inflight:This module is not supported, and leaks memory

[sholtomaud]

Describe the bug

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.174.0 (build 9604329)

Expected Behavior

no deprecations or leaks memory

Current Behavior

deprecations & leaks memory

Reproduction Steps

cdk init app --language=typescript

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

CDK 2.174.0 (build 9604329)

Framework Version

No response

Node.js Version

Node v22.12.0

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response

[ashishdhingra]

@sholtomaud Good afternoon. Thanks for reporting the issue. Have you tried using latest version of CDK (currently 2.174.1) and corresponding packages in package.json? Using this version of packages and running npm install doesn't give any vulnerability warning.

• Installed latest version of CDK CLI using command sudo npm install -g aws-cdk.
• Output of cdk --version is 2.174.1 (build f353fc7).
• Updated CDK package versions in package.json to 2.174.1 (both in devDependencies and dependencies. Ran npm install:

  changed 16 packages, and audited 442 packages in 8s
  
  64 packages are looking for funding
    run `npm fund` for details
  
  found 0 vulnerabilities
  

Below is package.json on my end for reference:

{
  "name": "cdktest",
  "version": "0.1.0",
  "bin": {
    "cdktest": "bin/cdktest.js"
  },
  "scripts": {
    "build": "tsc",
    "watch": "tsc -w",
    "test": "jest",
    "cdk": "cdk",
    "integ-test": "integ-runner"
  },
  "devDependencies": {
    "@eslint/js": "^9.14.0",
    "@types/jest": "^29.5.12",
    "@types/node": "20.14.9",
    "aws-cdk": "2.174.1",
    "eslint": "^9.14.0",
    "globals": "^15.12.0",
    "jest": "^29.7.0",
    "ts-jest": "^29.1.5",
    "ts-node": "^10.9.2",
    "typescript": "~5.5.3",
    "typescript-eslint": "^8.13.0"
  },
  "dependencies": {
    "@aws-cdk/aws-amplify-alpha": "2.174.1-alpha.0",
    "@aws-cdk/aws-redshift-alpha": "2.174.1-alpha.0",
    "@aws-cdk/aws-scheduler-alpha": "2.174.1-alpha.0",
    "@aws-cdk/aws-scheduler-targets-alpha": "2.174.1-alpha.0",
    "@aws-cdk/aws-glue-alpha": "2.174.1-alpha.0",
    "@aws-cdk/integ-runner": "^2.174.1-alpha.0",
    "@aws-cdk/aws-lambda-go-alpha": "2.174.1-alpha.0",
    "@aws-cdk/aws-lambda-python-alpha": "2.174.1-alpha.0",
    "@aws-cdk/integ-tests-alpha": "^2.174.1-alpha.0",
    "@aws-cdk/lambda-layer-kubectl-v24": "2.0.242",
    "aws-cdk-lib": "2.174.1",
    "@aws-cdk/cloud-assembly-schema": "39.1.38",
    "constructs": "^10.0.0",
    "source-map-support": "^0.5.21"
  }
}

Thanks,
Ashish

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[sholtomaud]

@ashishdhingra yes, I have.

[ashishdhingra]

@ashishdhingra yes, I have.

@sholtomaud Could you please share your package.json?

Thanks,
Ashish

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[sholtomaud]

No it is the standard package.json that you provide as a part of the npx cdk init

[ashishdhingra]

No it is the standard package.json that you provide as a part of the npx cdk init

@sholtomaud Good afternoon. It might be the case that the project generated by cdk init is referencing the old version of aws-cdk and aws-cdk-lib (and some other experimental CDK packages). Please use the following steps if this is the case:

• Upgrade your CDK CLI version to latest one using command sudo npm install -g aws-cdk.
• Use command cdk --version to find the CDK version (e.g. 2.176.0 (build 899965d)).
• Update CDK package(s) version in package.json to the latest version (e.g. 2.176.0).
• Run npm install to re-install all the packages in package.json.

Thanks,
Ashish

[sholtomaud]

Generally i do npx cdk init. Are you saying that npx will install outdated versions?

[ashishdhingra]

Generally i do npx cdk init. Are you saying that npx will install outdated versions?

@sholtomaud I didn't test using npx. But upgrading to latest CDK version in package.json and re-installing NPM packages should get rid of vulnerability warnings. Feel free to share your package.json for analysis.

[sholtomaud]

run npx cdk init. that's the recommended approach.

[ashishdhingra]

Issue reproducible when using npx cdk init app --language=typescript:

Applying project template app for typescript
# Welcome to your CDK TypeScript project

This is a blank project for CDK development with TypeScript.

The `cdk.json` file tells the CDK Toolkit how to execute your app.

## Useful commands

* `npm run build`   compile typescript to js
* `npm run watch`   watch for changes and compile
* `npm run test`    perform the jest unit tests
* `npx cdk deploy`  deploy this stack to your default AWS account/region
* `npx cdk diff`    compare deployed stack with current state
* `npx cdk synth`   emits the synthesized CloudFormation template

Initializing a new git repository...
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Executing npm install...
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
✅ All done!

inflight dependency is introduced by jest. Below is the output of npm ls inflight:

cdknpxtest@0.1.0 /Users/ashdhin/dev/repros/cdk/cdknpxtest
└─┬ jest@29.7.0
  └─┬ @jest/core@29.7.0
    └─┬ @jest/reporters@29.7.0
      └─┬ glob@7.2.3
        └── inflight@1.0.6

glob has the below dependency tree based on output of npm ls glob:

cdknpxtest@0.1.0 /Users/ashdhin/dev/repros/cdk/cdknpxtest
├─┬ jest@29.7.0
│ └─┬ @jest/core@29.7.0
│   ├─┬ @jest/reporters@29.7.0
│   │ └── glob@7.2.3
│   ├─┬ jest-config@29.7.0
│   │ └── glob@7.2.3 deduped
│   └─┬ jest-runtime@29.7.0
│     └── glob@7.2.3 deduped
└─┬ ts-jest@29.2.5
  └─┬ @jest/transform@29.7.0
    └─┬ babel-plugin-istanbul@6.1.1
      └─┬ test-exclude@6.0.0
        └── glob@7.2.3 deduped

glob 7.2.3 is deprecated and it depends on inflight. inflight package itself has been deprecated.

While glob has non-deprecated versions starting from 9.0.0, jest, as of now, is yet to release stable version later than 29.7.0 which doesn't indirectly depends on inflight package.

[sholtomaud]

"share your package.json"