@types/uuid is listed as a production dependency in many clients #6980

Closed
3 of 4 tasks
patrick-boisen-smtdata opened this issue Mar 27, 2025 · 2 comments
Labels
closed-for-staleness guidance General information and guidance, answers to FAQs, or recommended best practices/resources. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@patrick-boisen-smtdata
Checkboxes for prior research

Describe the bug

I noticed that I seemed to have devDependencies finding a way into my production Docker images. Turns out that one of them came from packages in this repo:

pnpm why @types/uuid
Legend: production dependency, optional only, dev only

redacted_app_name@0.1.10 /app

dependencies:
@aws-sdk/client-athena 3.699.0
└── @types/uuid 9.0.8
@aws-sdk/client-secrets-manager 3.699.0
└── @types/uuid 9.0.8
athena-express-plus 8.1.0
└─┬ @aws-sdk/client-athena 3.699.0
  └── @types/uuid 9.0.8

A quick code search in the repo shows that it is in quite a few clients.

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-*@3.699.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.19.0

Reproduction Steps

pnpm why @types/uuid

Observed Behavior

@types/uuid is listed as a production dependency, which does not seem correct.

Expected Behavior

That the package is listed as a devDependency.

Possible Solution

List the package as a devDependency.

Additional Information/Context

Other than just being extra stuff in Docker images etc., it also triggers security scanners, which makes it something we have to deal with in our company.

@patrick-boisen-smtdata patrick-boisen-smtdata added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 27, 2025
@kuhe
Contributor

kuhe commented Mar 27, 2025

For TypeScript users, all types used in the SDK must be in dependencies. You can elect to delete the package from your runtime.

@kuhe kuhe added guidance General information and guidance, answers to FAQs, or recommended best practices/resources. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 27, 2025
@kuhe kuhe self-assigned this Mar 27, 2025

github-actions bot commented Apr 7, 2025

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Apr 7, 2025