Bump aws-sdk from 2.250.1 to 2.1693.0 #2
Conversation
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.250.1 to 2.1693.0. - [Release notes](https://github.com/aws/aws-sdk-js/releases) - [Commits](aws/aws-sdk-js@v2.250.1...v2.1693.0) --- updated-dependencies: - dependency-name: aws-sdk dependency-version: 2.1693.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This is the final PR Bugbot will review for you during this billing cycle
Your free Bugbot reviews will reset on January 26
Details
Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
AWS SDK requires Node 10 but project uses Node 8
High Severity
The upgraded [email protected] requires Node.js >= 10.0.0 as specified in its engines field, but the project uses Meteor 1.6.1.3 which bundles Node.js 8.x, and the CircleCI configuration explicitly uses node:8.9. This version mismatch can cause runtime failures or unexpected behavior in the S3 file upload functionality, as aws-sdk may use Node 10+ specific APIs or features not available in Node 8.
🔬 Verification Test
Why verification test was not possible: The bug is a version compatibility issue between the aws-sdk package's engine requirement and the project's Node.js runtime. This cannot be tested directly without setting up the full Meteor 1.6.1.3 environment with Node 8.9 and observing runtime behavior. The issue is evident from comparing the documented requirements: [email protected] states "node": ">= 10.0.0" in its engines field (package-lock.json lines 1421-1423), while .circleci/config.yml line 9 shows circleci/node:8.9 and .meteor/release shows [email protected] (which bundles Node 8.x).
package-lock.json#L1420-L1423
Lines 1420 to 1423 in b86ae21
package.json#L126-L127
Lines 126 to 127 in b86ae21
lockfileVersion 3 incompatible with project's npm 5
Medium Severity
The lockfileVersion: 3 format is only compatible with npm 7+, but the project uses Meteor 1.6.x which bundles npm 5. When npm 5 encounters this lockfile format, it will not correctly parse it and will either ignore it or regenerate it in version 1 format. This causes dependency resolution to become non-deterministic, potentially resulting in different package versions being installed than specified, leading to unpredictable behavior and non-reproducible builds.
🔬 Verification Test
Why verification test was not possible: This compatibility issue is documented behavior based on npm versioning. lockfileVersion 3 was introduced in npm 7 and intentionally lacks backward compatibility with npm 5/6 (unlike lockfileVersion 2 which maintains compatibility). The issue is confirmed by: 1) the Meteor 1.6 announcement explicitly stating it bundles "npm 5", 2) the package-lock.json showing lockfileVersion: 3 at line 4, and 3) the absence of a top-level dependencies object (required for npm 5/6 compatibility) confirmed by grep search. Testing would require setting up an npm 5 environment and observing the lockfile being ignored or regenerated.
package-lock.json#L3-L4
Lines 3 to 4 in b86ae21
Bumps aws-sdk from 2.250.1 to 2.1693.0.
Release notes
Sourced from aws-sdk's releases.
... (truncated)
Commits
9d3c66eUpdates SDK to v2.1693.0c039567test(client-elastictranscoder): remove feature test (#4711)f5b1a6fdocs: end-of-support (#4706)657d6fechore: use ssh private key for git sync (#4705)c12585bchore: remove regression label management (#4699)966fa6cUpdates SDK to v2.1692.05d0e38aDelete EC2 launch configuration e2e tests (#4685)b9ce346chore: fix issue config (#4683)c066681Update issue template config and disable docs requests (#4682)163a7cfModified bug issue template to add checkbox to report potential regression. (...Maintainer changes
This version was pushed to npm by aws-sdk-bot, a new releaser for aws-sdk since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Updates dependency version only.
aws-sdkinpackage.jsonfrom^2.250.1to^2.1693.0Written by Cursor Bugbot for commit b86ae21. This will update automatically on new commits. Configure here.