Bump uuid and @aws-sdk/client-dynamodb in /backend/src/mithrandir #1110
dependabot[bot] wants to merge 1 commit into
Conversation
Removes [uuid](https://github.com/uuidjs/uuid). It's no longer used after updating ancestor dependency [@aws-sdk/client-dynamodb](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-dynamodb). These dependencies need to be updated together.

Removes `uuid`

Updates `@aws-sdk/client-dynamodb` from 3.758.0 to 3.1053.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-dynamodb/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1053.0/clients/client-dynamodb)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version:
  dependency-type: indirect
- dependency-name: "@aws-sdk/client-dynamodb"
  dependency-version: 3.1053.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
This is a large AWS SDK version jump (3.758 → 3.1053) that bumps the Node engine requirement to >=20 and leaves @aws-sdk/lib-dynamodb at 3.758.0 — worth a human verifying the Lambda runtime/peer-dep compatibility before merging.
Extended reasoning
Overview
This is a Dependabot PR that updates @aws-sdk/client-dynamodb from 3.758.0 to 3.1053.0 in backend/src/mithrandir (the SailApps authentication Lambda handler), and removes the unused transitive uuid dependency. Only package.json and package-lock.json are touched.
Security risks
The uuid package removal is safe — index.ts uses Node's built-in crypto.randomUUID(), not the npm uuid package, so no runtime behavior change there. No code paths in the auth handler reference the removed dependency directly.
Level of scrutiny
I'd recommend a human run a build/test pass before merging. A few things stand out as worth a quick check rather than rubber-stamping:
- Very large version jump (~295 minor versions of the AWS SDK in one go), spanning substantial internal restructuring (new packages like `@aws-sdk/dynamodb-codec`, `@aws/lambda-invoke-store`, restructured `@smithy/core`).
- Node engine bump for the new `@aws-sdk/client-dynamodb` is `>=20.0.0` (previously `>=18.0.0`). The Lambda runtime configuration is defined in the deploy infra (not in this repo, as far as I can see) — worth confirming it's Node 20+.
- Version skew with `@aws-sdk/lib-dynamodb`: this PR leaves `lib-dynamodb` pinned at 3.758.0 while bumping `client-dynamodb` to 3.1053.0. The peer-dep `^3.758.0` is technically satisfied, but the two packages are typically released in lockstep. The lockfile now contains two versions of `@aws-sdk/core` (3.758.0 and 3.974.13) coexisting, which can lead to subtle DocumentClient marshalling/unmarshalling issues.
Other factors
No bugs were flagged by the bug-hunter, which is expected for a lockfile-only change since static analysis won't catch SDK runtime compatibility. The mithrandir handler manages OAuth PKCE state, encrypted tokens, and DynamoDB-stored auth data — not a place where I'd auto-approve a 295-version SDK leap without someone confirming a successful build + smoke test.
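As an added example (not code from the PR, from Dependabot, or from the mithrandir project), the following Node script performs the three lockfile checks the comment above asks a human to make: duplicate installed versions of one package, version skew between packages that are released in lockstep, and an `engines.node` floor above the deployed Lambda runtime. It assumes npm's lockfileVersion 3 layout (a `packages` object keyed by `node_modules/...` path). The `SAMPLE_LOCK` object is constructed to mirror the state the review describes and is not the repository's real `package-lock.json`; the `runtimeNodeMajor` value is an input the reviewer would take from the deploy infra, which this repo does not contain.

```javascript
// Added example, not code from the PR or the mithrandir project. Audits an npm
// lockfile (lockfileVersion 3 layout) for duplicate package versions, lockstep
// skew, and an engines.node floor above the target runtime.

// Constructed sample lockfile mirroring the state described in the review;
// replace with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) for real use.
const SAMPLE_LOCK = {
  name: "mithrandir",
  lockfileVersion: 3,
  packages: {
    "": { name: "mithrandir", dependencies: { "@aws-sdk/client-dynamodb": "^3.1053.0", "@aws-sdk/lib-dynamodb": "^3.758.0" } },
    "node_modules/@aws-sdk/client-dynamodb": { version: "3.1053.0", engines: { node: ">=20.0.0" } },
    "node_modules/@aws-sdk/lib-dynamodb": { version: "3.758.0", peerDependencies: { "@aws-sdk/client-dynamodb": "^3.758.0" } },
    "node_modules/@aws-sdk/core": { version: "3.974.13" },
    "node_modules/@aws-sdk/lib-dynamodb/node_modules/@aws-sdk/core": { version: "3.758.0" },
  },
};

// The package name is everything after the last "node_modules/" in a lockfile key;
// nested keys are how npm records a second copy of a package.
function packageName(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// Map of package name -> sorted array of distinct installed versions.
function installedVersions(lock) {
  const byName = new Map();
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = packageName(key);
    if (!name || !entry.version) continue;
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(entry.version);
  }
  return new Map([...byName].map(([n, s]) => [n, [...s].sort()]));
}

// Packages present at more than one version (the classic footprint of a partial bump).
function duplicatedPackages(lock) {
  return [...installedVersions(lock)].filter(([, v]) => v.length > 1);
}

// Minimum Node major from an engines.node range such as ">=20.0.0"; null for other shapes.
function minNodeMajor(range) {
  const m = /^\s*>=\s*v?(\d+)/.exec(range || "");
  return m ? Number(m[1]) : null;
}

// Returns a list of human-readable findings; empty means nothing to flag.
function auditLockfile(lock, { lockstepPairs = [], runtimeNodeMajor }) {
  const findings = [];
  const versions = installedVersions(lock);
  for (const [name, vs] of duplicatedPackages(lock)) {
    findings.push(`duplicate: ${name} installed at ${vs.join(", ")}`);
  }
  for (const [a, b] of lockstepPairs) {
    const va = versions.get(a);
    const vb = versions.get(b);
    if (va && vb && !(va.length === 1 && vb.length === 1 && va[0] === vb[0])) {
      findings.push(`skew: ${a}@${va.join("/")} vs ${b}@${vb.join("/")}`);
    }
  }
  for (const [key, entry] of Object.entries(lock.packages)) {
    const floor = minNodeMajor(entry.engines && entry.engines.node);
    if (floor !== null && runtimeNodeMajor !== undefined && floor > runtimeNodeMajor) {
      findings.push(`engines: ${packageName(key)} needs node >=${floor}, runtime is ${runtimeNodeMajor}`);
    }
  }
  return findings;
}

// Usage: audit against a Node 18 Lambda runtime (assumed value; take it from the deploy infra).
const report = auditLockfile(SAMPLE_LOCK, {
  lockstepPairs: [["@aws-sdk/client-dynamodb", "@aws-sdk/lib-dynamodb"]],
  runtimeNodeMajor: 18,
});
for (const line of report) console.log(line);
```

Against the constructed lockfile this reports the duplicate `@aws-sdk/core`, the `client-dynamodb`/`lib-dynamodb` skew, and the Node 20 floor; passing `runtimeNodeMajor: 20` clears the engines finding but leaves the other two, which is exactly the residual risk the review asks someone to confirm with a build and smoke test.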
Removes `uuid`

Updates `@aws-sdk/client-dynamodb` from 3.758.0 to 3.1053.0

Release notes
Sourced from @aws-sdk/client-dynamodb's releases.
... (truncated)

Changelog
Sourced from @aws-sdk/client-dynamodb's changelog.
... (truncated)

Commits
- ef69ea6 Publish v3.1053.0
- 443d6be Publish v3.1052.0
- 0d6242d chore(codegen): update @smithy dependencies (#8038)
- b825c13 Publish v3.1051.0
- bdc9fc6 Publish v3.1050.0
- 04d52f3 Publish v3.1049.0
- 313813d Publish v3.1048.0
- 1af9047 chore(codegen): updated import sources for aws-sdk core (#8015)
- eabae7d chore(codegen): sync for browser bundle fixes (#8022)
- 8edb907 Publish v3.1047.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.