v1.3.70

@Nahuel990 Nahuel990 released this 30 Jun 18:30
cfcf0be

What's Changed

[1.3.70] — 2026-06-30

Added

  • CloudFormation — SAM transform (AWS::Serverless-2016-10-31) templates are expanded into native CloudFormation — a template carrying Transform: AWS::Serverless-2016-10-31 now has its SAM resources expanded into native CloudFormation before provisioning, via the canonical aws-sam-translator, matching AWS's server-side expansion on CreateStack, UpdateStack, and CreateChangeSet. The dependency is optional and ships in the full image only; a lean image that receives a SAM template returns a clear error pointing to the full image instead of silently failing to expand. Contributed by @maximoosemine.
  • IAM — group policy attach/detach and inline group policies: AttachGroupPolicy, DetachGroupPolicy, ListAttachedGroupPolicies, PutGroupPolicy, GetGroupPolicy, DeleteGroupPolicy, and ListGroupPolicies are now implemented, matching the existing User and Role coverage, so the create-group then attach-managed-and-inline-policy pattern works instead of returning InvalidAction: Unknown IAM action. Contributed by @maxflorentin.
  • SNS — mobile-push endpoint lifecycle: GetEndpointAttributes, SetEndpointAttributes, DeleteEndpoint, DeletePlatformApplication — completes the platform-endpoint flow on top of the existing CreatePlatformApplication/CreatePlatformEndpoint. CreatePlatformEndpoint now dedups by device token within a platform application (AWS behavior): re-requesting the same Token returns the existing endpoint ARN when CustomUserData matches, and raises InvalidParameter "Endpoint <arn> already exists with the same Token, but different attributes." when it differs — so callers can parse the ARN and reconcile. Publish to a platform-endpoint TargetArn now succeeds (stub delivery) instead of returning Topic does not exist, and DeletePlatformApplication is idempotent and drops the application's endpoints. This lets app push-token registration flows (register → read/update attributes → delete) run end-to-end against MiniStack. Contributed by @sjincho.

Fixed

  • S3 — S3 → EventBridge events use AWS-conformant detail-type, reason, and deletion-type — S3 → EventBridge delivery built the detail-type by string-mangling the granular notification event name (Object ObjectCreated Put instead of AWS's fixed Object Created), hardcoded detail.reason to PutObject for every event, and omitted detail.deletion-type on deletes. Because EventBridge rules match on detail-type, any rule written to the AWS-documented type (e.g. ["Object Created"]) silently never matched. Each S3 event family now maps to its fixed EventBridge detail-type, with the per-API reason (PutObject/POST Object/CopyObject/CompleteMultipartUpload/DeleteObject) and a deletion-type on Object Deleted. Contributed by @lucasmfraser.
  • API Gateway — failed OIDC discovery is negative-cached so a transient failure no longer causes a 2-hour auth outage: _fetch_oidc_jwks_uri cached the result of OIDC discovery unconditionally, so a single transient failure cached jwks_uri = None for the full 7200s TTL and every subsequent JWT validation for that issuer fell back to the wrong default path and returned 401/404 for up to two hours, recoverable only by a restart. Discovery now writes the 7200s cache only on success and a short 60s negative cache on failure, so auth recovers within a minute of the issuer becoming reachable while still avoiding a re-run on every request. Contributed by @Pratham2703005.
  • Lambda — worker respawn cleans up the previous tmpdir and terminates the dead process — when a Lambda worker died between invocations, _spawn() created a fresh tmpdir without removing the previous one (leaking the extracted function code and layers on disk) and an errored handler set self._proc = None without terminating the subprocess (leaking ~68 MB per orphaned worker). Respawn now removes the old tmpdir and terminates the previous process first. Contributed by @hiddengearz.
  • Cognito — OAuth2 Basic-auth client secret containing + is no longer corrupted — the Authorization: Basic credential decode used unquote_plus, which turns a literal + in a Cognito-generated secret into a space, so client_secret_basic failed with invalid_client for the roughly half of generated secrets that contain a +. It now uses unquote, preserving + while still decoding %2F/%2B. Contributed by @jgrumboe.
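
The negative-caching behavior described in the API Gateway fix above, as an added example (not MiniStack's code). JwksUriCache, simulate, the issuer URL and the JWKS path are hypothetical; only the 7200s and 60s TTLs come from the release note. Calling simulate with negative_ttl=7200 reproduces the pre-fix outage.

```python
import time

SUCCESS_TTL = 7200   # seconds, long cache for a successful discovery (from the note)
NEGATIVE_TTL = 60    # seconds, short cache for a failed discovery (from the note)


class JwksUriCache:
    """Hypothetical stand-in for an OIDC discovery cache."""

    def __init__(self, discover, clock=time.monotonic, negative_ttl=NEGATIVE_TTL):
        self._discover = discover          # callable(issuer) -> jwks_uri, raises on failure
        self._clock = clock                # injectable so the scenario can control time
        self._negative_ttl = negative_ttl
        self._entries = {}                 # issuer -> (jwks_uri or None, expires_at)
        self.fetches = 0                   # number of real discovery attempts

    def get(self, issuer):
        now = self._clock()
        hit = self._entries.get(issuer)
        if hit is not None and now < hit[1]:
            return hit[0]                  # fresh entry, positive or negative
        self.fetches += 1
        try:
            uri, ttl = self._discover(issuer), SUCCESS_TTL
        except Exception:
            # Remember the failure briefly: no retry on every request,
            # but no two-hour lockout either.
            uri, ttl = None, self._negative_ttl
        self._entries[issuer] = (uri, now + ttl)
        return uri


def simulate(negative_ttl):
    """Constructed scenario: issuer unreachable at t=0, reachable from t=10."""
    t = [0.0]
    issuer = "https://issuer.example"      # constructed placeholder

    def discover(iss):
        if t[0] < 10:
            raise ConnectionError("discovery endpoint unreachable")
        return iss + "/.well-known/jwks.json"

    cache = JwksUriCache(discover, clock=lambda: t[0], negative_ttl=negative_ttl)
    seen = {}
    for at in (0, 5, 30, 61, 3600, 7201):  # request times in seconds
        t[0] = at
        seen[at] = cache.get(issuer)
    return seen, cache.fetches
```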