Merge pull request #334 from aws-solutions/feature/v2.4.1

Update to version v2.4.1

Author: jangidms

.gitignore

@@ -1,7 +1,7 @@
 # Typescript
 source/*/*.js
+source/constructs/**/*.js
 *.d.ts
-*.js
 !.nightswatch/**/*.js
 node_modules/
 
@@ -81,4 +81,7 @@ venv.bak/
 *.mmdb
 
 #requirement files
-source/constructs/**/*requirement*.txt
+source/constructs/**/*requirement*.txt
+
+#Build
+build

CHANGELOG.md

@@ -5,9 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.4.1] - 2025-07-29
+
+### Security
+
+- Updated form-data package to address [CVE-2025-7783](https://avd.aquasec.com/nvd/2025/cve-2025-7783/)
+- Updated urllib3 package to address [CVE-2025-50182](https://avd.aquasec.com/nvd/2025/cve-2025-50182/)
+- Updated requests package to address [CVE-2024-47081](https://avd.aquasec.com/nvd/2024/cve-2024-47081/)
+
 ## [2.4.0] - 2025-05-22
 
-### Added 
+### Added
 
 - Anonymized operational metrics collection
 

NOTICE.txt

@@ -1737,6 +1737,46 @@ commonlib under the 0BSD license.
 pyopenssl under the Apache-2.0 license.
 wsgiref under the PSF or ZPL license(s).
 yum-metadata-parser under the MIT license.
+get-proto under the MIT license.
+math-intrinsics under the MIT license.
+is-inside-container under the MIT license.
+default-browser under the MIT license.
+bundle-name under the MIT license.
+run-applescript under the MIT license.
+default-browser-id under the MIT license.
+is-network-error under the MIT license.
+@jest/pattern under the MIT license.
+@jest/get-type under the MIT license.
+@jest/diff-sequences under the MIT license.
+@jest/snapshot-utils under the MIT license.
+unrs-resolver under the MIT license.
+napi-postinstall under the MIT license.
+@unrs/resolver-binding-freebsd-x64 under the MIT license.
+@unrs/resolver-binding-win32-ia32-msvc under the MIT license.
+@unrs/resolver-binding-win32-arm64-msvc under the MIT license.
+@unrs/resolver-binding-linux-arm-musleabihf under the MIT license.
+@unrs/resolver-binding-android-arm-eabi under the MIT license.
+@unrs/resolver-binding-android-arm64 under the MIT license.
+@unrs/resolver-binding-linux-s390x-gnu under the MIT license.
+@unrs/resolver-binding-linux-riscv64-gnu under the MIT license.
+@unrs/resolver-binding-linux-riscv64-musl under the MIT license.
+@unrs/resolver-binding-linux-ppc64-gnu under the MIT license.
+@unrs/resolver-binding-linux-arm-gnueabihf under the MIT license.
+@unrs/resolver-binding-linux-x64-gnu under the MIT license.
+@unrs/resolver-binding-darwin-x64 under the MIT license.
+@unrs/resolver-binding-linux-arm64-musl under the MIT license.
+@unrs/resolver-binding-wasm32-wasi under the MIT license.
+@napi-rs/wasm-runtime under the MIT license.
+@emnapi/core under the MIT license.
+@emnapi/wasi-threads under the MIT license.
+@emnapi/runtime under the MIT license.
+@tybys/wasm-util under the MIT license.
+@unrs/resolver-binding-darwin-arm64 under the MIT license.
+@unrs/resolver-binding-win32-x64-msvc under the MIT license.
+@unrs/resolver-binding-linux-arm64-gnu under the MIT license.
+@unrs/resolver-binding-linux-x64-musl under the MIT license.
+exit-x under the MIT license.
+pygments under the 0BSD license.
 
 ********************
 OPEN SOURCE LICENSES

deployment/cdk-solution-helper/index.js

@@ -0,0 +1,155 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Imports
+const fs = require('fs');
+const _regex = /[\w]*AssetParameters/g; //this regular express also takes into account lambda functions defined in nested stacks
+
+// Paths
+const global_s3_assets = '../global-s3-assets';
+
+// For each template in global_s3_assets ...
+fs.readdirSync(global_s3_assets).forEach(file => {
+
+  // Import and parse template file
+  const raw_template = fs.readFileSync(`${global_s3_assets}/${file}`);
+  let template = JSON.parse(raw_template);
+
+  // Clean-up Lambda function code dependencies
+  const resources = (template.Resources) ? template.Resources : {};
+  const lambdaFunctions = Object.keys(resources).filter(function (key) {
+    return resources[key].Type === "AWS::Lambda::Function";
+  });
+  lambdaFunctions.forEach(function (f) {
+    const fn = template.Resources[f];
+    if (fn.Properties.Code.hasOwnProperty('S3Bucket')) {
+      // Set the S3 key reference
+      let s3Key = Object.assign(fn.Properties.Code.S3Key);
+      // https://github.com/aws/aws-cdk/issues/10608
+      if (!s3Key.endsWith('.zip')) {
+        fn.Properties.Code.S3Key = `%%SOLUTION_NAME%%/%%VERSION%%/${s3Key}.zip`;
+      } else {
+        fn.Properties.Code.S3Key = `%%SOLUTION_NAME%%/%%VERSION%%/${s3Key}`;
+      }
+      // Set the S3 bucket reference
+      fn.Properties.Code.S3Bucket = {
+        'Fn::Sub': '%%BUCKET_NAME%%-${AWS::Region}'
+      };
+    }
+  });
+
+  // Clean-up Lambda Layer code dependencies
+  const lambdaLayers = Object.keys(resources).filter(function (key) {
+    return resources[key].Type === "AWS::Lambda::LayerVersion";
+  })
+  lambdaLayers.forEach(function (l) {
+    const layer = template.Resources[l];
+    if (layer.Properties.Content.hasOwnProperty('S3Bucket')) {
+      let s3Key = Object.assign(layer.Properties.Content.S3Key);
+      layer.Properties.Content.S3Key = `%%SOLUTION_NAME%%/%%VERSION%%/${s3Key}`;
+      layer.Properties.Content.S3Bucket = {
+        'Fn::Sub': '%%BUCKET_NAME%%-${AWS::Region}'
+      }
+    }
+  })
+
+  // Clean-up Custom::CDKBucketDeployment
+  const bucketDeployments = Object.keys(resources).filter(function (key) {
+    return resources[key].Type === "Custom::CDKBucketDeployment"
+  })
+  bucketDeployments.forEach(function (d) {
+    const deployment = template.Resources[d];
+    if (deployment.Properties.hasOwnProperty('SourceBucketNames')) {
+      let s3Key = Object.assign(deployment.Properties.SourceObjectKeys[0]);
+      deployment.Properties.SourceObjectKeys = [
+        `%%SOLUTION_NAME%%/%%VERSION%%/${s3Key}`
+      ]
+      deployment.Properties.SourceBucketNames = [
+        {
+          'Fn::Sub': '%%BUCKET_NAME%%-${AWS::Region}'
+        }
+      ]
+    }
+  })
+
+  // Clean-up CustomCDKBucketDeployment Policy
+  const bucketDeploymentsPolicy = Object.keys(resources).filter(function (key) {
+    return key.startsWith("CustomCDKBucketDeployment") && resources[key].Type === "AWS::IAM::Policy"
+  })
+
+  bucketDeploymentsPolicy.forEach(function (d) {
+    const policy = template.Resources[d];
+    let resources = policy.Properties.PolicyDocument.Statement[0].Resource
+    resources.forEach((res) => {
+      res['Fn::Join'].forEach((key) => {
+        if (key[2] == ':s3:::') {
+          key[3]['Fn::Sub'] = '%%BUCKET_NAME%%-${AWS::Region}'
+        }
+      })
+    })
+  })
+
+	const nestedStacks = Object.keys(resources).filter(function (key) {
+		return resources[key].Type === "AWS::CloudFormation::Stack";
+	});
+
+	nestedStacks.forEach(function (f) {
+		const fn = template.Resources[f];
+		if (!fn.Metadata.hasOwnProperty("aws:asset:path")) {
+			throw new Error("Nested stack construct missing file name metadata");
+		}
+		fn.Properties.TemplateURL = {
+			"Fn::Join": [
+				"",
+				[
+					"https://%%TEMPLATE_BUCKET_NAME%%.s3.",
+					{
+						Ref: "AWS::URLSuffix",
+					},
+					"/",
+					`%%SOLUTION_NAME%%/%%VERSION%%/${fn.Metadata["aws:asset:path"].slice(0, -".json".length)}`,
+				],
+			],
+		};
+
+		const params = fn.Properties.Parameters ? fn.Properties.Parameters : {};
+		const nestedStackParameters = Object.keys(params).filter(function (key) {
+			if (key.search(_regex) > -1) {
+				return true;
+			}
+			return false;
+		});
+
+		nestedStackParameters.forEach(function (stkParam) {
+			fn.Properties.Parameters[stkParam] = undefined;
+		});
+	});  
+
+  // Clean-up parameters section
+  const parameters = (template.Parameters) ? template.Parameters : {};
+  const assetParameters = Object.keys(parameters).filter(function (key) {
+    if (key.search(_regex) > -1) {
+      return true;
+    }
+    return false;
+  });
+  assetParameters.forEach(function (a) {
+    template.Parameters[a] = undefined;
+  });
+
+  // Clean-up BootstrapVersion parameter
+  if (parameters.hasOwnProperty('BootstrapVersion')) {
+    parameters.BootstrapVersion = undefined
+  }
+
+  // Clean-up CheckBootstrapVersion Rule
+  const rules = (template.Rules) ? template.Rules : {};
+  if (rules.hasOwnProperty('CheckBootstrapVersion')) {
+    rules.CheckBootstrapVersion = undefined
+  }
+
+
+  // Output modified template file
+  const output_template = JSON.stringify(template, null, 2);
+  fs.writeFileSync(`${global_s3_assets}/${file}`, output_template);
+});

deployment/ecr/clo-logging-syslog/Dockerfile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/aws-observability/aws-for-fluent-bit:2.32.5.20250422
+FROM public.ecr.aws/aws-observability/aws-for-fluent-bit:2.33.0
 
 RUN yum update -y && yum install -y unzip
 

deployment/ecr/clo-s3-list-objects/Dockerfile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/python:3.12.2025.04.03.11 AS builder
+FROM public.ecr.aws/lambda/python:3.12.2025.07.27.11 AS builder
 
 WORKDIR /build
 
@@ -14,7 +14,7 @@ RUN python -m venv .venv && \
     cd common-lib && \
     poetry build
 
-FROM public.ecr.aws/lambda/python:3.12.2025.04.03.11
+FROM public.ecr.aws/lambda/python:3.12.2025.07.27.11
 
 WORKDIR /ws