fix(amplify-category-function): pin jstreemap to 1.28.2 (self is not …#14922
Open
adrianjoshua-strutt wants to merge 1 commit into
Simone319 previously approved these changes Jun 22, 2026
sarayev previously approved these changes Jun 22, 2026
sarayev added a commit that referenced this pull request Jun 24, 2026
jstreemap releases 1.29.1-1.29.3 shipped a broken UMD bundle that threw "ReferenceError: self is not defined" on Node, crashing amplify-category-function during `amplify init` and causing SEV-2s. PR #14922 mitigated this by pinning jstreemap to 1.28.2, but the risk vector remained. The package only used jstreemap's TreeSet, and solely for membership checks and a single max-value lookup. These are trivially served by the native Set: all `new TreeSet()` instances become `new Set<number>()`, the `TreeSet<number>` type annotations become `Set<number>`, and the one `daysOfMonth.last()` call becomes `Math.max(...this.daysOfMonth)`. Removing the dependency entirely permanently eliminates the broken-bundle risk. Removed the `jstreemap` entry from the package manifest and regenerated yarn.lock to drop all jstreemap entries. Testing: tsc clean, cron expression tests 7/7 passing, and zero remaining jstreemap/TreeSet references across the package. --- Prompt: Can we get rid of jstreemap in our repo (amplify-cli) completely? Implement that! Prepare a PR for it.
jstreemap 1.29.1/1.29.2/1.29.3 (published 2026-06-19) ships a broken UMD bundle that references bare `self` — undefined in Node.js — causing a ReferenceError at require('jstreemap') time. This crashes amplify-category-function during `amplify init` on every Node version (18 and 22 confirmed).
Root cause: jstreemap changed their UMD guard from the safe pattern `typeof self !== 'undefined' ? self : this` to bare `self`, which is only defined in browser/ServiceWorker contexts.
Impact: Every `amplify init` that loads the function category throws `ReferenceError: self is not defined`, making the Gen1 CLI completely unusable for function workflows.
Canary SEV-2s: P457496122 / P457522624 / P457523805
Timeline: jstreemap 1.29.1 published 15:44 UTC June 19; canaries red by 16:00 UTC.
Fix:
The upstream jstreemap package should guard `self` with typeof before accessing it; a separate upstream issue should be filed.
Description of changes
Issue #, if available
Description of how you validated changes
Checklist
`yarn test` passes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.