependency chain:

• @aws-sdk/client-s3@npm:3.682.0 -> @aws-crypto/sha1-browser@npm:5.2.0 -> @smithy/util-utf8@npm:2.3.0

Which is not compatible with other SDK packages' chains, e.g.:

• @aws-sdk/client-dynamodb@npm:3.682.0 -> @smithy/util-utf8@npm:3.0.0
• @aws-sdk/client-iot -> @smithy/util-utf8@npm:3.0.0
• @aws-sdk/middleware-sdk-s3@npm:3.682.0 -> @smithy/util-utf8@npm:3.0.0
• ...

This causes two different versions of @smithy/util-utf8 and its dependecies to be bundled in our app.

There are also issues with some semver declarations in other packages, e.g.:

• @aws-sdk/client-sqs@npm:3.682.0 -> @aws-sdk/middleware-sdk-sqs@npm:3.679.0 (3.679.0 is fixed).

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/*@3.682.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v21.7.3

Reproduction Steps

N/A.

Observed Behavior

See description.

Expected Behavior

Versioning of the SDK packages to be consistent to avoid different versions of modules being bundled together.

Possible Solution

Make sure all packages are bumped together and that correct semver syntax is being used when declaring dependencies.

In the meantime, we are using Yarn Resolutions to mitigate. However, this is risky across major versions like in the case of @smithy/util-utf8@npm:2.3.0/@smithy/util-utf8@npm:3.0.0.

Additional Information/Context

N/A.

[kuhe]

This is not a bug, our dependency wants to use a specific version of util-utf8 and we want to use another version. Your application bundle will function correctly whether you override @smithy/util-utf8 to a single version or include the nested version.

Please create a request to https://github.com/aws/aws-sdk-js-crypto-helpers/tree/master/packages/sha1-browser to release a version using ^3.0.0 of util-utf8.

[zshzbh]

Hey @ernestostifano ,

Thanks for the feedback! I just checked the codebase -

aws-sdk/client-s3 version 3.682 has dependency of "@smithy/util-utf8": "^3.0.0",

@aws-crypto/sha1-browser has dependency of "@smithy/util-utf8": "^2.0.0",

Think the request would be updating the version to ^3.0.0

[zshzbh]

I just created a request - aws/aws-sdk-js-crypto-helpers#847.
Please let us know if you have any other questions.

Thanks!
Maggie

[timtucker-dte]

Note that the dependency is now up to @smithy/util-utf8 4.0 in most of the AWS SDK, so the @aws-crypto packages continue to fall further behind.

[zshzbh]

@timtucker-dte This ticket is for aws-sdk-js-crypto-helpers to update their dependency, which could not be done by AWS JS SDK team. I will close this ticket and we can followup the issue on aws-sdk-js-crypto-helpers repo