Skip to content

fix(security): drop unused @serverless/utils production dependency#738

Merged
sid88in merged 1 commit into
masterfrom
fix/drop-serverless-utils-dep
Jul 9, 2026
Merged

fix(security): drop unused @serverless/utils production dependency#738
sid88in merged 1 commit into
masterfrom
fix/drop-serverless-utils-dep

Conversation

@sid88in

@sid88in sid88in commented Jul 8, 2026

Copy link
Copy Markdown
Owner

fix(security): drop unused @serverless/utils production dependency (Fixes #266)

Summary

Removes @serverless/utils from dependencies. It was a phantom production dependency — declared but never used at runtime — and the only consumer-facing path to the critically vulnerable decompress.

The alert

Dependabot #266decompress archive extraction can write files/links outside the target directory (GHSA-mp2f-45pm-3cg9 / CVE-2026-53486, CVSS 9.1 critical). decompress is unmaintained and has no patched version on the <= 4.2.1 line; the only upstream remedy is migrating to the @xhmikosr/decompress fork.

Why removing the dependency is the right fix

Of the three intro paths in the alert, two (serverless, @serverless/test) are devDependencies and never ship to consumers. The only production path was:

dependencies → @serverless/utils@6.15.0 → decompress@4.2.1

And @serverless/utils isn't actually used by the plugin:

  • No import/require of @serverless/utils anywhere in src/.
  • The single reference is an ambient declare module '@serverless/utils/log' in src/types/serverless.d.ts — a type-only declaration that does not require the package to be installed.
  • The plugin's log / progress / writeText are injected by the Serverless framework through the plugin constructor, not imported from this package.
  • The compiled lib/ output never references it.

It's a leftover from before the plugin moved to the injected utils object.

Result

  • decompress (and file-type, uuid, which shared the same @serverless/utils root) are gone from the production dependency tree.
  • npm audit --omit=dev0 vulnerabilities (was 5).
  • npm run build, npm run lint (0 errors), and npm run test (362 passing) are all green.
  • @serverless/utils remains available transitively for dev tooling (serverless, @serverless/test), so CI/build/test are unaffected.

To apply

# remove the "@serverless/utils" line from dependencies, then:
npm install     # regenerates package-lock.json
npm run build && npm run lint && npm test

Note on fully closing the alert

This removes the consumer-facing (runtime) exposure. decompress still exists in the dev tree via serverless / @serverless/test, so Dependabot may keep #266 open but should reclassify it from "Runtime dependency" to a development-only dependency on the next scan. Options for the dev residue:

  • Recommended: dismiss Issue with split stack plugin for Lambda functions. #266 (reason: only in dev dependencies / not reachable by consumers) once it reclassifies, or configure Dependabot to scope alerts to runtime deps.
  • Upgrade the serverless / @serverless/test devDependencies to a line that no longer pulls decompress.
  • Not recommended: an overrides remap of decompress@xhmikosr/decompress@^11.1.3. The fork is ESM-only with a changed API, while serverless@3 consumes decompress@4's CommonJS API — this would break the dev CLI path (and unit tests wouldn't catch it, since they don't exercise serverless's extraction code).

Summary by CodeRabbit

  • Chores
    • Removed an unused package dependency from the project.

@serverless/utils was declared in dependencies but never imported at
runtime. It was the only consumer-facing path to decompress@4.2.1
(GHSA-mp2f-45pm-3cg9 / CVE-2026-53486), which has no upstream patch.
Removing it clears decompress/file-type/uuid from the production tree;
npm audit --omit=dev now reports 0 vulnerabilities. No runtime or build
impact.

Fixes #266
@sid88in
sid88in requested a review from AlexHladin July 8, 2026 03:20
@sid88in sid88in self-assigned this Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d0a2920a-bd03-4b1d-994b-5db30b0328ba

📥 Commits

Reviewing files that changed from the base of the PR and between 6c31a16 and b570af3.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
💤 Files with no reviewable changes (1)
  • package.json

📝 Walkthrough

Walkthrough

The @serverless/utils dependency was removed from the dependencies section of package.json. No other changes were made.

Changes

Dependency removal

Layer / File(s) Summary
Remove unused dependency
package.json
The @serverless/utils package entry is removed from the dependencies list.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested labels: dependencies

Suggested reviewers: sid88in

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: removing an unused production dependency for security.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/drop-serverless-utils-dep

Comment @coderabbitai help to get the list of available commands.

@sid88in
sid88in merged commit b48496b into master Jul 9, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Issue with split stack plugin for Lambda functions.

2 participants