-
-
Notifications
You must be signed in to change notification settings - Fork 455
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency aws-cdk-lib to v2.80.0 [security] - autoclosed #2599
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Handler Size Report
Base Handler Sizes (kB) (commit e6367b5){
"Lambda": {
"Default Lambda": {
"Standard": 1578,
"Minified": 692
},
"Image Lambda": {
"Standard": 1543,
"Minified": 831
}
},
"Lambda@Edge": {
"Default Lambda": {
"Standard": 1588,
"Minified": 698
},
"Default Lambda V2": {
"Standard": 1580,
"Minified": 694
},
"API Lambda": {
"Standard": 634,
"Minified": 318
},
"Image Lambda": {
"Standard": 1551,
"Minified": 835
},
"Regeneration Lambda": {
"Standard": 1233,
"Minified": 566
},
"Regeneration Lambda V2": {
"Standard": 1307,
"Minified": 596
}
}
} New Handler Sizes (kB) (commit fe5e460){
"Lambda": {
"Default Lambda": {
"Standard": 1578,
"Minified": 692
},
"Image Lambda": {
"Standard": 1543,
"Minified": 831
}
},
"Lambda@Edge": {
"Default Lambda": {
"Standard": 1588,
"Minified": 698
},
"Default Lambda V2": {
"Standard": 1580,
"Minified": 694
},
"API Lambda": {
"Standard": 634,
"Minified": 318
},
"Image Lambda": {
"Standard": 1551,
"Minified": 835
},
"Regeneration Lambda": {
"Standard": 1233,
"Minified": 566
},
"Regeneration Lambda V2": {
"Standard": 1307,
"Minified": 596
}
}
} |
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
June 29, 2023 09:46
bcf4b76
to
35a868a
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
July 6, 2023 14:39
35a868a
to
82f895c
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
July 9, 2023 09:18
82f895c
to
cf88693
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
July 27, 2023 16:49
cf88693
to
30f2470
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
August 1, 2023 14:51
30f2470
to
8d26a5f
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
August 9, 2023 15:28
8d26a5f
to
5eefd9f
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
August 22, 2023 18:30
5eefd9f
to
a246d5c
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
August 27, 2023 09:19
a246d5c
to
6051993
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
September 19, 2023 11:43
6051993
to
f28a955
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
September 26, 2023 16:01
f28a955
to
92ce86e
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
September 28, 2023 12:52
92ce86e
to
3846a50
Compare
renovate
bot
force-pushed
the
renovate/npm-aws-cdk-lib-vulnerability
branch
from
October 1, 2023 07:39
3846a50
to
fe5e460
Compare
renovate
bot
changed the title
chore(deps): update dependency aws-cdk-lib to v2.80.0 [security]
chore(deps): update dependency aws-cdk-lib to v2.80.0 [security] - autoclosed
Oct 2, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.3.0
->2.80.0
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the logs for more information.
GitHub Vulnerability Alerts
CVE-2023-35165
If you are using the
eks.Cluster
oreks.FargateCluster
construct we need you to take action. Other users are not affected and can stop reading.Impact
The AWS Cloud Development Kit (CDK) allows for the definition of Amazon Elastic Container Service for Kubernetes (EKS) clusters.
eks.Cluster
andeks.FargateCluster
constructs create two roles that have an overly permissive trust policy.The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g
KubernetesManifest
,HelmChart
, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.The second, referred to as the default MastersRole, is provisioned only if the
mastersRole
property isn't provided and has permissions to executekubectl
commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate
sts:AssumeRole
permissions to assume it. For example, this can happen if another role in your account hassts:AssumeRole
permissions onResource: "*"
.CreationRole
Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:
*-ClusterCreationRole-*
MastersRole
Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the
mastersRole
property. The role in question can be located in the IAM console. It will have the following name pattern:*-MastersRole-*
Patches
The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.
The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to https://github.com/aws/aws-cdk/issues/25674 for a detailed discussion of options.
Workarounds
CreationRole
There is no workaround available for CreationRole.
MastersRole
To avoid creating the default MastersRole, use the
mastersRole
property to explicitly provide a role. For example:References
https://github.com/aws/aws-cdk/issues/25674
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.
Release Notes
aws/aws-cdk (aws-cdk-lib)
v2.80.0
Compare Source
⚠ BREAKING CHANGES
mastersRole
property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriatests:AssumeRole
permissions) to assume it.Features
Bug Fixes
Alpha modules (2.80.0-alpha.0)
v2.79.1
Compare Source
Bug Fixes
Alpha modules (2.79.1-alpha.0)
v2.79.0
Compare Source
Features
Bug Fixes
[Object object]
(#25466) (b3d0d57), closes #25250Alpha modules (2.79.0-alpha.0)
Bug Fixes
[Object object]
(#25250) (b3d0d57)v2.78.0
Compare Source
Features
aws/codebuild/amazonlinux2-aarch64-standard:3.0
(#25351) (0d187c1), closes #25334Bug Fixes
variables
property onStage
resource (#25267) (04427e3), closes #3635ManagedEc2EcsComputeEnvironment
instance role missing managed policy (#25279) (c81d115), closes #25256Alpha modules (2.78.0-alpha.0)
v2.77.0
Compare Source
Features
Bug Fixes
port
property (#25112) (925c9ba), closes #22452BackupVault.fromBackupVaultArn
parses wrong arn format (#25259) (c2082a7), closes #25212previous-parameters
option to bootstrap command (#25219) (02e8758), closes #23780Alpha modules (2.77.0-alpha.0)
v2.76.0
Compare Source
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
The user who are using these two method need to update to use alternative method.
For associateStack, the alternative method is associateApplicationWithStack
For associateAttributeGroup, the alternative method is AttributeGroup.associateWith
The user who are using these two method need to update to use alternative method. For associateStack, the alternative method is associateApplicationWithStack For associateAttributeGroup, the alternative method is AttributeGroup.associateWith
Purpose of this PR:
we need to remove deprecated resource before we moving into stable version The method that we remove is: associateStack and associateAttributeGroup
CHANGES:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Features
Bug Fixes
jobQueueName
returns ARN instead of name (#25093) (a344507), closes #23018Alpha modules (2.76.0-alpha.0)
v2.75.1
Compare Source
Reverts
Alpha modules (2.75.1-alpha.0)
v2.75.0
Compare Source
Features
Alpha modules (2.75.0-alpha.0)
v2.74.0
Compare Source
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
ComputeEnvironment
has been removed and replaced byManagedEc2EcsComputeEnvironment
,ManagedEc2EksComputeEnvironment
, andUnmanagedComputeEnvironment
.JobDefinition
has been removed and replaced byEcsJobDefinition
,EksJobDefinition
, andMultiNodeJobDefinition
Features
EvaluateExpression
(#25002) (f26bfe9)Bug Fixes
p100
statistic is no longer recognized (#24981) (adc1a13), closes #23095 #24976Alpha modules (2.74.0-alpha.0)
v2.73.0
Compare Source
Features
Bug Fixes
Alpha modules (2.73.0-alpha.0)
v2.72.1
Compare Source
Alpha modules (2.72.1-alpha.0)
v2.72.0
Compare Source
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
aws-cdk-lib.aws_ec2.SecurityGroup.determineRuleScope
was changed from a tuple ([SecurityGroupBase, string]
) to a struct with the same values, because tuple types are not supported over the jsii interoperability layer, butjsii@v1
was incorrectly allowing this to be represented as theJSON
primitive type. This made the API unusable in non-JS languages. The type of themetadata
property ofaws-cdk-lib.aws_s3_deployment.BucketDeploymentProps
was changed from an index-only struct to an inline map, becausejsii@v1
silently ignored the index signature (which is otherwise un-supported), resulting in an empty object in non-JS/TS languages. As a consequence, the values of that map can no longer beundefined
(asjsii
does not currently support nullable elements in collections).Features
allowedActionPatterns
parameter to grantWrite (#24211) (5b5c36f), closes #24074Source.dataYaml
helper function (#24579) (d969ddf), closes #24554Bug Fixes
AmazonEMRServicePolicy_v2
(under feature flag) (#23985) (f3fd183), closes #23915Miscellaneous Chores
Alpha modules (2.72.0-alpha.0)
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
ApplicationAssociator
due to share construct id update. After this change, frequent share replacements due to structural change inApplication
construct should be avoided.Application.shareApplication
starts to require construct id (first argument) and share name (added inShareOption
) as input.Bug Fixes
v2.71.0
Compare Source
Features
Bug Fixes
Alpha modules (2.71.0-alpha.0)
v2.70.0
Compare Source
Features
Bug Fixes
undefined/undefined
(#24663) (3e8d8d8)null
(#24717) (413b643), closes #24593Alpha modules (2.70.0-alpha.0)
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
Since the application RAM share name is calculated by the application construct, where one method is added. Integration test detects a breaking change where RAM share will be created. Integration test snapshot is updated to cater this destructive change.
Features
v2.69.0
Compare Source
Features
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.