feat: remove the axios runtime dependency#366
Merged
Conversation
Analyzes the two call sites that import axios today (src/lambda/auth.ts and src/tests/integ-test-util.ts), proposes a two-phase replacement with native fetch, and lays out the API and breaking-change implications for IntegTestUtil consumers. https://claude.ai/code/session_01LbWtFPLw9GBJxkZfPis5Lo
Replace axios with the platform-native fetch API across the library:
- src/lambda/auth.ts: JWKS and well-known issuer lookups now use fetch
with a 5s AbortSignal timeout. Errors surface as Error instead of
AxiosError; visible authorizer behavior is unchanged.
- src/tests/integ-test-util.ts: getClient() and getAuthenticatedClient()
now return a small HttpClient backed by fetch (BREAKING). The new
client exposes get/post/put/patch/delete; response shape changes from
axios's { data, status } to { body, status, ok, headers, json() }.
- src/tests/http-client.ts: new minimal HttpClient with baseURL and
default-header support.
- package.json / .projenrc.ts: drop axios from runtime dependencies.
Motivation is supply-chain security: axios has had repeated security
advisories and removing it permanently is cheaper than chasing CVE
upgrades. Lambda already runs Node 22 (Runtime.NODEJS_LATEST), so
fetch is available natively.
Migration notes for IntegTestUtil consumers are documented in README.
https://claude.ai/code/session_01LbWtFPLw9GBJxkZfPis5Lo
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary
Spec document analyzing whether the axios runtime dependency can be removed from cdk-serverless.

TL;DR: Yes. axios is used in exactly two files (src/lambda/auth.ts and src/tests/integ-test-util.ts) and can be replaced with the platform-native fetch API. Lambda already runs on NODEJS_LATEST (Node 22), so the runtime requirement is met without any minimum-version bump.

The spec lays out:
- Phase 1 (auth.ts): pure internal refactor, non-breaking, removes axios from every Lambda bundle that pulls in cdk-serverless/lambda.
- Phase 2 (IntegTestUtil): touches the public API (getClient/getAuthenticatedClient return an Axios instance today). Two options presented:
  - Option A: fetch-based HttpClient. Cleaner end state, breaking change for test consumers.
  - Option B: keep axios in IntegTestUtil but move it to peerDependencies so it stops being pulled into Lambda consumers transitively.
- Migration notes (.data -> .json(), etc.).
- Alternatives considered (node-fetch, undici directly, vendored wrapper).
- Timeouts (AbortSignal.timeout).

Recommendation in the spec is Option A in a feat!: major bump, with Phase 1 landed first as a non-breaking step.

Review request
Please review the spec at specs/remove-axios-dependency.md. Particularly interested in:
- IntegTestUtil: willing to take the breaking change, or keep axios as a peer dep there?
- AbortSignal.timeout(5000) on the JWKS/well-known fetches as part of Phase 1, or keep behavior parity and file separately?
- Gotchas with fetch in the AWS Lambda Node runtime that I haven't accounted for?

Once approved, I'll implement the chosen approach in a follow-up PR.
https://claude.ai/code/session_01LbWtFPLw9GBJxkZfPis5Lo
Generated by Claude Code
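The fetch-backed client described in the commit message above (get/post/put/patch/delete, a { body, status, ok, headers, json() } response, a 5 s AbortSignal timeout) and the Option A HttpClient from the spec summary, as an added TypeScript example. This is not the project's src/tests/http-client.ts or src/lambda/auth.ts; the FetchLike injection point, the resolve/mergeHeaders helpers, getJsonOrThrow and the stub used to exercise it are assumptions made here so the example runs offline.

```typescript
// Added example, not the project's own code. A minimal fetch-backed HttpClient
// with baseURL, default headers and an AbortSignal timeout. fetchImpl is an
// assumed injection point so tests can substitute a stub for the network.

export interface FetchResponseLike {
  status: number;
  ok: boolean;
  headers: { forEach(cb: (value: string, key: string) => void): void };
  text(): Promise<string>;
}

export interface FetchInit {
  method: string;
  headers: Record<string, string>;
  body?: string;
  signal: AbortSignal;
}

export type FetchLike = (url: string, init: FetchInit) => Promise<FetchResponseLike>;

export interface HttpResponse {
  status: number;
  ok: boolean;
  headers: Record<string, string>;
  body: string;
  json<T = unknown>(): T;
}

export interface HttpClientOptions {
  baseURL: string;
  defaultHeaders?: Record<string, string>;
  timeoutMs?: number;    // per-request deadline; 5000 mirrors the auth.ts change
  fetchImpl?: FetchLike; // defaults to the platform fetch (Node 18+)
}

export class HttpClient {
  private readonly baseURL: string;
  private readonly defaultHeaders: Record<string, string>;
  private readonly timeoutMs: number;
  private readonly fetchImpl: FetchLike;

  constructor(opts: HttpClientOptions) {
    this.baseURL = opts.baseURL.replace(/\/+$/, '');
    this.defaultHeaders = { ...(opts.defaultHeaders ?? {}) };
    this.timeoutMs = opts.timeoutMs ?? 5000;
    this.fetchImpl = opts.fetchImpl ?? ((url, init) => fetch(url, init));
  }

  // Pure helpers, exposed so URL joining and header merging can be checked without I/O.
  resolve(path: string): string {
    return `${this.baseURL}/${path.replace(/^\/+/, '')}`;
  }

  mergeHeaders(extra?: Record<string, string>, hasBody = false): Record<string, string> {
    const merged: Record<string, string> = {};
    for (const [k, v] of Object.entries({ ...this.defaultHeaders, ...(extra ?? {}) })) {
      merged[k.toLowerCase()] = v; // header names are case-insensitive; last writer wins
    }
    if (hasBody && !('content-type' in merged)) merged['content-type'] = 'application/json';
    return merged;
  }

  get(path: string, headers?: Record<string, string>) { return this.request('GET', path, undefined, headers); }
  delete(path: string, headers?: Record<string, string>) { return this.request('DELETE', path, undefined, headers); }
  post(path: string, body?: unknown, headers?: Record<string, string>) { return this.request('POST', path, body, headers); }
  put(path: string, body?: unknown, headers?: Record<string, string>) { return this.request('PUT', path, body, headers); }
  patch(path: string, body?: unknown, headers?: Record<string, string>) { return this.request('PATCH', path, body, headers); }

  async request(method: string, path: string, body?: unknown, headers?: Record<string, string>): Promise<HttpResponse> {
    const payload = body === undefined ? undefined : typeof body === 'string' ? body : JSON.stringify(body);
    const res = await this.fetchImpl(this.resolve(path), {
      method,
      headers: this.mergeHeaders(headers, payload !== undefined),
      body: payload,
      // fetch has no built-in timeout (unlike axios's `timeout` option); the signal
      // aborts the request and rejects with an Error whose name is 'TimeoutError'.
      signal: AbortSignal.timeout(this.timeoutMs),
    });
    const text = await res.text();
    const responseHeaders: Record<string, string> = {};
    res.headers.forEach((value, key) => { responseHeaders[key.toLowerCase()] = value; });
    // Like fetch and unlike axios, a 4xx/5xx status does NOT reject; callers must check `ok`.
    return { status: res.status, ok: res.ok, headers: responseHeaders, body: text, json: <T>() => JSON.parse(text) as T };
  }
}

// JWKS / well-known style use: turn transport failures and non-2xx alike into a plain Error.
export async function getJsonOrThrow<T>(client: HttpClient, path: string): Promise<T> {
  const res = await client.get(path);
  if (!res.ok) throw new Error(`GET ${client.resolve(path)} failed with HTTP ${res.status}`);
  return res.json<T>();
}
```

Two things a consumer migrating from axios should check: axios rejects on any non-2xx status, while fetch (and this client) resolves and leaves the decision to the caller via ok, so a JWKS or well-known lookup needs an explicit ok check like the one in getJsonOrThrow; and AbortSignal.timeout rejects with an Error named TimeoutError rather than an AxiosError, so error handling keyed on the error class needs adjusting. Both fetch and AbortSignal.timeout are available natively on Node 18 and later, which the Lambda Node 22 runtime satisfies.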