Add package.json #2

Closed
marcelobern opened this issue Dec 19, 2018 · 10 comments

@marcelobern

I am updating an open PR for serverless to use git-lambda-layer instead of lambda-git.

Having a package.json is required by npm when I add git-lambda-layer as a github dev-dependency.

Would it be too much trouble to add a package.json?

If you prefer I can do it in a PR so you just have to merge it ;-)

Thanks in advance!

@mhart
Member

mhart commented Dec 19, 2018

Is it just a package.json that's required, or does it need to be published to npm?

@marcelobern
Author

The package.json allows me to include it as a dependency straight from github (see below).

{
  "name": "aws-git-client-nodejs",
  "version": "1.0.0",
  "description": "CodeCommit example using git client",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "dependencies": {
    "async": "^2.6.1",
    "simple-git": "^1.95.0"
  },
  "devDependencies": {
    "git-lambda-layer": "lambci/git-lambda-layer",
    "serverless": "^1.35.0"
  },
  "author": "Marcelo Bernardes (https://github.com/marcelobern)",
  "license": "MIT"
}

Publishing on npm would allow users to specify which version they want to have as a dependency, so it is probably better.

As I thought about this, we probably will need a boilerplate index.js (something just with console.info() with a message to indicate this module should be run as a lambda layer).

@marcelobern
Author

@mhart Happy New Year!!!

Wanted to follow up and check if you want me to create a PR for this.

I am hoping to wrap up the serverless PR changes by this weekend as lambda-git is now deprecated in favor of this project.

@marcelobern
Author

Hi @mhart I figured you have been tied up elsewhere so I went ahead and:

I will be more than happy to transfer the npm package ownership if you can provide me an npm username for the new owner.

@mhart
Member

mhart commented Jan 6, 2019

Just thinking about this some more – why do you want this as a devDependency in your package.json? That feels like a bug – devDependencies are supposed to be Node.js modules, and this isn't one.

@mhart
Member

mhart commented Jan 6, 2019

Here's the documentation on layers in the serverless framework, and it doesn't mention anything about package.json or anything like that, you just use the layer ARN: https://serverless.com/framework/docs/providers/aws/guide/layers#using-your-layers

@marcelobern
Author

Thanks for taking the time to look this through.

You are correct. If one will use an existing layer (e.g. the arns provided as part of git-lambda-layer) no package.json is needed.

As far as I know, given a layer's arn one cannot inspect its code (e.g. for an audit). So if there are security/traceability concerns it might be necessary to deploy one's own git-lambda-layer (instead of using the arns provided in the git-lambda-layer README.md).

When using serverless to deploy the layer the zip bundle should be local so it can be uploaded as part of the serverless service.

That is where the devDependencies come up: so the git-lambda-layer zip bundle can be present locally to upload it alongside a serverless service.

Hopefully this clarifies the use case and need for package.json

Please let me know in case you have any further questions.

@mhart
Member

mhart commented Jan 6, 2019

You can absolutely inspect layers, eg:

$ aws lambda get-layer-version --layer-name 'arn:aws:lambda:us-east-1:800406105498:layer:nsolid-node-8' --version-number 3

(replace with the git-lambda-layer ARN or any other public layer)

That will give you a url in Content.Location where you can download the layer to inspect and audit.

The reason I'm pushing back on this is that I don't really want people to npm install this – it's not the correct way to use it – even with the serverless framework AFAICT – much easier just to use the ARNs.
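
Added example (not part of the thread or of the project's code): once the archive behind Content.Location has been downloaded, this Python code checks it against the CodeSha256 and CodeSize fields of the same get-layer-version response and lists the executables the layer would unpack under /opt. The sample zip and response are constructed so the block runs offline; `audit_layer` and `build_sample` are hypothetical names.

```python
import base64, hashlib, io, json, zipfile

def audit_layer(response_json, zip_bytes):
    """Compare a downloaded layer zip with get-layer-version output, then list it."""
    content = json.loads(response_json)["Content"]
    # CodeSha256 is the base64-encoded SHA-256 of the layer archive.
    digest = base64.b64encode(hashlib.sha256(zip_bytes).digest()).decode()
    report = {
        "sha256_matches": digest == content["CodeSha256"],
        "size_matches": len(zip_bytes) == content["CodeSize"],
        "executables": [],
        "unsafe_paths": [],
    }
    if not (report["sha256_matches"] and report["size_matches"]):
        return report  # not the archive Lambda described; do not inspect further
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = (info.external_attr >> 16) & 0o7777  # Unix permission bits
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                report["unsafe_paths"].append(info.filename)
            if mode & 0o111 and not info.is_dir():
                report["executables"].append(info.filename)
    return report

def build_sample():
    """Constructed stand-in for a layer zip and its get-layer-version response."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, data in [("bin/git", 0o755, b"\x7fELF-sample"),
                                 ("share/README", 0o644, b"sample text")]:
            info = zipfile.ZipInfo(name)
            info.external_attr = mode << 16
            zf.writestr(info, data)
    zip_bytes = buf.getvalue()
    response = json.dumps({"Content": {
        "Location": "https://example.invalid/layer.zip",  # placeholder URL
        "CodeSha256": base64.b64encode(hashlib.sha256(zip_bytes).digest()).decode(),
        "CodeSize": len(zip_bytes),
    }})
    return response, zip_bytes

if __name__ == "__main__":
    resp, data = build_sample()
    print(audit_layer(resp, data))
    print(audit_layer(resp, data + b"\x00"))  # altered download fails both checks
```

A matching hash only shows that the download is the archive Lambda reports for that layer version; the file listing is the starting point for the actual review.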

@marcelobern
Author

Good, I am fine with that.

Thanks for pointing out how to get the layer code.

@mhart
Member

mhart commented Jan 6, 2019

No probs, thanks for understanding 👍
