Tarball'd project @serverlessinc/framework-alpha continues to install unpinned transitive dependencies

[ethanherbertson]

Issue description

Despite the recent 4.33.1 release of the framework having a fix for #13450, it looks to me like the tarball package installed at runtime by the Framework's Go code, specifically https://install.serverless.com/archives/serverless-4.33.1.tgz, still does not use a lockfile when it gets installed. Its direct dependencies are pinned, but transitive dependencies will get installed according to upstream semver, which means that those transitive dependencies cannot be vetted by the Serverless team.

One notable example of this is Axios, which will be installed as a subdependency of the AWS SDK.

Here's the 4.33.1 version's package.json file:

{
  "name": "@serverlessinc/framework-alpha",
  "version": "4.33.1",
  "description": "",
  "main": "index.js",
  "type": "module",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "bin": {
    "serverless": "./dist/sf-core.js",
    "sls": "./dist/sf-core.js"
  },
  "dependencies": {
    "@aws-sdk/client-cloudfront-keyvaluestore": "3.1015.0",
    "@aws-sdk/signature-v4-crt": "3.1015.0",
    "@aws-sdk/signature-v4a": "3.1009.0",
    "ajv": "8.18.0",
    "ajv-formats": "3.0.1",
    "esbuild": "0.27.4"
  }
}

If a freshly compromised version of axios was published right now as a minor version of their v1, then it would get installed on a machine running Serverless (that happened to be due for an update) because of the transitive dependency on aws-crt, which currently specifies axios at semver ^1.12.2. When running npm install --package-lock-only on that package.json file, the resulting lockfile shows, in part:

    "node_modules/aws-crt": {
      "version": "1.30.0",
      "resolved": "https://registry.npmjs.org/aws-crt/-/aws-crt-1.30.0.tgz",
      "integrity": "sha512-PSbNf2HdLT5orB91SaAR9cARBRTaYznPJIVWDeNlsr//xlcdqYywPAOJQ6L5nBwZnTDArvk7awt6RpL4SIqWsQ==",
      "hasInstallScript": true,
      "license": "Apache-2.0",
      "dependencies": {
        "@aws-sdk/util-utf8-browser": "^3.259.0",
        "@httptoolkit/websocket-stream": "^6.0.1",
        "axios": "^1.12.2",
        "buffer": "^6.0.3",
        "crypto-js": "^4.2.0",
        "mqtt": "^4.3.8",
        "process": "^0.11.10"
      }
    },
    "node_modules/axios": {
      "version": "1.14.0",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.0.tgz",
      "integrity": "sha512-3Y8yrqLSwjuzpXuZ0oIYZ/XGgLwUIBU3uLvbcpb0pidD9ctpShJd43KSlEEkVQg6DS0G9NKyzOvBfUtDKEyHvQ==",
      "license": "MIT",
      "dependencies": {
        "follow-redirects": "^1.15.11",
        "form-data": "^4.0.5",
        "proxy-from-env": "^2.1.0"
      }
    },

Context

N/A

[eahefnawy]

Thanks for reporting @ethanherbertson. We just released v4.33.2 to address this as well.

[ethanherbertson]

Yeah I agree with @czubocha 's fix, the single override for axios in 4.33.2 is misguided IMO. When can we expect to see f0370db rolled-out?

[czubocha]

We're targeting a release for later today

[ethanherbertson]

Thanks for this quick turn-around!

Not to nit-pick, but while I do see that the tarball has an eight-day old version of the direct AWS SDK modules it needs, it looks like some of the transitive dependencies are strictly speaking still younger than 3 days? Not sure how that would happen, based on your dependabot configs, though. (Though I'll admit I'm not a d-bot expert.)

    "node_modules/@aws-sdk/crt-loader": {
      "version": "3.972.28",
      "resolved": "https://registry.npmjs.org/@aws-sdk/crt-loader/-/crt-loader-3.972.28.tgz",
      "integrity": "sha512-9kUljr6w63yjnvNPqy1YJs5v2h7sIiFHFBY5iv1vIA102VxRZmI8MjD1F102ZnCEpDO1oxqulsiJpMAbs46MZg==",
      "license": "Apache-2.0",
      "dependencies": {
        "@aws-sdk/util-user-agent-node": "^3.973.14",
        "aws-crt": "^1.24.0",
        "tslib": "^2.6.2"
      },
      "engines": {
        "node": ">=20.0.0"
      }
    },

Might just be date-math edge handling/off-by-one, or something?

[czubocha]

Great eye!

We do have min-release-age=3 in the repo root .npmrc to prevent exactly this (aligned with our Dependabot 3-day cooldown policy), but it turns out npm only reads the project .npmrc from the nearest directory with a package.json. Since packages/framework-dist/ has its own package.json, npm treats that as the project root and never walks up to find the repo-level .npmrc. So the age restriction silently wasn't applied during shrinkwrap generation.

The fix is in #13476 - we've added min-release-age=3 directly to packages/framework-dist/.npmrc and packages/sf-core-installer/.npmrc so future shrinkwrap generations and Dependabot updates will respect the 3-day cooldown for transitive dependencies as well.

The good news is that the current shrinkwrap is still doing its job - 3.972.28 is locked and every install gets that exact version, so there's no drift. The fix just ensures that next time the shrinkwrap is regenerated, newly published transitive packages get the same cooling-off period as direct dependencies.

Thanks for digging into this!