Project dead?

[jvgeee]

14 PRs, no real activity for ~1.5 years, is this project still alive? Need new contributors/maintainers?

If so, please let the community help! This project has 35,000 weekly downloads on NPM so I'm sure there'll be a lot of interest in keeping it alive.

[majindageta]

Kinda dead, i'm still using this a lot.

for this PR #229
i'm stuck to a previous version, i'll have to find time to find a solution

[estahn]

Probably best to fork and have it maintained elsewhere. What do you think @AshanFernando

[caseyfw]

My company literally can't use this in its current state as it has dependencies with known critical vulnerabilities.

Such a shame, because it's literally just a matter of merging some of the dependabot PRs.

[AshanFernando]

@estahn It seems, we need to reorganize and find a new set of maintainers. Please +1 for this thread if you would like to volunteer as a maintainer so that we can take the project forward.

[caseyfw]

Probably the worst possible solution from a community perspective, but I ended up re-writing a lean version of this plugin in TS, implementing just the docker version of starting DynamoDB and the migrations mechanism, and put it in one of my company's private library monorepos.

We're busy migrating away from Serverless, so I'm probably not well placed to act as maintainer, and my company is really weird about open-sourcing things.

Given the 35k weekly downloads, there must be some folk out there who would be ideal maintainers.

[yoelfme]

@estahn It seems, we need to reorganize and find a new set of maintainers. Please +1 for this thread if you would like to volunteer as a maintainer so that we can take the project forward.

👍🏽

[OPthyago]

@estahn It seems, we need to reorganize and find a new set of maintainers. Please +1 for this thread if you would like to volunteer as a maintainer so that we can take the project forward.

+1

[kalanchoej]

My company literally can't use this in its current state as it has dependencies with known critical vulnerabilities.

Such a shame, because it's literally just a matter of merging some of the dependabot PRs.

We're in the same position.

Also: +1 👍

[AshanFernando]

@kalanchoej @OPthyago @yoelfme I've added you as maintainers.

[terozio]

Great if the project has a new set of maintainers! Can we expect a new release soonish fixing the most obvious vulnerable dependencies?

[OPthyago]

I'm talking with @AshanFernando about it @terozio.

[kdybicz]

for people struggling with critical vulnerabilities: I'm forcing safe versions of problematic dependencies of serverless-dynamodb-local by adding below lines to package.json in my projects. I'm using yarn if that makes any difference.

  "resolutions": {
    "serverless-dynamodb-local/dynamodb-localhost/mocha/yargs-unparser/flat": "^5.0.2",
    "serverless-dynamodb-local/dynamodb-localhost/mocha/minimatch": "^3.1.2",
    "serverless-dynamodb-local/aws-sdk/xml2js": "^0.5.0"
  },

[terozio]

Any hope of progress here?

[jvgeee]

For anyone struggling with this, I've gotten serverless offline + dynamodb local working with the following:

1. Using this fork of serverless-dynamodb-local which updates a bunch of dependancies - most importantly this fixes a broken version of dynamodb-localhost.
2. Using Dynamodb Toolbox. I was using Dynogels previously but it's no longer supported

Relevant dependencies from my package.json:

"devDependencies": {
    "@aws-sdk/client-dynamodb": "^3",
    "@aws-sdk/credential-providers": "^3.312.0",
    "@aws-sdk/lib-dynamodb": "^3",
    "serverless-dynamodb-local": "https://github.com/eheyder/serverless-dynamodb-local",
    "serverless-offline": "^12.0.4",
    "serverless-prune-plugin": "^1.5.1",
    "serverless-webpack": "^5.11.0",
}

Works totally fine now.

@AshanFernando @OPthyago At a bare minimum could you update the dynamodb-localhost dependency here?

[yudikubota]

Any maintained forks?

[domdomegg]

It's a shame this thread didn't get the project back alive. There is a maintained fork that has committed to ongoing longer-term maintenace (Disclaimer: I am a contributor to this fork):

Solution: You can use serverless-dynamodb, a maintained fork. It is a drop-in replacement for this package, and is updated to fix this bug. This is a drop-in replacement for serverless-dynamodb-local, so to upgrade simply:

1. Uninstall serverless-dynamodb-local, e.g. npm uninstall serverless-dynamodb-local
2. Install serverless-dynamodb, e.g. npm install serverless-dynamodb
3. Update references in your code, including your serverless config, from serverless-dynamodb-local to serverless-dynamodb (quite possible that you won't have any, as you just refer to it from your serverless config)
4. (optional) Update your serverless config custom dynamodb key to serverless-dynamodb

Of course, it's all still open-source and MIT licensed. Ownership of this new package sits with a registered charity, that is committed to maintaining the package into the future and is open to contributions from the community.

There's an explanation as to the intentions behind this fork, and how it compares to other forks in the README.

In any case would be open to feedback on the fork - can drop create an issue in that repository or email me (address on profile).