Default value for 'exclude' should include '@aws-sdk/*' as AWS SDK v3 becomes widely used

[fredrik]

The current default value for exclude is ['aws-sdk']. This makes sense since the aws-sdk package is included in the AWS Lambda runtime since at least nodejs16.x (and perhaps it makes sense for other reasons too). Since nodejs18.x, however, v3 of the AWS SDK is included by default.

Since moving to the Node 18 runtime on Lambda, our team has added the following to all our serverless projects:

    exclude:
      - '@aws-sdk/*' # The AWS SDK is available in the nodejs18.x runtime.

I think it would make sense to add '@aws-sdk/*' to the default exclude pattern.

[floydspace]

Hi @fredrik

@theburningmonk some day wrote these arguments against using the built-in AWS SDK:

1. The built-in AWS SDK is often out-dated and missing security patches and bug fixes.
2. It invalidates integration tests since the runtime uses a different version of the AWS SDK to what was tested.
3. AWS can update the built-in AWS SDK without notice

See the article

+

SDK v3, the modular packages reduce the bundle size of your application by ~75%, so the bundle size would not be as big issue as it was for SDK v2 anymore

See the blog post

=

So I would vote for against excluding the SDK from bundle, but always bundle the version you expect to use in your lambda.

[fredrik]

Those arguments are fair enough.

We are currently happy to pin our AWS SDK dependencies to 3.188.0 and so the two first points from the monk are not immediately applicable for us, but the third one ("AWS can update the built-in AWS SDK without notice") will almost definitely be an issue at some point with our current strategy.

I'm good to close this but will wait for a moment to give time for anyone else chime in with their opinions.

[fredrik]

I had a conversation with The Monk and his take was that the points quoted above are still valid although rarely a problem in reality. For a library it makes sense to bundle an exact version, so the default should not be to exclude.

Let's close this.

Another thing though: where does this leave us in regards to the current default of excluding aws-sdk? It can't really be changed I'm guessing, but perhaps it's not the right default after all. 😄

[benheymink]

I'm a bit late to the party here, but this change in behavior caught me by surprise when recently updating our project to AWS-SDK V3. I'd much rather the default behavior of serverless-esbuild remained as-is (i.e exclude aws-sdk/*). If nothing else, it removes a potential source of confusion when initially looking at the README for this project - the current text almost implies to newcomers to the ecosystem that the AWS-SDK is going to be exluded by default, without specifying the version.

So in summary, my vote would be for:

• Keep current behavior as-is for both V2 and V3
• Update README.md to highlight reasons why you might not want to exclude the SDK.