Checkboxes for prior research
Describe the bug
As of now, I haven’t found an actively maintained repository or version of @amazon-dax-sdk/lib-dax that fully supports the current dependency ecosystem.
This package has a transitive dependency on uuid, which has been upgraded to v14.x. Starting from v12, uuid is ESM-only and no longer supports CommonJS. However, @amazon-dax-sdk/lib-dax still relies on require("uuid"), which creates a runtime incompatibility in environments that execute code as CommonJS.
Attempts to resolve this via dependency overrides are not viable:
Forcing a newer uuid version (v12+) results in runtime failures due to ESM/CommonJS mismatch.
Downgrading uuid to a CommonJS-compatible version (v11 or below) is blocked by security policies, as those versions are flagged as vulnerable dependencies.
As a result, we are currently in a dependency deadlock:
The DAX SDK requires CommonJS-compatible uuid
The only supported uuid versions are ESM-only
This leads to build and runtime failures, particularly in Lambda environments where the dependency tree is resolved from the deployed layer.
Regression Issue
SDK version number
@amazon-dax-sdk/lib-dax
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v22.0.0
Reproduction Steps
- install
@amazon-dax-sdk/lib-dax
- run
npm audit
Observed Behavior
@amazon-dax-sdk/lib-dax depends on vulnerable version of uuid
Expected Behavior
- correctly use the
uuid package to generate unique identifiers, if not rely on crypto
Possible Solution
No response
Additional Information/Context
No response
Checkboxes for prior research
Describe the bug
As of now, I haven’t found an actively maintained repository or version of
@amazon-dax-sdk/lib-daxthat fully supports the current dependency ecosystem.This package has a transitive dependency on
uuid, which has been upgraded tov14.x.Starting fromv12,uuidis ESM-only and no longer supports CommonJS. However,@amazon-dax-sdk/lib-daxstill relies onrequire("uuid"), which creates a runtime incompatibility in environments that execute code as CommonJS.Attempts to resolve this via dependency overrides are not viable:
Forcing a newer
uuidversion (v12+) results in runtime failures due to ESM/CommonJS mismatch.Downgrading
uuidto a CommonJS-compatible version (v11 or below) is blocked by security policies, as those versions are flagged as vulnerable dependencies.As a result, we are currently in a dependency deadlock:
The DAX SDK requires CommonJS-compatible
uuidThe only supported
uuidversions are ESM-onlyThis leads to build and runtime failures, particularly in Lambda environments where the dependency tree is resolved from the deployed layer.
Regression Issue
SDK version number
@amazon-dax-sdk/lib-dax
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v22.0.0
Reproduction Steps
@amazon-dax-sdk/lib-daxnpm auditObserved Behavior
@amazon-dax-sdk/lib-daxdepends on vulnerable version ofuuidExpected Behavior
uuidpackage to generate unique identifiers, if not rely oncryptoPossible Solution
No response
Additional Information/Context
No response