feat: typing ingest lambda and related files, app entry, adjusting types as needed (#1087)

* feat: convert errors.js to typescript  fix: fix issue with ava test runner not identifying the error typescript file and finding temporary workaround during migration.

* feat: creating base STAC types fix: updating linter overrides fro typescript

* feat: convert geo-utils and logger to typescript  feat: use BBox type from geojson lib

* feat: typing stac-utils fix: tweaking types based on experience in stac-utils.ts

* feat: deleted s3-utils.js which was slightly different from s3-utils.ts.  Confirmed using s3-utils.ts passes all tests

* feat: rounding out typing for s3-utils.ts

* feat: typing sns file

* feat: typing aws clients

* feat: converting database clients to typescript

* complete typing of asset-proxy and asset-buckets files tests: flesh out input object in test to be a more complete StacItem to pass an expected logic gate

* feat: first quick pass at typing Searchparams and DbOperation

* feat: updating changelog

* logger: change to 'info' not 'error' in case of index already existing

* feat: typing database.ts and updating types as required

* feat: cleaning up types, remove unused, consolidating where appropriate

* updating changelog

* feat: typing a few remainig untyped params

* feat: moved some utils to api-utils.ts and typed them  feat: changed api.js to api.ts

* feat: typing api.ts, adjusting types as needed

* feat: adding missing type, adding return type in a few spots where it was missing

* updating changelog

* PR feedback

* feat: typing ingest lambda and related files, adjusting types as needed

* converting lambdas to typescript

* feat: finishing typing lambdas, extending base express Request type, adding types as necessary

* updating changelog

* fix: PR feedback

* PR feedback changs after reviewing Claude suggestions

* updating .nsprc file

Author: theodorehreuter

.nsprc

@@ -2,32 +2,32 @@
     "1113461": {
         "active": true,
         "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
-        "expiry": "2026-04-25"
+        "expiry": "2026-09-30"
     },
     "1113466": {
         "active": true,
         "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
-        "expiry": "2026-04-25"
+        "expiry": "2026-09-30"
     },
     "1113540": {
         "active": true,
         "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
-        "expiry": "2026-04-25"
+        "expiry": "2026-09-30"
     },
     "1113545": {
         "active": true,
         "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
-        "expiry": "2026-04-25"
+        "expiry": "2026-09-30"
     },
     "1113548": {
         "active": true,
         "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
-        "expiry": "2026-04-25"
+        "expiry": "2026-09-30"
     },
     "1113553": {
         "active": true,
         "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
-        "expiry": "2026-04-25"
+        "expiry": "2026-09-30"
     },
     "1115339": {
         "active": true,
@@ -39,6 +39,11 @@
         "notes": "fast-xml-parser is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. The entity expansion limit bypass via JavaScript falsy evaluation of zero values only affects applications that explicitly configure maxEntityCount:0 or maxEntitySize:0. We do not configure fast-xml-parser directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
         "expiry": "2026-06-30"
     },
+    "1116957": {
+        "active": true,
+        "notes": "fast-xml-parser is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. The XMLBuilder XML comment and CDATA injection via unescaped delimiters requires use of the XMLBuilder API with attacker-controlled input. We do not use fast-xml-parser directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
+        "expiry": "2026-06-30"
+    },
     "1115541": {
         "active": true,
         "notes": "brace-expansion is a transitive dependency of redoc, used only for API documentation rendering. The zero-step sequence causing process hang is not exploitable as brace-expansion is never used to process untrusted input in our usage context.",
@@ -112,14 +117,34 @@
     "1115527": {
         "active": true,
         "notes": "path-to-regexp is a transitive dependency of express. A DoS via multiple route parameters is a low practical risk for stac-server: deployments are primarily hosted on AWS which provides built-in DDoS detection and mitigation, and the underlying data is generally not mission critical. A fix is expected upstream in the near future and will be incorporated before the next release.",
-        "expiry": "2026-04-30"
+        "expiry": "2026-09-30"
     },
     "1116663": {
         "active": true,
         "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The ADD_TAGS function form bypassing FORBID_TAGS due to short-circuit evaluation requires both ADD_TAGS as a function and FORBID_TAGS to be configured simultaneously. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
         "expiry": "2026-09-30"
     },
-    "1116832": {
+    "1117138": {
+        "active": true,
+        "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The FORBID_TAGS bypass via function-based ADD_TAGS predicate requires direct DOMPurify configuration with both options simultaneously. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
+        "expiry": "2026-09-30"
+    },
+    "1117139": {
+        "active": true,
+        "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode requires direct DOMPurify configuration with RETURN_DOM mode enabled. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
+        "expiry": "2026-09-30"
+    },
+    "1117140": {
+        "active": true,
+        "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The prototype pollution to XSS bypass via CUSTOM_ELEMENT_HANDLING fallback requires attacker-controlled input to DOMPurify. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
+        "expiry": "2026-09-30"
+    },
+    "1117015": {
+        "active": true,
+        "notes": "postcss is a transitive dependency of @redocly/cli via styled-components, used only as a build tool to generate static API documentation. The XSS via unescaped </style> in CSS stringify output requires attacker-controlled CSS input processed by PostCSS. We do not use PostCSS directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
+        "expiry": "2026-09-30"
+    },
+    "1117042": {
         "active": true,
         "notes": "protobufjs is a transitive dependency of @redocly/cli via @opentelemetry/otlp-transformer, used only as a build tool to generate static API documentation. The arbitrary code execution via malicious protobuf definitions requires attacker-controlled protobuf definition files, which is not possible in our usage context as @redocly/cli is never run against untrusted input.",
         "expiry": "2026-06-30"

.vscode/settings.json

@@ -17,4 +17,7 @@
   },
   "editor.tabSize": 2,
   "files.insertFinalNewline": true,
+  "typescript.tsserver.maxTsServerMemory": 4096,
+  "typescript.tsserver.experimental.enableProjectDiagnostics": false,
+  "typescript.disableAutomaticTypeAcquisition": true
 }

CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Changed
 
+- Typing the top level lambda layer ([1087](https://github.com/stac-utils/stac-server/pull/1087))
 - Typing the api layer in `api.ts`, pushing some minor functions to a new utility files `api-utils.ts` ([1081](https://github.com/stac-utils/stac-server/pull/1081))
 - Converting the database layer to typescript as part of migration ([1077](https://github.com/stac-utils/stac-server/pull/1077))
 - Converting additional files to typescript as part of typescript migration and generating related types ([1071](https://github.com/stac-utils/stac-server/pull/1071))

package-lock.json

@@ -83,15 +83,15 @@
     "@smithy/types": "^4.13.1",
     "@stoplight/spectral-cli": "^6.15.0",
     "@tsconfig/node22": "^22.0.5",
-    "@types/aws-lambda": "^8.10.159",
+    "@types/aws-lambda": "^8.10.161",
     "@types/color-convert": "^2.0.4",
     "@types/color-name": "^2.0.0",
     "@types/color-string": "^1.5.5",
     "@types/compression": "^1.8.1",
     "@types/cors": "^2.8.19",
     "@types/debug": "^4.1.12",
     "@types/eslint": "^9.6.1",
-    "@types/express": "^4.17.21",
+    "@types/express": "^4.17.25",
     "@types/geojson": "^7946.0.16",
     "@types/http-errors": "^2.0.5",
     "@types/lodash-es": "^4.17.12",

package.json

@@ -0,0 +1,12 @@
+import { APIGatewayProxyEvent } from 'aws-lambda'
+
+// extending the main 'express' 'Request' type to add 'endpoint'
+// that is not on the default type
+declare global {
+  namespace Express {
+    interface Request {
+      endpoint: string
+      event?: APIGatewayProxyEvent
+    }
+  }
+}

src/@types/express/index.d.ts

@@ -1,7 +1,7 @@
 // @ts-nocheck
 import cors from 'cors'
-import createError from 'http-errors'
-import express from 'express'
+import createError, { HttpError } from 'http-errors'
+import express, { Request, Response, NextFunction } from 'express'
 import compression from 'compression'
 import morgan from 'morgan'
 import path from 'path'
@@ -13,13 +13,8 @@ import { readFile } from '../../lib/fs.js'
 import addEndpoint from './middleware/add-endpoint.js'
 import logger from '../../lib/logger.js'
 import { AssetProxy } from '../../lib/asset-proxy.js'
-
-/**
- * @typedef {import('express').Request} Request
- * @typedef {import('express').Response} Response
- * @typedef {import('express').NextFunction} NextFunction
- * @typedef {import('express').ErrorRequestHandler} ErrorRequestHandler
- */
+import { StacItem } from '../../lib/types.js'
+import { isFeatureCollection } from '../../lib/stac-utils.js'
 
 export const createApp = async () => {
   const txnEnabled = process.env['ENABLE_TRANSACTIONS_EXTENSION'] === 'true'
@@ -115,7 +110,7 @@ export const createApp = async () => {
     }
   })
 
-  app.get('/search', async (req, res, next) => {
+  app.get('/search', async (req: Request, res: Response, next) => {
     try {
       const result = await api.searchItems(
         database, 'GET', null, req.endpoint, req.query, req.headers
@@ -333,8 +328,8 @@ export const createApp = async () => {
               next(error)
             }
           }
-        } else if (req.body.type === 'FeatureCollection') {
-          const duplicateItemErrors = []
+        } else if (isFeatureCollection(req.body)) {
+          const duplicateItemErrors: StacItem[] = []
           let itemsCreated = 0
           for (const item of req.body.features) {
             try {
@@ -569,14 +564,13 @@ export const createApp = async () => {
   })
 
   // catch 404 and forward to error handler
-  app.use((_req, _res, next) => {
+  app.use((_req: Request, _res: Response, next: NextFunction) => {
     next(createError(404))
   })
 
   // error handler
   app.use(
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    /** @type {ErrorRequestHandler} */ ((err, _req, res, _next) => {
+    ((err: HttpError, _req: Request, res: Response, _next: NextFunction) => {
       res.status(err.status || 500)
 
       res.type('application/json')
@@ -601,5 +595,3 @@ export const createApp = async () => {
 
   return app
 }
-
-export default { createApp }