chore: update dependencies to avoid vulnerabilities

.env.with-ssm

@@ -1 +0,0 @@
-PASSWORD=SSM:/test/hfd/rds/DB_USER

README.md

@@ -25,7 +25,7 @@ that get resolved at runtime.
 ## Installation
 
 ```bash
-npm install -g @0morten-olsen/with-ssm
+npm install -g @morten-olsen/with-ssm
 ```
 
 ## Quick Start
@@ -117,7 +117,7 @@ override the SSM-resolved values. To avoid this:
 
 - Use `.env.with-ssm` instead of `.env` for SSM references
 - Or use environment variable substitution if your app supports it:
-  `${API_KEY:-SSM:/myapp/api-key}`
+  `API_KEY=${API_KEY:-SSM:/myapp/api-key}`
 
 ### 🚀 Deployment Considerations
 

bin/bin.js

@@ -1,2 +1,2 @@
 #!/usr/bin/env node
-import '../dist/start.js';
+import '../dist/index.js';

package.json

@@ -6,37 +6,37 @@
   "license": "GPL-3.0",
   "scripts": {
     "test:lint": "eslint",
-    "build": "tsc --build",
+    "build": "ncc build src/start.ts -s -o dist",
-    "build:dev": "tsc --build --watch",
+    "build:dev": "ncc build src/start.ts -s -o dist --watch",
     "test:unit": "vitest --run --passWithNoTests",
     "test": "pnpm run \"/^test:/\""
   },
-  "packageManager": "pnpm@10.6.0",
+  "packageManager": "pnpm@10.17.0",
   "files": [
     "dist"
   ],
   "devDependencies": {
+    "@aws-sdk/client-ssm": "^3.947.0",
+    "@aws-sdk/client-sts": "^3.947.0",
+    "@dotenvx/dotenvx": "^1.51.1",
     "@eslint/eslintrc": "3.3.1",
-    "@eslint/js": "9.32.0",
+    "@eslint/js": "9.36.0",
     "@pnpm/find-workspace-packages": "6.0.9",
-    "@types/node": "24.2.0",
+    "@types/node": "24.6.2",
-    "@types/yargs": "^17.0.33",
+    "@types/yargs": "^17.0.35",
+    "@vercel/ncc": "^0.38.4",
     "@vitest/coverage-v8": "3.2.4",
-    "eslint": "9.32.0",
+    "eslint": "9.36.0",
     "eslint-config-prettier": "10.1.8",
     "eslint-plugin-import": "2.32.0",
     "eslint-plugin-prettier": "5.5.4",
+    "execa": "^9.6.1",
     "prettier": "3.6.2",
-    "typescript": "5.9.2",
+    "typescript": "5.9.3",
-    "typescript-eslint": "8.39.0",
+    "typescript-eslint": "8.45.0",
-    "vitest": "3.2.4"
+    "vitest": "3.2.4",
+    "yargs": "^18.0.0"
   },
   "name": "@morten-olsen/with-ssm",
-  "version": "1.0.0",
+  "version": "1.0.0"
-  "dependencies": {
+}
-    "@aws-sdk/client-ssm": "^3.859.0",
-    "dotenv": "^17.2.1",
-    "execa": "^9.6.0",
-    "yargs": "^18.0.0"
-  }
-}

pnpm-workspace.yaml

@@ -0,0 +1,2 @@
+onlyBuiltDependencies:
+  - esbuild

src/start.ts

@@ -19,7 +19,7 @@ const argv = await yargs(hideBin(process.argv))
     alias: 'f',
     type: 'string',
     description: 'The file to use for environment variables. (multiple files can be specified)',
-    default: ['.env', '.env.with-ssm'],
+    default: ['.env.with-ssm', '.env'],
   })
   .demandCommand(1, 'Error: You must provide a command to execute after --')
   .alias('h', 'help')
@@ -36,7 +36,10 @@ if (!command) {
 
 const files = argv.file && Array.isArray(argv.file) ? argv.file : [argv.file];
 const hostEnv = await getEnv(files);
-const env = await replaceParams(hostEnv);
+const env = await replaceParams(hostEnv, {
+  region: argv.region,
+  profile: argv.profile,
+});
 
 exec({
   command,

src/utils/aws.ts

@@ -0,0 +1,20 @@
+import { STSClient, GetCallerIdentityCommand } from '@aws-sdk/client-sts';
+
+const ensureAWS = async (region?: string, profile?: string) => {
+  const sts = new STSClient({
+    region,
+    profile,
+  });
+
+  const command = new GetCallerIdentityCommand({});
+
+  try {
+    await sts.send(command);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+    console.error('Failed to get caller identity', errorMessage);
+    process.exit(1);
+  }
+};
+
+export { ensureAWS };

src/utils/cli.ts

@@ -1,14 +0,0 @@
-const splitArgs = (args: string[]) => {
-  const separatorIndex = args.indexOf('--');
-  const actionArgs = args.slice(0, separatorIndex);
-  const command = args[separatorIndex + 1];
-  const commandArgs = args.slice(separatorIndex + 2);
-
-  return {
-    actionArgs,
-    command,
-    commandArgs,
-  };
-};
-
-export { splitArgs };

src/utils/env.ts

@@ -2,7 +2,7 @@ import { existsSync } from 'node:fs';
 import { readFile } from 'node:fs/promises';
 import { resolve } from 'node:path';
 
-import { parse } from 'dotenv';
+import { parse } from '@dotenvx/dotenvx';
 
 import { debug } from './debug.js';
 

src/utils/ssm.ts

@@ -1,6 +1,7 @@
-import { GetParametersCommand, SSMClient } from '@aws-sdk/client-ssm';
+import { GetParametersCommand, SSMClient, type Parameter } from '@aws-sdk/client-ssm';
 
 import { debug } from './debug.js';
+import { ensureAWS } from './aws.js';
 
 const PREFIX = 'SSM:';
 
@@ -13,11 +14,6 @@ const replaceParams = async (
   env: Record<string, string | undefined>,
   { region, profile }: ReplaceParamsOptions = {},
 ) => {
-  const ssm = new SSMClient({
-    region,
-    profile,
-  });
-
   const names = Object.entries(env)
     .filter(([, value]) => value?.startsWith(PREFIX))
     .map(([, value]) => value?.slice(PREFIX.length))
@@ -30,18 +26,47 @@ const replaceParams = async (
     return env;
   }
 
-  const command = new GetParametersCommand({
+  await ensureAWS(region, profile);
-    Names: names,
+  const ssm = new SSMClient({
-    WithDecryption: true,
+    region,
+    profile,
   });
+  // Chunk names into groups of 10 (AWS SSM GetParametersCommand limit)
+  const chunks: string[][] = [];
+  debug(`Chunking ${names.length} names into groups of 10`);
+  for (let i = 0; i < names.length; i += 10) {
+    chunks.push(names.slice(i, i + 10));
+  }
 
-  const response = await ssm.send(command);
+  debug(`Processing ${chunks.length} chunks`);
-  if (response.InvalidParameters?.length || 0 > 0) {
+
-    console.error('Invalid SSM parameters', response.InvalidParameters);
+  // Fetch parameters in chunks and combine results
+  const allParams: Parameter[] = [];
+  const allInvalidParams: string[] = [];
+
+  for (const chunk of chunks) {
+    const command = new GetParametersCommand({
+      Names: chunk,
+      WithDecryption: true,
+    });
+
+    const response = await ssm.send(command);
+
+    if (response.Parameters) {
+      allParams.push(...response.Parameters);
+    }
+
+    if (response.InvalidParameters) {
+      allInvalidParams.push(...response.InvalidParameters);
+    }
+  }
+
+  if (allInvalidParams.length > 0) {
+    console.error('Invalid SSM parameters', allInvalidParams);
     process.exit(1);
   }
 
-  const params = response.Parameters ?? [];
+  const params = allParams;
 
   return Object.fromEntries(
     Object.entries(env).map(([key, value]) => {

tsconfig.json

@@ -10,6 +10,7 @@
     "resolveJsonModule": true,
     "allowSyntheticDefaultImports": true,
     "skipLibCheck": true,
+    "noEmit": true,
     "outDir": "dist",
     "jsx": "react-jsx",
     "isolatedModules": true,