fix(security): drop unused @serverless/utils production dependency#738
Merged
Conversation
@serverless/utils was declared in dependencies but never imported at runtime. It was the only consumer-facing path to decompress@4.2.1 (GHSA-mp2f-45pm-3cg9 / CVE-2026-53486), which has no upstream patch. Removing it clears decompress/file-type/uuid from the production tree; npm audit --omit=dev now reports 0 vulnerabilities. No runtime or build impact. Fixes #266
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
💤 Files with no reviewable changes (1)
📝 WalkthroughWalkthroughThe ChangesDependency removal
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested labels: dependencies Suggested reviewers: sid88in 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
AlexHladin
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix(security): drop unused
@serverless/utilsproduction dependency (Fixes #266)Summary
Removes
@serverless/utilsfromdependencies. It was a phantom production dependency — declared but never used at runtime — and the only consumer-facing path to the critically vulnerabledecompress.The alert
Dependabot #266 —
decompressarchive extraction can write files/links outside the target directory (GHSA-mp2f-45pm-3cg9 / CVE-2026-53486, CVSS 9.1 critical).decompressis unmaintained and has no patched version on the<= 4.2.1line; the only upstream remedy is migrating to the@xhmikosr/decompressfork.Why removing the dependency is the right fix
Of the three intro paths in the alert, two (
serverless,@serverless/test) are devDependencies and never ship to consumers. The only production path was:And
@serverless/utilsisn't actually used by the plugin:import/requireof@serverless/utilsanywhere insrc/.declare module '@serverless/utils/log'insrc/types/serverless.d.ts— a type-only declaration that does not require the package to be installed.log/progress/writeTextare injected by the Serverless framework through the plugin constructor, not imported from this package.lib/output never references it.It's a leftover from before the plugin moved to the injected
utilsobject.Result
decompress(andfile-type,uuid, which shared the same@serverless/utilsroot) are gone from the production dependency tree.npm audit --omit=dev→ 0 vulnerabilities (was 5).npm run build,npm run lint(0 errors), andnpm run test(362 passing) are all green.@serverless/utilsremains available transitively for dev tooling (serverless,@serverless/test), so CI/build/test are unaffected.To apply
Note on fully closing the alert
This removes the consumer-facing (runtime) exposure.
decompressstill exists in the dev tree viaserverless/@serverless/test, so Dependabot may keep #266 open but should reclassify it from "Runtime dependency" to a development-only dependency on the next scan. Options for the dev residue:serverless/@serverless/testdevDependencies to a line that no longer pullsdecompress.overridesremap ofdecompress→@xhmikosr/decompress@^11.1.3. The fork is ESM-only with a changed API, whileserverless@3consumesdecompress@4's CommonJS API — this would break the dev CLI path (and unit tests wouldn't catch it, since they don't exercise serverless's extraction code).Summary by CodeRabbit