You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I speak as someone who have never really used @serverless/components directly (I've only used Serverless CLI so far).
This dependency has caused me a lot of problems in the more recent versions of the Serverless CLI. I doubt everyone would have the need to make deployments or automate any services in a Chinese region, yet this dependency is hardwired to the Components library (it's a library, right? Sorry, I couldn't tell from first glance).
Wouldn't it be better to have it as a peer dependency instead of a hard one? So that those that actually need to deploy to a chinese region would have to explicitly add support as needed.
Additional Data
Two of the problems I've faced:
Having to compile a native library
AFAICT, following serverless@2, on every npm install, NPM tries to download snappy, but there's no binary for Windows. Because of that, it tries to compile it locally with the Visual Studio toolchain. I don't think it's the right thing to force everyone to install Visual Studio for a peer dependency most of the world (i.e. outside China) won't use at all.
Some evidence that @serverless/platform-client-china has part of the guilt. This was taken from a project with nothing but a devDependency on [email protected]:
It seems that @serverless/platform-client-china brings a lot of heavy dependencies to the table, that most of the other projects in the Serverless organization do not depend on. I have no idea why you'd need any of them (kafka, socket.io, etc), and frankly, I don't really care, because I'm not in China, neither do I operate any business in China.
Also, being affected by CVE on a transitive dependency of @serverless/components affects all of its users, including the users of the biggest consumer of the library, which is the Serverless CLI (IMHO). And the library's dependency tree is already plenty deep. Wouldn't it be better to reduce the scope, at least in this case?
The most recent CVE was opened some hours ago, following a previous security report/issue of some weeks prior. Granted, this does not concern any Serverless project directly, but I just wanted to point out that the target surface for bugs and attacks is greatly broadened by such a long dependency list. Those not dependent on making any interactions to a Chinese region may be able to mitigate risks by simply not installing any Chinese region support.
Follows some evidence to show that @serverless/components is part of the path to the library affected by the CVE's I linked earlier:
I apologize if what I'm asking is not feasible at all. But if it's possible to transform @serverless/platform-client-china dependency into a peerDependency, I kindly ask for you (the maintainers) to do so.
In any case, thank you very much for making Serverless! It's an amazing tool, and I use it everyday! (Also, please do tell if I can give any help on this specific issue)
The text was updated successfully, but these errors were encountered:
I would strongly support making @serverless/platform-client-china an optional peer dependency, and am happy to make a PR if folks are open to this change :)
Description
I speak as someone who have never really used
@serverless/components
directly (I've only used Serverless CLI so far).This dependency has caused me a lot of problems in the more recent versions of the Serverless CLI. I doubt everyone would have the need to make deployments or automate any services in a Chinese region, yet this dependency is hardwired to the Components library (it's a library, right? Sorry, I couldn't tell from first glance).
Wouldn't it be better to have it as a peer dependency instead of a hard one? So that those that actually need to deploy to a chinese region would have to explicitly add support as needed.
Additional Data
Two of the problems I've faced:
Having to compile a native library
AFAICT, following
serverless@2
, on everynpm install
, NPM tries to downloadsnappy
, but there's no binary for Windows. Because of that, it tries to compile it locally with the Visual Studio toolchain. I don't think it's the right thing to force everyone to install Visual Studio for a peer dependency most of the world (i.e. outside China) won't use at all.Some evidence that
@serverless/platform-client-china
has part of the guilt. This was taken from a project with nothing but adevDependency
on[email protected]
:Recent CVE's on transitive dependencies
It seems that
@serverless/platform-client-china
brings a lot of heavy dependencies to the table, that most of the other projects in the Serverless organization do not depend on. I have no idea why you'd need any of them (kafka
,socket.io
, etc), and frankly, I don't really care, because I'm not in China, neither do I operate any business in China.Also, being affected by CVE on a transitive dependency of
@serverless/components
affects all of its users, including the users of the biggest consumer of the library, which is the Serverless CLI (IMHO). And the library's dependency tree is already plenty deep. Wouldn't it be better to reduce the scope, at least in this case?The most recent CVE was opened some hours ago, following a previous security report/issue of some weeks prior. Granted, this does not concern any Serverless project directly, but I just wanted to point out that the target surface for bugs and attacks is greatly broadened by such a long dependency list. Those not dependent on making any interactions to a Chinese region may be able to mitigate risks by simply not installing any Chinese region support.
Follows some evidence to show that
@serverless/components
is part of the path to the library affected by the CVE's I linked earlier:I apologize if what I'm asking is not feasible at all. But if it's possible to transform
@serverless/platform-client-china
dependency into apeerDependency
, I kindly ask for you (the maintainers) to do so.In any case, thank you very much for making Serverless! It's an amazing tool, and I use it everyday! (Also, please do tell if I can give any help on this specific issue)
The text was updated successfully, but these errors were encountered: