
Maintenance: Replace `lodash.merge` with a custom deep merge utility function

Open sdangol opened this issue 2 weeks ago • 6 comments

Summary

We're using a third-party dependency, lodash.merge, in our Logger utility. We would want to replace the dependency on this library and implement our own deep merge utility function.

Why is this needed?

We would ideally want minimal dependency on other third-party libraries.

Which area does this relate to?

Logger

Solution

No response

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.

sdangol avatar Dec 04 '25 00:12 sdangol

Good idea, this will also remove the last CJS only dependency from Logger, as well as the last 3P one.

dreamorosi avatar Dec 04 '25 00:12 dreamorosi

[!note] For those interested in contributing, please leave a comment below so that we can assign the issue to you and make sure we don't duplicate efforts. If you have any further questions, please don't hesitate to ask below or on our Discord server.

Happy to help with this, any clue on implementation details?

jaimellamasi avatar Dec 04 '25 09:12 jaimellamasi

Sure @jaimellamasi, thanks for the offer. I'll assign it to you.

Regarding the implementation details, I'd assume, for primitives, merging would just be an override from the source to the destination. For arrays/objects, we'd need to merge them recursively, preventing circular references. Our common utility functions reside in the commons package, which we then use to replace the current lodash.merge implementations on the Logger utility.

sdangol avatar Dec 04 '25 10:12 sdangol

Let's make sure we add defences against prototype pollution in this function. In addition to the checks listed here, we should explicitly check for `__proto__` and `constructor` keys and ignore them.

svozza avatar Dec 04 '25 20:12 svozza
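
The approach discussed in the two comments above (override primitives, recurse into arrays and objects with a circular-reference guard, ignore `__proto__` and `constructor` keys), as an added example that is not part of the thread and not the Powertools implementation. The names `deepMerge`, `mergeInto`, `isMergeable` and `isBlockedKey` are hypothetical, blocking `prototype` as well is an assumption of this sketch, and the input is constructed.

```typescript
// Added example with hypothetical names; not the Powertools implementation.
type Plain = Record<string, unknown>;

// `__proto__` and `constructor` are the keys named in the thread;
// `prototype` is an extra assumption of this sketch.
const isBlockedKey = (key: string): boolean =>
  key === '__proto__' || key === 'constructor' || key === 'prototype';

// Only arrays and plain objects are merged recursively; everything else overrides.
const isMergeable = (value: unknown): value is Plain => {
  if (typeof value !== 'object' || value === null) return false;
  if (Array.isArray(value)) return true;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
};

function mergeInto(target: Plain, source: Plain, ancestors: object[]): Plain {
  // A source that is already being merged higher up is a cycle: cut it here.
  if (ancestors.indexOf(source) !== -1) return target;
  ancestors.push(source);
  for (const key of Object.keys(source)) { // own enumerable keys only
    if (isBlockedKey(key)) continue;
    const incoming = source[key];
    if (!isMergeable(incoming)) {
      if (incoming !== undefined) target[key] = incoming; // primitive: override
      continue;
    }
    const existing = target[key];
    const sameShape = isMergeable(existing) && Array.isArray(existing) === Array.isArray(incoming);
    const base = sameShape ? (existing as Plain) : ((Array.isArray(incoming) ? [] : {}) as unknown as Plain);
    target[key] = mergeInto(base, incoming, ancestors);
  }
  ancestors.pop();
  return target;
}

// Mutates and returns `target`, merging sources left to right.
function deepMerge(target: Plain, ...sources: Plain[]): Plain {
  for (const source of sources) mergeInto(target, source, []);
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own property.
const untrusted: Plain = JSON.parse(
  '{"__proto__":{"polluted":true},"constructor":{"prototype":{"polluted":true}},"level":"DEBUG"}'
);
const merged = deepMerge({ level: 'INFO', ctx: { a: 1 } }, untrusted);
console.log(merged.level, ({} as Plain).polluted); // DEBUG undefined
```

Without the key check, the recursion would pick up `Object.prototype` as the existing value for `__proto__` and merge the untrusted properties into it. A cyclic reference in a source is cut to an empty object in the result.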

IMO, you're better off implementing with something modern like https://remedajs.com/docs/#mergeDeep

rcaughtlaf avatar Dec 05 '25 06:12 rcaughtlaf

Hi @jaimellamasi, are you still working on this PR? If not, that's perfectly fine - we'll put the issue back in the backlog for someone else to pick up.

dreamorosi avatar Dec 16 '25 17:12 dreamorosi

I am planning to do it in the next days if that is fine for you.

jaimellamasi avatar Dec 16 '25 20:12 jaimellamasi

Yes, that's perfectly fine - I just wanted to make sure to follow up, but the timeline is ok.

Let us know if you encounter any problems or have any questions when you start.

dreamorosi avatar Dec 17 '25 09:12 dreamorosi

As @dreamorosi said, lodash.merge is a CJS-only dependency and this is also a nuisance (e.g. we must install the @rollup/plugin-commonjs Rollup plugin in some projects simply for the Powertools Logger).

It would be great news if lodash.merge is gone!

albertodiazdorado avatar Dec 18 '25 09:12 albertodiazdorado