Update to version v1.4.2

- Upgraded requests to 2.31.0 that addresses the [unintended leak of proxy-authorization header in requests](GHSA-j8r2-6x86-q33q)
aws-solutions · Jun 22, 2023 · 96c68cf · 96c68cf
2 parents a33a12e + f4f913a
commit 96c68cf
Show file tree

Hide file tree

Showing 10 changed files with 19 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,11 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.2] - 2023-06-22
+
+### Changed
+
+- Upgraded requests to 2.31.0 that addresses the [unintended leak of proxy-authorization header in requests](https://github.com/advisories/GHSA-j8r2-6x86-q33q)
+
 ## [1.4.1] - 2023-04-18
 
 ### Changed
 
-- Enabled Amazon S3 server access logging on the logging bucket
+- Updated the bucket policy on the logging bucket to grant access to the logging service principal (logging.s3.amazonaws.com) for access log delivery.
 - Upgraded CDK version to 2.75.0
 
 ## [1.4.0] - 2023-03-29

diff --git a/...ons/cdk/aws_lambda/cfn_custom_resources/solutions_metrics/src/custom_resources/metrics.py b/...ons/cdk/aws_lambda/cfn_custom_resources/solutions_metrics/src/custom_resources/metrics.py
@@ -23,6 +23,7 @@
 logger = logging.getLogger(__name__)
 helper = CfnResource(log_level=getenv("LOG_LEVEL", "WARNING"))
 METRICS_ENDPOINT = "https://metrics.awssolutionsbuilder.com/generic"
+REQUESTS_TIMEOUT = 10
 
 
 def _sanitize_data(event):
@@ -59,7 +60,7 @@ def send_metrics(event, _):
         }
 
         logger.info(f"Sending payload: {payload}")
-        response = requests.post(METRICS_ENDPOINT, json=payload, headers=headers)
+        response = requests.post(METRICS_ENDPOINT, json=payload, headers=headers, timeout=REQUESTS_TIMEOUT)
         logger.info(f"Response from metrics endpoint: {response.status_code} {response.reason}")
         if "stackTrace" in response.text:
             logger.exception("Error submitting usage data: %s" % response.text)

diff --git a/...k/aws_lambda/cfn_custom_resources/solutions_metrics/src/custom_resources/requirements.txt b/...k/aws_lambda/cfn_custom_resources/solutions_metrics/src/custom_resources/requirements.txt
@@ -1,2 +1,2 @@
-requests==2.28.1
+requests==2.31.0
 crhelper==2.0.11
diff --git a/...k/aws_solutions/cdk/aws_lambda/layers/aws_lambda_powertools/requirements/requirements.txt b/...k/aws_solutions/cdk/aws_lambda/layers/aws_lambda_powertools/requirements/requirements.txt
@@ -1,2 +1,2 @@
-aws-lambda-powertools==2.14.0
+aws-lambda-powertools==2.15.0
 aws-xray-sdk==2.12.0
diff --git a/source/cdk_solution_helper_py/helpers_cdk/setup.py b/source/cdk_solution_helper_py/helpers_cdk/setup.py
@@ -53,7 +53,7 @@ def get_version():
         "aws_cdk_lib==2.75.0",
         "Click==8.1.3",
         "boto3==1.26.47",
-        "requests==2.28.1",
+        "requests==2.31.0",
         "crhelper==2.0.11",
     ],
     entry_points="""

diff --git a/source/cdk_solution_helper_py/requirements-dev.txt b/source/cdk_solution_helper_py/requirements-dev.txt
@@ -2,7 +2,7 @@ aws_cdk_lib==2.75.0
 aws-cdk.aws-servicecatalogappregistry-alpha==2.75.0a0
 black
 boto3==1.26.47
-requests==2.28.1
+requests==2.31.0
 crhelper==2.0.11
 Click
 moto

diff --git a/source/infrastructure/cdk.json b/source/infrastructure/cdk.json
@@ -3,7 +3,7 @@
   "context": {
     "SOLUTION_NAME": "Maintaining Personalized Experiences with Machine Learning",
     "SOLUTION_ID": "SO0170",
-    "SOLUTION_VERSION": "v1.4.1",
+    "SOLUTION_VERSION": "v1.4.2",
     "APP_REGISTRY_NAME": "personalized-experiences-ML",
     "APPLICATION_TYPE": "AWS-Solutions",
     "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true

diff --git a/source/requirements-dev.txt b/source/requirements-dev.txt
@@ -4,7 +4,7 @@ boto3==1.26.47
 aws_cdk_lib==2.75.0
 aws_solutions_constructs.aws_lambda_sns==2.38.0
 aws-cdk.aws-servicecatalogappregistry-alpha==2.75.0a0
-requests==2.28.1
+requests==2.31.0
 crhelper==2.0.11
 cronex==0.1.3.1
 moto==2.3.0

diff --git a/source/scheduler/common/setup.py b/source/scheduler/common/setup.py
@@ -43,13 +43,13 @@ def get_version():
     packages=setuptools.find_namespace_packages(exclude=["build*"]),
     install_requires=[
         "pip>=22.3.1",
-        "aws-lambda-powertools==2.14.0",
+        "aws-lambda-powertools==2.15.0",
         "aws-xray-sdk==2.12.0",
         "aws-solutions-python==2.0.0",
         "click==8.1.3",
         "cronex==0.1.3.1",
         "boto3==1.26.47",
-        "requests==2.28.1",
+        "requests==2.31.0",
         "crhelper==2.0.11",
         "rich==12.6.0",
     ],

diff --git a/source/tests/aspects/test_personalize_app_stack.py b/source/tests/aspects/test_personalize_app_stack.py
@@ -67,11 +67,11 @@ def test_service_catalog_registry_application(synth_template):
             "Tags": {
                 "SOLUTION_ID": "SO0170",
                 "SOLUTION_NAME": "Maintaining Personalized Experiences with Machine Learning",
-                "SOLUTION_VERSION": "v1.4.1",
+                "SOLUTION_VERSION": "v1.4.2",
                 "Solutions:ApplicationType": "AWS-Solutions",
                 "Solutions:SolutionID": "SO0170",
                 "Solutions:SolutionName": "Maintaining Personalized Experiences with Machine Learning",
-                "Solutions:SolutionVersion": "v1.4.1",
+                "Solutions:SolutionVersion": "v1.4.2",
             },
         },
     )