Remove aws package extensions #5100

Merged: dskloetc merged 1 commit into main from kloet/aws-extensions, Jun 17, 2026
@dskloetc dskloetc commented Jun 17, 2026

Description

#3327 added package extensions in .yarnrc.yml for @aws-sdk to satisfy peer dependencies transitively required by @aws-sdk/client-s3.

With newer versions of the AWS SDK (updated in #5098), these extensions are no longer necessary because the credential packages used by @aws-sdk/client-s3 no longer declare peer dependencies on @aws-sdk/client-sts and @aws-sdk/client-sso-oidc.

Furthermore, these extensions are keeping around an old vulnerable version of fast-xml-parser which prevents https://github.com/smartcontractkit/external-adapters-js/security/dependabot/421 from being fixed.

Changes

yq -i '
  del(.packageExtensions."@aws-sdk/credential-provider-ini@*") |
  del(.packageExtensions."@aws-sdk/credential-provider-web-identity@*") |
  del(.packageExtensions."@aws-sdk/token-providers@*")
' .yarnrc.yml

yarn
  1. Remove the 3 @aws-sdk package extensions from .yarnrc.yml.
  2. Run yarn.

Steps to Test

git checkout 23ceaae1d1~1
yq -i '
  del(.packageExtensions."@aws-sdk/credential-provider-ini@*") |
  del(.packageExtensions."@aws-sdk/credential-provider-web-identity@*") |
  del(.packageExtensions."@aws-sdk/token-providers@*")
' .yarnrc.yml
yarn
# Notice that this fails:
yarn bundle packages/sources/s3-csv-reader -o packages/sources/s3-csv-reader/bundle

# Error: Module not found: Error: @aws-sdk/credential-provider-ini tried to access @aws-sdk/client-sts (a peer dependency) but it isn't provided by its ancestors; this makes the require call ambiguous and unsound.
# ... etc.

grep fast-xml-parser yarn.lock   # includes vulnerable version 4.4.1

# Try the same at 23ceaae1d1 and notice that it passes.
git reset --hard HEAD
git checkout 23ceaae1d1
yq -i '
  del(.packageExtensions."@aws-sdk/credential-provider-ini@*") |
  del(.packageExtensions."@aws-sdk/credential-provider-web-identity@*") |
  del(.packageExtensions."@aws-sdk/token-providers@*")
' .yarnrc.yml
yarn
yarn bundle packages/sources/s3-csv-reader -o packages/sources/s3-csv-reader/bundle
grep fast-xml-parser yarn.lock   # expect only 5.7.3

Quality Assurance

  • If a new adapter was made, or an existing one was modified so that its environment variables have changed, update the relevant infra-k8s configuration file.
  • If a new adapter was made, or an existing one was modified so that its environment variables have changed, update the relevant adapter-secrets configuration file.
  • If a new adapter was made, or a new endpoint was added, update the test-payload.json file with relevant requests.
  • The branch naming follows git flow (feature/x, chore/x, release/x, hotfix/x, fix/x) or is created from Jira.
  • This is related to a maximum of one Jira story or GitHub issue.
  • Types are safe (avoid TypeScript/TSLint features like any and disable, instead use more specific types).
  • All code changes have 100% unit and integration test coverage. If testing is not applicable or too difficult to justify doing, the reasoning should be documented explicitly in the PR.
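
The `grep fast-xml-parser yarn.lock` check from Steps to Test, written as a stricter added example (not part of this PR or the repository): it reads each lock entry's `resolution:` line and fails unless the package resolves only to the expected version. The function names and the sample lockfile are constructed for illustration.

```shell
# Added example: check which versions of a package a Yarn Berry yarn.lock resolves.

# Print the distinct resolved versions of npm package $1 in lockfile $2.
# Matches the `resolution: "<name>@npm:<version>"` line of each entry, so a
# package whose name merely starts with $1 is not counted.
locked_versions() {
  awk -v pkg="$1" '
    $1 == "resolution:" {
      res = $2
      gsub(/"/, "", res)
      prefix = pkg "@npm:"
      if (index(res, prefix) == 1) print substr(res, length(prefix) + 1)
    }
  ' "$2" | sort -u
}

# Succeed only if package $1 is locked and every resolution is version $2.
# Unexpected versions are reported on stderr. $3 is the lockfile.
only_version_locked() {
  lv_found=$(locked_versions "$1" "$3")
  if [ -z "$lv_found" ]; then
    echo "$1 is not present in $3" >&2
    return 1
  fi
  lv_bad=$(printf '%s\n' "$lv_found" | grep -Fxv -- "$2" || true)
  [ -z "$lv_bad" ] && return 0
  for lv_v in $lv_bad; do
    echo "unexpected $1@$lv_v in $3" >&2
  done
  return 1
}

# Constructed sample in Yarn Berry lockfile layout (checksums omitted);
# "fast-xml-parser-extra" is a made-up name to show the exact-name match.
write_sample_lock() {
  cat > "$1" <<'EOF'
"fast-xml-parser@npm:4.4.1":
  version: 4.4.1
  resolution: "fast-xml-parser@npm:4.4.1"

"fast-xml-parser@npm:5.7.3":
  version: 5.7.3
  resolution: "fast-xml-parser@npm:5.7.3"

"fast-xml-parser-extra@npm:^1.0.0":
  version: 1.0.0
  resolution: "fast-xml-parser-extra@npm:1.0.0"
EOF
}
```

In a checkout, `only_version_locked fast-xml-parser 5.7.3 yarn.lock` returns non-zero while any other version is still locked, which makes it usable as a CI gate.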

changeset-bot Bot commented Jun 17, 2026

⚠️ No Changeset found

Latest commit: 754a6a8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@dskloetc dskloetc marked this pull request as ready for review June 17, 2026 18:19
@danwilliams-cll danwilliams-cll requested a review from Copilot June 17, 2026 18:21

Copilot AI left a comment

Pull request overview

This pull request removes now-unnecessary Yarn packageExtensions for @aws-sdk/* packages after upgrading to newer AWS SDK v3 versions, which eliminates forced retention of older transitive dependencies (notably an older vulnerable fast-xml-parser).

Changes:

  • Removed three @aws-sdk/* entries from .yarnrc.yml packageExtensions that previously injected client-sts / client-sso-oidc.
  • Regenerated dependency state via yarn, updating yarn.lock to drop the legacy AWS SDK v3.696.0 subtree and fast-xml-parser@4.4.1 (now only fast-xml-parser@5.7.3 remains).
  • Updated .pnp.cjs accordingly to reflect the new dependency graph.

Reviewed changes

Copilot reviewed 1 out of 64 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .yarnrc.yml | Removes AWS SDK packageExtensions that are no longer needed with newer AWS SDK versions. |
| yarn.lock | Drops old AWS SDK v3.696.0 artifacts and removes fast-xml-parser@4.4.1, leaving fast-xml-parser@5.7.3. |
| .pnp.cjs | Updates Yarn PnP runtime state to match the new resolved dependency tree. |

Files not reviewed (1)
  • .pnp.cjs: Generated file

@dskloetc dskloetc merged commit 05c7971 into main Jun 17, 2026
23 checks passed
@dskloetc dskloetc deleted the kloet/aws-extensions branch June 17, 2026 18:26