fix: silence DEP0169 url.parse deprecation from bundled aws-sdk v2#6
Merged
kurok merged 1 commit intofeat/al2023-supportfrom Apr 20, 2026
Merged
Conversation
The bundled aws-sdk v2 (^2.809.0 resolved to 2.814.0) uses url.parse()
internally for endpoint URL parsing. On node24 that triggers DEP0169
on every action invocation, surfacing as a warning on every consumer's
CI page:
(node:PID) [DEP0169] DeprecationWarning: `url.parse()` behavior
is not standardized and prone to errors that have security
implications. Use the WHATWG URL API instead.
Three call sites verified in the bundled dist/: AWS.CloudFront's
getRtmpUrl, AWS.CloudFront.Signer.getSignedUrl, and AWS.util.urlParse.
Only the last runs at runtime (every EC2 API call parses its
endpoint). Upgrading aws-sdk to latest v2.1693 does not fix this —
the v2 SDK is in maintenance mode.
Migrating to aws-sdk v3 would rewrite src/aws.js entirely, far
beyond the scope of silencing a benign deprecation for trusted
EC2 endpoint URLs we control.
Instead, wrap process.emitWarning once at the top of src/index.js
and drop only the DEP0169 code. Every other warning — including
future new deprecations, user-installed 'warning' listeners, and
Node's default stderr formatter — is preserved by delegating to
the original emitWarning. Handles both call shapes:
process.emitWarning(msg, type, code, ctor) // positional
process.emitWarning(msg, { code, type }) // options object
Smoke-tested locally with three call patterns:
- DEP0169 (filtered, silent)
- DEP0123 options form (passed through, Node's default format)
- Plain 2-arg Warning (passed through)
Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
kurok
added a commit
that referenced
this pull request
Apr 21, 2026
* feat: migrate aws-sdk v2 to @aws-sdk/client-ec2 v3 (Phase 1) Completes Phase 1 (issue #7) of the modernization plan. ## Dependency changes - Remove 'aws-sdk' ^2.809.0 (in maintenance mode since late 2024; end-of-support announced for Nov 2025; emits DEP0169 on url.parse() in modern Node). - Add '@aws-sdk/client-ec2' 3.1033.0 pinned exact. Per-service package is dramatically smaller than v2's monolithic bundle. - Bump '@vercel/ncc' 0.25.1 -> 0.38.4. The old ncc couldn't parse modern JS (private class fields in v3's transitive deps); 0.38 is webpack-5-based and handles current syntax. ## Code changes (src/aws.js) Rewrite on the EC2Client + Command pattern: - EC2Client({}) replaces 'new AWS.EC2()'. Reads region + creds from env (same behavior, same source — configure-aws-credentials or instance profile). - client.send(new DescribeImagesCommand(params)) replaces ec2.describeImages(params).promise(). - client.send(new RunInstancesCommand(params)) replaces ec2.runInstances(params).promise(). - client.send(new TerminateInstancesCommand(params)) replaces ec2.terminateInstances(params).promise(). - client.send(new AssociateAddressCommand(params)) replaces ec2.associateAddress(params).promise(). - waitUntilInstanceRunning({client, maxWaitTime: 300}, {InstanceIds}) replaces ec2.waitFor('instanceRunning', ...).promise(). External action contract (inputs + outputs) is unchanged. Consumer workflows (notably terraform-provider-namecheap) do not need any change beyond rotating their SHA pin. ## Bundle + CI - 'npm run package' no longer needs NODE_OPTIONS=--openssl-legacy-provider (ncc 0.38 + webpack 5 don't use the legacy module-hash MD4 path). - dist/ now contains code-split chunk files (136.index.js, 360.index.js, etc.) alongside dist/index.js. All must be committed; the verify-dist CI check in pr.yml is broadened to diff the whole dist/ tree. - Bundle size: 7.9 MB -> 3.4 MB main (+ ~3.3 MB in chunks). Net smaller than v2. ## Backward compatibility The DEP0169 process.emitWarning filter added in #6 stays in place. The v3 bundle doesn't emit DEP0169, so the filter is effectively inert on the current tip — cleanup is a follow-up, not part of this PR's scope. ## Verification - npm test: 21 tests pass across tests/utils.test.js + tests/config.test.js (no aws.js tests yet; those land as Phase 8.b after Phase 4/5 stop rewriting aws.js). - npm run lint: clean. - Bundle builds cleanly on Node 20 without OpenSSL legacy provider. Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com> * chore: add .gitattributes to normalize line endings in dist/ ncc 0.38's output contains 451 source-embedded CR bytes inside string literals (aws-sdk transitive deps). When dist/ is committed through git's default line-ending normalization, those CRs are stripped into the blob, but every subsequent 'npm run package' reproduces them — creating a permanent, symmetric 451/451 diff that the verify-dist CI gate correctly flagged as drift. Mark the whole dist/ tree as binary via .gitattributes so git never converts line endings in that path. What ncc writes is what git stores; CI's rebuild produces byte-identical output. Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com> --------- Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Filter only
DEP0169(url.parse()deprecation) atprocess.emitWarning. 15-line change insrc/index.js, equivalent 15-line diff in rebuiltdist/index.js. No dependency updates.What surfaces the warning
The bundled
aws-sdkv2 (^2.809.0→ resolves to 2.814.0) callsurl.parse()in three places in its distributed bundle. OnlyAWS.util.urlParseruns at runtime — it's called on every EC2 API invocation to parse service endpoints. Node 24 emits the deprecation on each call:Screenshot trail: the warning appeared on the very run that verified #4 / #5 landed and silenced the earlier
::set-outputandnode20deprecations. One warning dies, the next surfaces.Why not bump aws-sdk or migrate to v3
2.1693.0) was tested — same threeurl.parse()sites still present. SDK v2 is in maintenance mode (end-of-support Nov 2025 per AWS), so this warning will not be fixed upstream.@aws-sdk/client-ec2+new EC2Client({...})+send(new RunInstancesCommand({...}))). Migratingsrc/aws.jsis a project unto itself, far beyond the scope of silencing a benign deprecation for fully-trusted EC2 endpoint URLs we construct ourselves.Why the
process.emitWarningoverrideA
process.on('warning', ...)listener would be additive — Node's default stderr formatter is not a removable listener but a built-in path triggered fromprocess.emit('warning', ...)regardless. To actually suppress the emission, we have to intercept at the source.The override:
codefrom both supported call shapes: positional(msg, type, code, ctor)and options-object(msg, { code, type }).'DEP0169'.process.emitWarning, which means user listeners, Node's default formatter,--trace-deprecation,--throw-deprecation, and any other machinery all continue to work for every other warning code.Verification
Local smoke test (three call shapes):
verify-distCI job (added in #3) confirms the rebuild is reproducible:NODE_OPTIONS=--openssl-legacy-provider npm run packageproduces exactly the committeddist/index.js.Consumer follow-up
Per the pattern established in #4 and #5,
namecheap/terraform-provider-namecheapwill rotate its SHA pin to the newfeat/al2023-supporttip after this merges. Two-line diff in itsci.yml.