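License: MIT License
Language: JavaScript
Operating system: Cross-platform
Software type: Open source
Category: Cloud computing, Serverless systems
Region: Unknown
Submitted by: 首席测试
Intended audience: Unknown
Date listed: 2021-12-02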



A framework for building JavaScript Applications with AWS API Gateway and Lambda

Make "Serverless" Simple

Amazon Web Services API gateway and Lambda are great tools for building and deploying "serverless" applications. But using them to deploy more than a couple functions/endpoints involves an excessive amount of manual work such as zipping files, uploading via the web UI, configuring paths and function names, etc. Shep is built to automate as many of these tasks as possible, giving you the ability to deploy an entire API and suite of lambda functions with one CLI command.

Getting Started With Shep


It will be helpful to have some existing experience with API Gateway and Lambda. If you have never used either of these tools before, it is recommended to set up a function manually to see how things are done. Please refer to Amazon's own getting started guide.

AWS credentials

Shep requires your AWS credentials and loads them using the same methods as the AWS CLI tool, meaning you must have set up the AWS CLI tool before using shep. Consult Amazon's CLI documentation for instructions.

AWS S3 Build Artifacts

Shep stores build artifacts on S3 so it can skip the upload step when your functions don't change. By default, Lambda won't update the version of an alias unless the function has changed, so this will come into effect for deploys of config changes. This isn't enabled by default. To enable it, add the name of the S3 bucket to the "bucket" field in the shep section of your package.json.


npm install -g shep
# Optionally install shep in your project. The global shep will run the project's shep
npm install --save-dev shep

Add a few lines to your package.json. Your account id can be found on the billing page of your aws account.

  {
    "name": "my-great-package",
    "shep": {
      "accountId": "XXXXX",
      "region": "us-east-1",
      "bucket": "my-great-bucket", // optional, upload builds to s3 instead of directly to lambda
      "dist": "dist" // optional, customize the dist folder location
    }
  }


Environments for a shep project are defined by the aliases on the functions associated with a project. Environments are created through shep deploy --env new_env and managed by using the shep config commands. Shep takes a strong stance against having different environments for different functions within a project. If you attempt a command which requires the listing of environments and a mismatch is detected, shep will throw an EnvironmentMistmach error until you remedy the issue. Most issues can be fixed automatically by using shep config sync. The only issues this can't solve are conflicting environment variable values, which can be solved by using shep config set my_env CONFLICT_VARIABLE=value.

Custom Build Commands

By default shep builds all your functions using webpack. If your project requires a different build process, then edit your package.json. Before running your build command, shep populates the PATTERN environment variable which can be accessed as process.env.PATTERN in your build command. Be aware that using your own build process will break pattern matching for shep build unless your build command respects the PATTERN variable.

  "shep": {
    "buildCommand": "custom-build --with-flag"
  }

Creating a new API

1. Configure AWS

Since Shep uses the same credentials as the AWS CLI, all you need to do is configure the CLI. This can be accomplished via aws configure.

2. Create a new Shep project

Run shep new my-project
This will create and configure a Shep project called 'my-project' in the my-project directory. Change into this directory.

3. Create a new endpoint and function

Run shep generate endpoint /hello and follow the prompts.
This creates a new endpoint as well as a new function for that endpoint. Specifically, it adds a path to api.json that is configured to trigger the newly created function.

4. Deploy

Run shep deploy --env development
This command does a couple things in order to deploy your project:

  • Uses webpack to build your functions. This is equivalent to running shep build.
  • Creates or updates the Lambda functions associated with your project. This includes creating a new version of the function as well as updating the alias such that development will point to the version you just created. For more on versioning please consult Amazon's own documentation.
  • Creates or updates the API Gateway associated with your project and deploys it to the specified stage, development in this case.

You can test your endpoint by visiting the API URL printed out after the project is deployed. Visiting the /hello endpoint should show success!

CLI Documentation

CLI documentation can be found in


Read the migration docs for information on upgrading major version changes

Why the name 'shep'?

It was called 'shepherd' at first because it was helpful for dealing with lambda, but everyone kept shortening it to 'shep', so we changed the name.

Other Tools

Serverless, Apex, Gordon, DEEP, Claudia.js


Pull requests welcome!

Test: npm test

Rebuild on file change: npm run compile -- -w

Publish: npm run pub ("publish" is reserved by npm)

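Yargs Y18n input validation error vulnerability
Yargs Y18n is an I18n-like code library written in JS by the individual developer Yargs. y18n versions before 3.2.2, 4.0.1 and 5.0.5 contain an input validation error vulnerability, which stems from a network system or product failing to properly validate input data.
CVE-2020-7774 MPS-2020-17543
2022-08-08 19:28
minimist input validation error vulnerability
minimist is a command-line argument parsing tool. Versions of minimist before 1.2.2 contain an input validation error vulnerability. An attacker can use 'constructor' and '__proto__' payloads to exploit it to add or modify properties of Object.prototype.
CVE-2020-7598 MPS-2020-3516
2022-08-08 19:28
Amazon Aws-sdk-js security vulnerability
Amazon Aws-sdk-js is a JavaScript development kit from Amazon (USA) that provides AWS service support for Node.js applications. Amazon Aws-sdk-js before 1.0.0-rc.9 contains a security vulnerability; an attacker can exploit it to submit a malicious INI file to the application and exploit it further depending on the context.
CVE-2020-28472 MPS-2021-0649
2022-08-08 19:28
lodash denial-of-service vulnerability
lodash is a modern JavaScript utility library delivering modularity, performance and extras. Affected versions of this package are vulnerable to prototype pollution via the setWith and set functions.
2022-08-08 19:28
lodash node module security vulnerability
The lodash node module is an open-source JavaScript utility library that mainly provides modularity and similar features. The lodash node module before 4.17.5 contains a security vulnerability. A remote attacker can use the 'defaultsDeep', 'merge' and 'mergeWith' functions to exploit it to cause a denial of service (a crash or a 500 error) and possibly execute code.
CVE-2018-3721 MPS-2018-7315
2022-08-08 19:28
lodash is an open-source JavaScript utility library. lodash 4.17.15 and earlier contain an input validation error vulnerability. A remote attacker can use the 'merge', 'mergeWith' and 'defaultsDeep' functions to exploit it to execute arbitrary code on the system.
CVE-2020-8203 MPS-2020-15679
2022-08-08 19:28
npm dot-prop security vulnerability
A prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and 5.x versions before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs (such as objects).
CVE-2020-8116 MPS-2020-1734
2022-08-08 19:28
nodejs resource management error vulnerability
nodejs is a JavaScript runtime based on the Chrome V8 engine; by wrapping the V8 engine and using event-driven, non-blocking I/O, it makes it possible to build high-performance back-end applications in JavaScript. nodejs-glob-parent contains a security vulnerability that stems from a regular expression denial of service.
CVE-2020-28469 MPS-2021-7827
2022-08-08 19:28
lodash prototype pollution vulnerability
lodash is an open-source JavaScript utility library. In lodash versions before 4.17.11, the functions merge, mergeWith and defaultsDeep can add or modify Object.prototype, resulting in a prototype pollution vulnerability. This can cause a denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path injected by the attacker, leading to remote code execution.
CVE-2018-16487 MPS-2019-1228
2022-08-08 19:28
Ajv input validation error vulnerability
The ajv.validate() function in Ajv 6.12.2 contains an input validation error vulnerability. An attacker can exploit it to execute code or cause a denial of service.
CVE-2020-15366 MPS-2020-10525
2022-08-08 19:28
jsonpointer is an open-source package for simple JSON addressing. jsonpointer contains a security vulnerability that stems from improper design or implementation during code development of a network system or product. No detailed vulnerability information is currently available.
CVE-2021-23807 MPS-2021-19846
2022-08-08 19:28
lodash command injection vulnerability
lodash is a modern JavaScript utility library delivering modularity, performance and extras. Lodash versions before 4.17.21 are vulnerable to command injection via the template function.
CVE-2021-23337 MPS-2021-2638
2022-08-08 19:28
Npm is-my-json-valid resource management error vulnerability
Npm is-my-json-valid is an application from Npm (USA). It is a JSONSchema validator that uses code generation to be extremely fast. is-my-json-valid contains a resource management error vulnerability, which stems from the use of an inefficient regular expression to validate JSON fields defined as the email format.
CVE-2018-1107 MPS-2021-3563
2022-08-08 19:28
lodash denial-of-service vulnerability
lodash is a modern JavaScript utility library delivering modularity, performance and extras. Because the fix for CVE-2020-8203 was incomplete, affected versions of this package are vulnerable to prototype pollution in zipObjectDeep.
2022-08-08 19:28
eslint denial-of-service vulnerability
eslint is a pluggable linting utility for JavaScript and JSX. Affected versions of this package are vulnerable to regular expression denial of service (ReDoS).
2022-08-08 19:28
is-my-json-valid code injection vulnerability
is-my-json-valid is a JSONSchema / orderly validator that uses code generation to be extremely fast. Affected versions of this package are vulnerable to arbitrary code execution via the formatName function.
2022-08-08 19:28
js-yaml denial-of-service vulnerability
js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to denial of service (DoS).
2022-08-08 19:28
Growl is a notification system for Node.js. Growl versions before 1.10.2 contain a security vulnerability that stems from the program failing to properly sanitize input before passing it to a shell command. An attacker can exploit it to execute arbitrary commands.
CVE-2017-16042 MPS-2018-7026
2022-08-08 19:28
pathval input validation error vulnerability
pathval is an npm library from the Chai.js team for retrieving and setting object values based on a string path. pathval versions before 1.1.1 contain an input validation error vulnerability, which stems from a network system or product failing to properly validate input data.
CVE-2020-7751 MPS-2020-15246
2022-08-08 19:28
shelljs security vulnerability
shelljs is a portable (Windows/Linux/OS X) implementation of Unix shell commands on top of the Node.js API. shelljs contains a security vulnerability that stems from improper privilege management; an attacker can exploit it to gain unauthorized access.
CVE-2022-0144 MPS-2022-0508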
2022-08-08 19:28
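
The fixed-version thresholds quoted in the advisories above can be checked against an installed dependency map. The following is an added example, not code from shep or from this page; the `FIXED` table, the function names and the sample dependency map are constructed for illustration, and it assumes each listed fix applies to its own major release line.

```javascript
// Fixed releases quoted in the advisories on this page, one per release line.
const FIXED = {
  y18n: ['3.2.2', '4.0.1', '5.0.5'],   // CVE-2020-7774
  minimist: ['1.2.2'],                 // CVE-2020-7598
  'dot-prop': ['4.2.1', '5.1.1'],      // CVE-2020-8116
  lodash: ['4.17.21'],                 // CVE-2021-23337, highest lodash threshold listed
  growl: ['1.10.2'],                   // CVE-2017-16042
  pathval: ['1.1.1'],                  // CVE-2020-7751
};

// "1.2.3-beta.1+build" -> [1, 2, 3]; pre-release and build tags are ignored.
function parse(version) {
  const parts = String(version).split(/[-+]/)[0].split('.').map(Number);
  return [parts[0] || 0, parts[1] || 0, parts[2] || 0];
}

// Numeric comparison per component, so 1.9.2 sorts before 1.10.2.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assumption: a fix applies to installs on the same major line; a major with
// no listed fix is affected only if it is older than every listed fix.
function isBelowFix(installed, fixes) {
  const v = parse(installed);
  const parsed = fixes.map(parse);
  const sameLine = parsed.find((f) => f[0] === v[0]);
  if (sameLine) return compare(v, sameLine) < 0;
  return parsed.every((f) => compare(v, f) < 0);
}

// deps: { packageName: installedVersion }, e.g. flattened from package-lock.json.
// hasOwnProperty guards against names such as "constructor" or "__proto__".
function audit(deps) {
  const known = (name) => Object.prototype.hasOwnProperty.call(FIXED, name);
  return Object.entries(deps)
    .filter(([name, version]) => known(name) && isBelowFix(version, FIXED[name]))
    .map(([name, version]) => ({ name, version, fixedIn: FIXED[name] }));
}

// Constructed sample input, not shep's real dependency tree.
const SAMPLE_DEPS = {
  y18n: '4.0.0', minimist: '1.2.5', 'dot-prop': '5.1.0',
  lodash: '4.17.21', growl: '1.9.2', chalk: '2.4.2',
};
console.log(audit(SAMPLE_DEPS).map((f) => `${f.name}@${f.version}`));
```

Entries on this page that state no fixed version (for example the eslint and js-yaml items) are not in the table and need the upstream advisory before they can be checked this way.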