Introduce Official Bandit Images #1088
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Folks are using various bandit images kindly built by others, but we should really start providing one of our that builds directly from source (the others use pip install). Should a different container image be subjected to some sort of attack (maintainer take over), this could lead to some serious problems for those using Bandit. This PR includes an action to build, publish and sign the image using sigstore cosign. This way (should they wish) users can verify the source of origin for these images were the offcial repo. You can see an example of this below, where I tested the action in my own test fork (bandit-test): https://search.sigstore.dev/?logIndex=61918446 Signed-off-by: Luke Hinds <luke@stacklok.com>
Signed-off-by: Luke Hinds <luke@stacklok.com>
sigmavirus24
reviewed
Jan 7, 2024
README.rst
Outdated
Comment on lines
109
to
113
| * 3.8 (py38-amd64) | ||
| * 3.9 (py39-amd64) | ||
| * 3.10 (py310-amd64) | ||
| * 3.11 (py311-amd64) | ||
| * 3.12 (py312-amd64) |
There was a problem hiding this comment.
tl;dr:
- We should list supported versions without tag names or with both tag names
- I would prefer we provide one version of Python (until we have an overwhelming demand for more versions) and it only be latest 3.12
- I think we need a way to manually rebuild an image with the latest version of the base image to ensure security vulnerabilities are updated/patched in the image. So we'd need something like
<bandit-version>-<image-version-starting-at-0-or-1>-py<ver>-<arch>for best effort of providing a secure image to users
Above we say arm64 and amd64 but here we're only listing the x86 versions.
Further, why do we want to do this for all the different versions of Python? That seems... unnecessary. I know the AST, standard-library, etc. are all different across things but the AST isn't so radically backwards incompatible that only providing an image against 3.12 would be bad.
Finally, my last concern here is that by having this many images, imagine the scenario where someone discloses a CPython vulnerability that affects everything before 3.12.(latest). If we genuinely care about what we're providing, we should be able to republish against the latest versions of the alpine images with patched CPython, but I don't think we have a good way of doing that today with this setup.
There was a problem hiding this comment.
I am good with just providing 3.12
How about I remove everything save 3.12 as amd64 / arm64 arch builds?
There was a problem hiding this comment.
I agree, just py3.12 is a nice choice. As for architectures, we never had to be concerned with it before, but now would need to with the base image. I guess now we might be excluding other architectures (https://wiki.alpinelinux.org/wiki/Architecture). That's probably okay, but who knows, there might be users on PPC64.
There was a problem hiding this comment.
There are very few people on ppc64 for the usecase we're carrying about here (CI/CD that relies primarily on container images). The ppc64 people are also usually very hostile (and have harassed people out of the python community) so I'm not inclined to support them anyway.
ericwb
reviewed
Jan 7, 2024
README.rst
Outdated
Comment on lines
109
to
113
| * 3.8 (py38-amd64) | ||
| * 3.9 (py39-amd64) | ||
| * 3.10 (py310-amd64) | ||
| * 3.11 (py311-amd64) | ||
| * 3.12 (py312-amd64) |
There was a problem hiding this comment.
I agree, just py3.12 is a nice choice. As for architectures, we never had to be concerned with it before, but now would need to with the base image. I guess now we might be excluding other architectures (https://wiki.alpinelinux.org/wiki/Architecture). That's probably okay, but who knows, there might be users on PPC64.
|
Thanks for the review points @sigmavirus24 / @ericwb I will round everything up in a commit tomorrow. |
|
FYI, I believe this PR also satisfies #697 |
Signed-off-by: Luke Hinds <luke@stacklok.com>
Signed-off-by: Luke Hinds <luke@stacklok.com>
|
Round up on: 9e97dd2
I also had a brain fart and pushed changes over two commits, so 475408c covers the above as well. |
sigmavirus24
reviewed
Jan 8, 2024
| push: true | ||
| tags: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }} | ||
| platforms: linux/${{ matrix.architecture }} | ||
| tags: ghcr.io/${{ github.repository }}/bandit:latest |
There was a problem hiding this comment.
We can specify a list here, do we want to try to do that?
For example, we could do use the current date too so that we're tagging both latest and the current date, e.g., 2024-01-08 to help with folks wanting stable-ish tags.
There was a problem hiding this comment.
I also don't see us including the version of Bandit here but maybe that's because we are using the same action on a schedule and for releases?
There was a problem hiding this comment.
Oh, also, if we're doing this on a schedule like this, does that mean we're publishing the head of main every week? Do we want to ensure we're only publishing the last released version with the new image?
There was a problem hiding this comment.
That is actually a very good point, with a schedule we end up pushing main and not a release (I am not at my best this morning!). Let me dwell on if there is a better method for this (I am not sure there is) unless we get into trying to predict what the last release was
There was a problem hiding this comment.
I also thought it best to not use bandit releases, latest should always be usable.
There was a problem hiding this comment.
I wonder, also if we want to add labels here to the image, e.g., git_commit=... and version=... and maybe org.pycqa.bandit.version=... equivalents?
If we're running a schedule, could we find the latest tag, check that out and rebuild? I assume the scheduled rebuild is to address vulnerabilities in the base image like I raised as a concern?
There was a problem hiding this comment.
Getting back on to this , apologies for the haitus.
If we're running a schedule, could we find the latest tag, check that out and rebuild? I assume the scheduled rebuild is to address vulnerabilities in the base image like I raised as a concern?
Yes, this rebuild the entire image every sunday at midnight. This covers off any CVEs in the base image that have collected since our last release.
I am going to push another commit now with a workflow_dispatch. this will allow us to manually start the action if anything particular comes out nasty between the scheduled runs.
sigmavirus24
reviewed
Jan 8, 2024
sigmavirus24
reviewed
Jan 8, 2024
Signed-off-by: Luke Hinds <luke@stacklok.com>
Signed-off-by: Luke Hinds <luke@stacklok.com>
Signed-off-by: Luke Hinds <luke@stacklok.com>
|
Start a new comment thread for 50ce0c9 👁️ @sigmavirus24 / @ericwb This now has the following logic.
This way someone users can always take I recommend for anyone who wants to stick to a certain version, they pin to the container digest. 
|
Closed
| run: | | ||
| TAG=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name) | ||
| echo "Latest tag is $TAG" | ||
| echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV |
There was a problem hiding this comment.
I've never seen this construct before, is it possible that GITHUB_ENV does not have a terminating \n in it? Is that potentially something someone could exploit to publish unreleased code?
There was a problem hiding this comment.
It's a pretty standard approach for setting key values in actions:
https://github.com/lukehinds/testrepo/actions/runs/7612691776/job/20730842060
https://github.com/lukehinds/testrepo/blob/main/.github/workflows/test-termination.yml
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Log in to GitHub Container Registry | ||
| uses: docker/login-action@v3 |
There was a problem hiding this comment.
Can we use hashes here? I believe the OSSF score card prefers those and dependabot will still properly send updates for them.
There was a problem hiding this comment.
Sure, I will pass https://github.com/stacklok/frizbee against this
I was planning on introducing https://github.com/stacklok/minder at some point too, but we can discuss that on discord. With minder, we replace tags with digests as a remediation step.
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }} |
There was a problem hiding this comment.
I wonder if after this we should set something up for adding to the docker image as a label. But we can probably do that as a fast follow to this change
| jobs: | ||
| build-and-publish: | ||
| runs-on: ubuntu-latest | ||
| permissions: |
There was a problem hiding this comment.
Do we also want to do this in a specific environment for the project to make it harder for untrusted folks to publish? https://github.com/urllib3/urllib3/blob/8beb3502cf6c945485174d96d90f2f5e5929bcbd/.github/workflows/publish.yml#L15-L16 I believe urllib3 has it such that only a handful of the core maintainers can actually publish a release. I need to see if I can find Seth's blog post on the benefits
There was a problem hiding this comment.
Sounds good
Could we take this as a follow up?
sigmavirus24
approved these changes
Jan 22, 2024
|
OK to merge @ericwb ? |
coilysiren
referenced
this pull request
in HHS/simpler-grants-gov
Feb 26, 2024
[](https://renovatebot.com)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [SQLAlchemy](https://www.sqlalchemy.org)
([changelog](https://docs.sqlalchemy.org/en/latest/changelog/)) |
`2.0.25` -> `2.0.27` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [bandit](https://bandit.readthedocs.io/)
([source](https://togithub.com/PyCQA/bandit),
[changelog](https://togithub.com/PyCQA/bandit/releases)) | `1.7.6` ->
`1.7.7` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [boto3](https://togithub.com/boto/boto3) | `1.34.23` -> `1.34.50` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [botocore](https://togithub.com/boto/botocore) | `1.34.23` ->
`1.34.50` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [coverage](https://togithub.com/nedbat/coveragepy) | `7.4.0` ->
`7.4.3` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [marshmallow](https://togithub.com/marshmallow-code/marshmallow)
([changelog](https://marshmallow.readthedocs.io/en/latest/changelog.html))
| `3.20.2` -> `3.21.0` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [moto](https://togithub.com/getmoto/moto)
([changelog](https://togithub.com/getmoto/moto/blob/master/CHANGELOG.md))
| `4.2.13` -> `4.2.14` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [psycopg](https://psycopg.org/psycopg3/)
([source](https://togithub.com/psycopg/psycopg),
[changelog](https://psycopg.org/psycopg3/docs/news.html)) | `3.1.17` ->
`3.1.18` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [pydantic](https://togithub.com/pydantic/pydantic)
([changelog](https://docs.pydantic.dev/latest/changelog/)) | `2.5.3` ->
`2.6.2` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [pydantic-settings](https://togithub.com/pydantic/pydantic-settings)
([changelog](https://togithub.com/pydantic/pydantic-settings/releases))
| `2.1.0` -> `2.2.1` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
| [python-dotenv](https://togithub.com/theskumar/python-dotenv) |
`1.0.0` -> `1.0.1` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
---
### Release Notes
<details>
<summary>PyCQA/bandit (bandit)</summary>
### [`v1.7.7`](https://togithub.com/PyCQA/bandit/releases/tag/1.7.7)
[Compare
Source](https://togithub.com/PyCQA/bandit/compare/1.7.6...1.7.7)
#### What's Changed
- Add the new release to bandit versions of bug template by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1075](https://togithub.com/PyCQA/bandit/pull/1075)
- Bump actions/setup-python from 4 to 5 by
[@​dependabot](https://togithub.com/dependabot) in
[https://github.com/PyCQA/bandit/pull/1076](https://togithub.com/PyCQA/bandit/pull/1076)
- Handle variant in how policy is passed in paramiko by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1078](https://togithub.com/PyCQA/bandit/pull/1078)
- Flag str.replace as possible sql injection by
[@​costaparas](https://togithub.com/costaparas) in
[https://github.com/PyCQA/bandit/pull/1044](https://togithub.com/PyCQA/bandit/pull/1044)
- defusedxml: Show correct module name by
[@​kajinamit](https://togithub.com/kajinamit) in
[https://github.com/PyCQA/bandit/pull/1081](https://togithub.com/PyCQA/bandit/pull/1081)
- Add tidelift to the sponsor funding list by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1089](https://togithub.com/PyCQA/bandit/pull/1089)
- Create a security policy by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1091](https://togithub.com/PyCQA/bandit/pull/1091)
- Fix up issues found running Bandit on itself by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1093](https://togithub.com/PyCQA/bandit/pull/1093)
- Add random.randbytes to blacklist calls by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1096](https://togithub.com/PyCQA/bandit/pull/1096)
- Prepend ./ for files specified as CLI args by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1094](https://togithub.com/PyCQA/bandit/pull/1094)
- Rework GitPython dependency to be an extra for bandit-baseline by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1099](https://togithub.com/PyCQA/bandit/pull/1099)
- Bump actions/dependency-review-action from 3 to 4 by
[@​dependabot](https://togithub.com/dependabot) in
[https://github.com/PyCQA/bandit/pull/1101](https://togithub.com/PyCQA/bandit/pull/1101)
- Introduce Official Bandit Images by
[@​lukehinds](https://togithub.com/lukehinds) in
[https://github.com/PyCQA/bandit/pull/1088](https://togithub.com/PyCQA/bandit/pull/1088)
- Remove markdown formatting in reStructuredText formatted README by
[@​ericwb](https://togithub.com/ericwb) in
[https://github.com/PyCQA/bandit/pull/1103](https://togithub.com/PyCQA/bandit/pull/1103)
- Downsize the org:repo name by
[@​lukehinds](https://togithub.com/lukehinds) in
[https://github.com/PyCQA/bandit/pull/1104](https://togithub.com/PyCQA/bandit/pull/1104)
#### New Contributors
- [@​kajinamit](https://togithub.com/kajinamit) made their first
contribution in
[https://github.com/PyCQA/bandit/pull/1081](https://togithub.com/PyCQA/bandit/pull/1081)
**Full Changelog**:
https://github.com/PyCQA/bandit/compare/1.7.6...1.7.7
</details>
<details>
<summary>boto/boto3 (boto3)</summary>
###
[`v1.34.50`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13450)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.49...1.34.50)
\=======
- api-change:`apigateway`: \[`botocore`] Documentation updates for
Amazon API Gateway.
- api-change:`drs`: \[`botocore`] Added volume status to
DescribeSourceServer replicated volumes.
- api-change:`kafkaconnect`: \[`botocore`] Adds support for tagging,
with new TagResource, UntagResource and ListTagsForResource APIs to
manage tags and updates to existing APIs to allow tag on create. This
release also adds support for the new DeleteWorkerConfiguration API.
- api-change:`rds`: \[`botocore`] This release adds support for gp3 data
volumes for Multi-AZ DB Clusters.
###
[`v1.34.49`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13449)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.48...1.34.49)
\=======
- api-change:`appsync`: \[`botocore`] Documentation only updates for
AppSync
- api-change:`qldb`: \[`botocore`] Clarify possible values for KmsKeyArn
and EncryptionDescription.
- api-change:`rds`: \[`botocore`] Add pattern and length based
validations for DBShardGroupIdentifier
- api-change:`rum`: \[`botocore`] Doc-only update for new RUM metrics
that were added
###
[`v1.34.48`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13448)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.47...1.34.48)
\=======
- api-change:`internetmonitor`: \[`botocore`] This release adds IPv4
prefixes to health events
- api-change:`kinesisvideo`: \[`botocore`] Increasing NextToken
parameter length restriction for List APIs from 512 to 1024.
###
[`v1.34.47`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13447)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.46...1.34.47)
\=======
- api-change:`iotevents`: \[`botocore`] Increase the maximum length of
descriptions for Inputs, Detector Models, and Alarm Models
- api-change:`lookoutequipment`: \[`botocore`] This release adds a field
exposing model quality to read APIs for models. It also adds a model
quality field to the API response when creating an inference scheduler.
- api-change:`medialive`: \[`botocore`] MediaLive now supports the
ability to restart pipelines in a running channel.
- api-change:`ssm`: \[`botocore`] This release adds support for sharing
Systems Manager parameters with other AWS accounts.
###
[`v1.34.46`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13446)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.45...1.34.46)
\=======
- api-change:`dynamodb`: \[`botocore`] Publishing quick fix for doc only
update.
- api-change:`firehose`: \[`botocore`] This release updates a few
Firehose related APIs.
- api-change:`lambda`: \[`botocore`] Add .NET 8 (dotnet8) Runtime
support to AWS Lambda.
###
[`v1.34.45`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13445)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.44...1.34.45)
\=======
- api-change:`amplify`: \[`botocore`] This release contains API changes
that enable users to configure their Amplify domains with their own
custom SSL/TLS certificate.
- api-change:`chatbot`: \[`botocore`] This release adds support for AWS
Chatbot. You can now monitor, operate, and troubleshoot your AWS
resources with interactive ChatOps using the AWS SDK.
- api-change:`config`: \[`botocore`] Documentation updates for the AWS
Config CLI
- api-change:`ivs`: \[`botocore`] Changed description for latencyMode in
Create/UpdateChannel and Channel/ChannelSummary.
- api-change:`keyspaces`: \[`botocore`] Documentation updates for Amazon
Keyspaces
- api-change:`mediatailor`: \[`botocore`] MediaTailor: marking
#AdBreak.OffsetMillis as required.
###
[`v1.34.44`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13444)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.43...1.34.44)
\=======
- api-change:`connectparticipant`: \[`botocore`] Doc only update to
GetTranscript API reference guide to inform users about presence of
events in the chat transcript.
- api-change:`emr`: \[`botocore`] adds fine grained control over
Unhealthy Node Replacement to Amazon ElasticMapReduce
- api-change:`firehose`: \[`botocore`] This release adds support for
Data Message Extraction for decompressed CloudWatch logs, and to use a
custom file extension or time zone for S3 destinations.
- api-change:`lambda`: \[`botocore`] Documentation-only updates for
Lambda to clarify a number of existing actions and properties.
- api-change:`rds`: \[`botocore`] Doc only update for a valid option in
DB parameter group
- api-change:`sns`: \[`botocore`] This release marks phone numbers as
sensitive inputs.
###
[`v1.34.43`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13443)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.42...1.34.43)
\=======
- api-change:`artifact`: \[`botocore`] This is the initial SDK release
for AWS Artifact. AWS Artifact provides on-demand access to compliance
and third-party compliance reports. This release includes access to List
and Get reports, along with their metadata. This release also includes
access to AWS Artifact notifications settings.
- api-change:`codepipeline`: \[`botocore`] Add ability to override
timeout on action level.
- api-change:`detective`: \[`botocore`] Doc only updates for content
enhancement
- api-change:`guardduty`: \[`botocore`] Marked fields IpAddressV4,
PrivateIpAddress, Email as Sensitive.
- api-change:`healthlake`: \[`botocore`] This release adds a new
response parameter, JobProgressReport, to the DescribeFHIRImportJob and
ListFHIRImportJobs API operation. JobProgressReport provides details on
the progress of the import job on the server.
- api-change:`opensearch`: \[`botocore`] Adds additional supported
instance types.
- api-change:`polly`: \[`botocore`] Amazon Polly adds 1 new voice -
Burcu (tr-TR)
- api-change:`sagemaker`: \[`botocore`] This release adds a new API
UpdateClusterSoftware for SageMaker HyperPod. This API allows users to
patch HyperPod clusters with latest platform softwares.
- api-change:`secretsmanager`: \[`botocore`] Doc only update for Secrets
Manager
- api-change:`endpoint-rules`: \[`botocore`] Update endpoint-rules
client to latest version
###
[`v1.34.42`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13442)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.41...1.34.42)
\=======
- api-change:`controltower`: \[`botocore`] Adds support for new Baseline
and EnabledBaseline APIs for automating multi-account governance.
- api-change:`lookoutequipment`: \[`botocore`] This feature allows
customers to see pointwise model diagnostics results for their models.
- api-change:`qbusiness`: \[`botocore`] This release adds the
metadata-boosting feature, which allows customers to easily fine-tune
the underlying ranking of retrieved RAG passages in order to optimize
Q\&A answer relevance. It also adds new feedback reasons for the
PutFeedback API.
###
[`v1.34.41`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13441)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.40...1.34.41)
\=======
- bugfix:ContainerProvider: \[`botocore`] Properly refreshes token from
file from EKS in ContainerProvider
- api-change:`lightsail`: \[`botocore`] This release adds support to
upgrade the major version of a database.
- api-change:`marketplace-catalog`: \[`botocore`] AWS Marketplace
Catalog API now supports setting intent on requests
- api-change:`resource-explorer-2`: \[`botocore`] Resource Explorer now
uses newly supported IPv4 'amazonaws.com' endpoints by default.
- api-change:`securitylake`: \[`botocore`] Documentation updates for
Security Lake
- api-change:`endpoint-rules`: \[`botocore`] Update endpoint-rules
client to latest version
###
[`v1.34.40`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13440)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.39...1.34.40)
\=======
- api-change:`appsync`: \[`botocore`] Adds support for new options on
GraphqlAPIs, Resolvers and Data Sources for emitting Amazon CloudWatch
metrics for enhanced monitoring of AppSync APIs.
- api-change:`cloudwatch`: \[`botocore`] Update cloudwatch client to
latest version
- api-change:`neptune-graph`: \[`botocore`] Adding a new option
"parameters" for data plane api ExecuteQuery to support running
parameterized query via SDK.
- api-change:`route53domains`: \[`botocore`] This release adds bill
contact support for RegisterDomain, TransferDomain, UpdateDomainContact
and GetDomainDetail API.
###
[`v1.34.39`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13439)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.38...1.34.39)
\=======
- api-change:`amp`: \[`botocore`] Overall documentation updates.
- api-change:`batch`: \[`botocore`] This feature allows Batch to support
configuration of repository credentials for jobs running on ECS
- api-change:`braket`: \[`botocore`] Creating a job will result in
DeviceOfflineException when using an offline device, and
DeviceRetiredException when using a retired device.
- api-change:`cost-optimization-hub`: \[`botocore`] Adding
includeMemberAccounts field to the response of ListEnrollmentStatuses
API.
- api-change:`ecs`: \[`botocore`] Documentation only update for Amazon
ECS.
- api-change:`iot`: \[`botocore`] This release allows AWS IoT Core users
to enable Online Certificate Status Protocol (OCSP) Stapling for TLS
X.509 Server Certificates when creating and updating AWS IoT Domain
Configurations with Custom Domain.
- api-change:`pricing`: \[`botocore`] Add Throttling Exception to all
APIs.
###
[`v1.34.38`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13438)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.37...1.34.38)
\=======
- api-change:`codepipeline`: \[`botocore`] Add ability to execute
pipelines with new parallel & queued execution modes and add support for
triggers with filtering on branches and file paths.
- api-change:`quicksight`: \[`botocore`] General Interactions for
Visuals; Waterfall Chart Color Configuration; Documentation Update
- api-change:`workspaces`: \[`botocore`] This release introduces
User-Decoupling feature. This feature allows Workspaces Core customers
to provision workspaces without providing users. CreateWorkspaces and
DescribeWorkspaces APIs will now take a new optional parameter
"WorkspaceName".
###
[`v1.34.37`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13437)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.36...1.34.37)
\=======
- api-change:`datasync`: \[`botocore`] AWS DataSync now supports
manifests for specifying files or objects to transfer.
- api-change:`lexv2-models`: \[`botocore`] Update lexv2-models client to
latest version
- api-change:`redshift`: \[`botocore`] LisRecommendations API to fetch
Amazon Redshift Advisor recommendations.
###
[`v1.34.36`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13436)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.35...1.34.36)
\=======
- api-change:`appsync`: \[`botocore`] Support for environment variables
in AppSync GraphQL APIs
- api-change:`ecs`: \[`botocore`] This release is a documentation only
update to address customer issues.
- api-change:`es`: \[`botocore`] This release adds clear visibility to
the customers on the changes that they make on the domain.
- api-change:`logs`: \[`botocore`] This release adds a new field,
logGroupArn, to the response of the logs:DescribeLogGroups action.
- api-change:`opensearch`: \[`botocore`] This release adds clear
visibility to the customers on the changes that they make on the domain.
- api-change:`wafv2`: \[`botocore`] You can now delete an API key that
you've created for use with your CAPTCHA JavaScript integration API.
###
[`v1.34.35`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13435)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.34...1.34.35)
\=======
- api-change:`glue`: \[`botocore`] Introduce Catalog Encryption Role
within Glue Data Catalog Settings. Introduce SASL/PLAIN as an
authentication method for Glue Kafka connections
- api-change:`workspaces`: \[`botocore`] Added definitions of various
WorkSpace states
###
[`v1.34.34`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13434)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.33...1.34.34)
\=======
- api-change:`dynamodb`: \[`botocore`] Any number of users can execute
up to 50 concurrent restores (any type of restore) in a given account.
- api-change:`sagemaker`: \[`botocore`] Amazon SageMaker Canvas adds
GenerativeAiSettings support for CanvasAppSettings.
- api-change:`endpoint-rules`: \[`botocore`] Update endpoint-rules
client to latest version
###
[`v1.34.33`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13433)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.32...1.34.33)
\=======
- api-change:`cognito-idp`: \[`botocore`] Added CreateIdentityProvider
and UpdateIdentityProvider details for new SAML IdP features
- api-change:`ivs`: \[`botocore`] This release introduces a new resource
Playback Restriction Policy which can be used to geo-restrict or
domain-restrict channel stream playback when associated with a channel.
New APIs to support this resource were introduced in the form of
Create/Delete/Get/Update/List.
- api-change:`managedblockchain-query`: \[`botocore`] This release adds
support for transactions that have not reached finality. It also removes
support for the status property from the response of the GetTransaction
operation. You can use the confirmationStatus and executionStatus
properties to determine the status of the transaction.
- api-change:`mediaconvert`: \[`botocore`] This release includes support
for broadcast-mixed audio description tracks.
- api-change:`neptune-graph`: \[`botocore`] Adding new APIs in SDK for
Amazon Neptune Analytics. These APIs include operations to execute,
cancel, list queries and get the graph summary.
###
[`v1.34.32`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13432)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.31...1.34.32)
\=======
- api-change:`cloudformation`: \[`botocore`] CloudFormation IaC
generator allows you to scan existing resources in your account and
select resources to generate a template for a new or existing
CloudFormation stack.
- api-change:`elbv2`: \[`botocore`] Update elbv2 client to latest
version
- api-change:`glue`: \[`botocore`] Update page size limits for
GetJobRuns and GetTriggers APIs.
- api-change:`ssm`: \[`botocore`] This release adds an optional Duration
parameter to StateManager Associations. This allows customers to specify
how long an apply-only-on-cron association execution should run. Once
the specified Duration is out all the ongoing cancellable commands or
automations are cancelled.
###
[`v1.34.31`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13431)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.30...1.34.31)
\=======
- api-change:`datazone`: \[`botocore`] Add new skipDeletionCheck to
DeleteDomain. Add new skipDeletionCheck to DeleteProject which also
automatically deletes dependent objects
- api-change:`route53`: \[`botocore`] Update the SDKs for text changes
in the APIs.
###
[`v1.34.30`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13430)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.29...1.34.30)
\=======
- api-change:`autoscaling`: \[`botocore`] EC2 Auto Scaling customers who
use attribute based instance-type selection can now intuitively define
their Spot instances price protection limit as a percentage of the
lowest priced On-Demand instance type.
- api-change:`comprehend`: \[`botocore`] Comprehend PII analysis now
supports Spanish input documents.
- api-change:`ec2`: \[`botocore`] EC2 Fleet customers who use attribute
based instance-type selection can now intuitively define their Spot
instances price protection limit as a percentage of the lowest priced
On-Demand instance type.
- api-change:`mwaa`: \[`botocore`] This release adds MAINTENANCE
environment status for Amazon MWAA environments.
- api-change:`rds`: \[`botocore`] Introduced support for the
InsufficientDBInstanceCapacityFault error in the RDS
RestoreDBClusterFromSnapshot and RestoreDBClusterToPointInTime API
methods. This provides enhanced error handling, ensuring a more robust
experience.
- api-change:`snowball`: \[`botocore`] Modified description of
createaddress to include direction to add path when providing a JSON
file.
###
[`v1.34.29`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13429)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.28...1.34.29)
\=======
- api-change:`connect`: \[`botocore`] Update list and string length
limits for predefined attributes.
- api-change:`inspector2`: \[`botocore`] This release adds ECR container
image scanning based on their lastRecordedPullTime.
- api-change:`sagemaker`: \[`botocore`] Amazon SageMaker Automatic Model
Tuning now provides an API to programmatically delete tuning jobs.
###
[`v1.34.28`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13428)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.27...1.34.28)
\=======
- api-change:`acm-pca`: \[`botocore`] AWS Private CA now supports an
option to omit the CDP extension from issued certificates, when CRL
revocation is enabled.
- api-change:`lightsail`: \[`botocore`] This release adds support for
IPv6-only instance plans.
###
[`v1.34.27`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13427)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.26...1.34.27)
\=======
- api-change:`ec2`: \[`botocore`] Introduced a new clientToken request
parameter on CreateNetworkAcl and CreateRouteTable APIs. The clientToken
parameter allows idempotent operations on the APIs.
- api-change:`ecs`: \[`botocore`] Documentation updates for Amazon ECS.
- api-change:`outposts`: \[`botocore`] DeviceSerialNumber parameter is
now optional in StartConnection API
- api-change:`rds`: \[`botocore`] This release adds support for Aurora
Limitless Database.
- api-change:`storagegateway`: \[`botocore`] Add DeprecationDate and
SoftwareVersion to response of ListGateways.
###
[`v1.34.26`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13426)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.25...1.34.26)
\=======
- api-change:`inspector2`: \[`botocore`] This release adds support for
CIS scans on EC2 instances.
###
[`v1.34.25`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13425)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.24...1.34.25)
\=======
- enhancement:documentation: \[`botocore`] Updates the GitHub issue
creation link in our README
###
[`v1.34.24`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13424)
[Compare
Source](https://togithub.com/boto/boto3/compare/1.34.23...1.34.24)
\=======
- api-change:`appconfigdata`: \[`botocore`] Fix FIPS Endpoints in
aws-us-gov.
- api-change:`cloud9`: \[`botocore`] Doc-only update around removing AL1
from list of available AMIs for Cloud9
- api-change:`cloudfront-keyvaluestore`: \[`botocore`] This release
improves upon the DescribeKeyValueStore API by returning two additional
fields, Status of the KeyValueStore and the FailureReason in case of
failures during creation of KeyValueStore.
- api-change:`connectcases`: \[`botocore`] This release adds the ability
to view audit history on a case and introduces a new parameter,
performedBy, for CreateCase and UpdateCase API's.
- api-change:`ec2`: \[`botocore`] Documentation updates for Amazon EC2.
- api-change:`ecs`: \[`botocore`] This release adds support for
Transport Layer Security (TLS) and Configurable Timeout to ECS Service
Connect. TLS facilitates privacy and data security for inter-service
communications, while Configurable Timeout allows customized per-request
timeout and idle timeout for Service Connect services.
- api-change:`finspace`: \[`botocore`] Allow customer to set zip default
through command line arguments.
- api-change:`organizations`: \[`botocore`] Doc only update for quota
increase change
- api-change:`rds`: \[`botocore`] Introduced support for the
InsufficientDBInstanceCapacityFault error in the RDS CreateDBCluster API
method. This provides enhanced error handling, ensuring a more robust
experience when creating database clusters with insufficient instance
capacity.
- api-change:`endpoint-rules`: \[`botocore`] Update endpoint-rules
client to latest version
</details>
<details>
<summary>boto/botocore (botocore)</summary>
###
[`v1.34.50`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13450)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.49...1.34.50)
\=======
- api-change:`apigateway`: Documentation updates for Amazon API Gateway.
- api-change:`drs`: Added volume status to DescribeSourceServer
replicated volumes.
- api-change:`kafkaconnect`: Adds support for tagging, with new
TagResource, UntagResource and ListTagsForResource APIs to manage tags
and updates to existing APIs to allow tag on create. This release also
adds support for the new DeleteWorkerConfiguration API.
- api-change:`rds`: This release adds support for gp3 data volumes for
Multi-AZ DB Clusters.
###
[`v1.34.49`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13449)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.48...1.34.49)
\=======
- api-change:`appsync`: Documentation only updates for AppSync
- api-change:`qldb`: Clarify possible values for KmsKeyArn and
EncryptionDescription.
- api-change:`rds`: Add pattern and length based validations for
DBShardGroupIdentifier
- api-change:`rum`: Doc-only update for new RUM metrics that were added
###
[`v1.34.48`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13448)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.47...1.34.48)
\=======
- api-change:`internetmonitor`: This release adds IPv4 prefixes to
health events
- api-change:`kinesisvideo`: Increasing NextToken parameter length
restriction for List APIs from 512 to 1024.
###
[`v1.34.47`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13447)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.46...1.34.47)
\=======
- api-change:`iotevents`: Increase the maximum length of descriptions
for Inputs, Detector Models, and Alarm Models
- api-change:`lookoutequipment`: This release adds a field exposing
model quality to read APIs for models. It also adds a model quality
field to the API response when creating an inference scheduler.
- api-change:`medialive`: MediaLive now supports the ability to restart
pipelines in a running channel.
- api-change:`ssm`: This release adds support for sharing Systems
Manager parameters with other AWS accounts.
###
[`v1.34.46`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13446)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.45...1.34.46)
\=======
- api-change:`dynamodb`: Publishing quick fix for doc only update.
- api-change:`firehose`: This release updates a few Firehose related
APIs.
- api-change:`lambda`: Add .NET 8 (dotnet8) Runtime support to AWS
Lambda.
###
[`v1.34.45`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13445)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.44...1.34.45)
\=======
- api-change:`amplify`: This release contains API changes that enable
users to configure their Amplify domains with their own custom SSL/TLS
certificate.
- api-change:`chatbot`: This release adds support for AWS Chatbot. You
can now monitor, operate, and troubleshoot your AWS resources with
interactive ChatOps using the AWS SDK.
- api-change:`config`: Documentation updates for the AWS Config CLI
- api-change:`ivs`: Changed description for latencyMode in
Create/UpdateChannel and Channel/ChannelSummary.
- api-change:`keyspaces`: Documentation updates for Amazon Keyspaces
- api-change:`mediatailor`: MediaTailor: marking #AdBreak.OffsetMillis
as required.
###
[`v1.34.44`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13444)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.43...1.34.44)
\=======
- api-change:`connectparticipant`: Doc only update to GetTranscript API
reference guide to inform users about presence of events in the chat
transcript.
- api-change:`emr`: adds fine grained control over Unhealthy Node
Replacement to Amazon ElasticMapReduce
- api-change:`firehose`: This release adds support for Data Message
Extraction for decompressed CloudWatch logs, and to use a custom file
extension or time zone for S3 destinations.
- api-change:`lambda`: Documentation-only updates for Lambda to clarify
a number of existing actions and properties.
- api-change:`rds`: Doc only update for a valid option in DB parameter
group
- api-change:`sns`: This release marks phone numbers as sensitive
inputs.
###
[`v1.34.43`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13443)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.42...1.34.43)
\=======
- api-change:`artifact`: This is the initial SDK release for AWS
Artifact. AWS Artifact provides on-demand access to compliance and
third-party compliance reports. This release includes access to List and
Get reports, along with their metadata. This release also includes
access to AWS Artifact notifications settings.
- api-change:`codepipeline`: Add ability to override timeout on action
level.
- api-change:`detective`: Doc only updates for content enhancement
- api-change:`guardduty`: Marked fields IpAddressV4, PrivateIpAddress,
Email as Sensitive.
- api-change:`healthlake`: This release adds a new response parameter,
JobProgressReport, to the DescribeFHIRImportJob and ListFHIRImportJobs
API operation. JobProgressReport provides details on the progress of the
import job on the server.
- api-change:`opensearch`: Adds additional supported instance types.
- api-change:`polly`: Amazon Polly adds 1 new voice - Burcu (tr-TR)
- api-change:`sagemaker`: This release adds a new API
UpdateClusterSoftware for SageMaker HyperPod. This API allows users to
patch HyperPod clusters with latest platform softwares.
- api-change:`secretsmanager`: Doc only update for Secrets Manager
- api-change:`endpoint-rules`: Update endpoint-rules client to latest
version
###
[`v1.34.42`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13442)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.41...1.34.42)
\=======
- api-change:`controltower`: Adds support for new Baseline and
EnabledBaseline APIs for automating multi-account governance.
- api-change:`lookoutequipment`: This feature allows customers to see
pointwise model diagnostics results for their models.
- api-change:`qbusiness`: This release adds the metadata-boosting
feature, which allows customers to easily fine-tune the underlying
ranking of retrieved RAG passages in order to optimize Q\&A answer
relevance. It also adds new feedback reasons for the PutFeedback API.
###
[`v1.34.41`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13441)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.40...1.34.41)
\=======
- bugfix:ContainerProvider: Properly refreshes token from file from EKS
in ContainerProvider
- api-change:`lightsail`: This release adds support to upgrade the major
version of a database.
- api-change:`marketplace-catalog`: AWS Marketplace Catalog API now
supports setting intent on requests
- api-change:`resource-explorer-2`: Resource Explorer now uses newly
supported IPv4 'amazonaws.com' endpoints by default.
- api-change:`securitylake`: Documentation updates for Security Lake
- api-change:`endpoint-rules`: Update endpoint-rules client to latest
version
###
[`v1.34.40`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13440)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.39...1.34.40)
\=======
- api-change:`appsync`: Adds support for new options on GraphqlAPIs,
Resolvers and Data Sources for emitting Amazon CloudWatch metrics for
enhanced monitoring of AppSync APIs.
- api-change:`cloudwatch`: Update cloudwatch client to latest version
- api-change:`neptune-graph`: Adding a new option "parameters" for data
plane api ExecuteQuery to support running parameterized query via SDK.
- api-change:`route53domains`: This release adds bill contact support
for RegisterDomain, TransferDomain, UpdateDomainContact and
GetDomainDetail API.
###
[`v1.34.39`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13439)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.38...1.34.39)
\=======
- api-change:`amp`: Overall documentation updates.
- api-change:`batch`: This feature allows Batch to support configuration
of repository credentials for jobs running on ECS
- api-change:`braket`: Creating a job will result in
DeviceOfflineException when using an offline device, and
DeviceRetiredException when using a retired device.
- api-change:`cost-optimization-hub`: Adding includeMemberAccounts field
to the response of ListEnrollmentStatuses API.
- api-change:`ecs`: Documentation only update for Amazon ECS.
- api-change:`iot`: This release allows AWS IoT Core users to enable
Online Certificate Status Protocol (OCSP) Stapling for TLS X.509 Server
Certificates when creating and updating AWS IoT Domain Configurations
with Custom Domain.
- api-change:`pricing`: Add Throttling Exception to all APIs.
###
[`v1.34.38`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13438)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.37...1.34.38)
\=======
- api-change:`codepipeline`: Add ability to execute pipelines with new
parallel & queued execution modes and add support for triggers with
filtering on branches and file paths.
- api-change:`quicksight`: General Interactions for Visuals; Waterfall
Chart Color Configuration; Documentation Update
- api-change:`workspaces`: This release introduces User-Decoupling
feature. This feature allows Workspaces Core customers to provision
workspaces without providing users. CreateWorkspaces and
DescribeWorkspaces APIs will now take a new optional parameter
"WorkspaceName".
###
[`v1.34.37`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13437)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.36...1.34.37)
\=======
- api-change:`datasync`: AWS DataSync now supports manifests for
specifying files or objects to transfer.
- api-change:`lexv2-models`: Update lexv2-models client to latest
version
- api-change:`redshift`: LisRecommendations API to fetch Amazon Redshift
Advisor recommendations.
###
[`v1.34.36`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13436)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.35...1.34.36)
\=======
- api-change:`appsync`: Support for environment variables in AppSync
GraphQL APIs
- api-change:`ecs`: This release is a documentation only update to
address customer issues.
- api-change:`es`: This release adds clear visibility to the customers
on the changes that they make on the domain.
- api-change:`logs`: This release adds a new field, logGroupArn, to the
response of the logs:DescribeLogGroups action.
- api-change:`opensearch`: This release adds clear visibility to the
customers on the changes that they make on the domain.
- api-change:`wafv2`: You can now delete an API key that you've created
for use with your CAPTCHA JavaScript integration API.
###
[`v1.34.35`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13435)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.34...1.34.35)
\=======
- api-change:`glue`: Introduce Catalog Encryption Role within Glue Data
Catalog Settings. Introduce SASL/PLAIN as an authentication method for
Glue Kafka connections
- api-change:`workspaces`: Added definitions of various WorkSpace states
###
[`v1.34.34`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13434)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.33...1.34.34)
\=======
- api-change:`dynamodb`: Any number of users can execute up to 50
concurrent restores (any type of restore) in a given account.
- api-change:`sagemaker`: Amazon SageMaker Canvas adds
GenerativeAiSettings support for CanvasAppSettings.
- api-change:`endpoint-rules`: Update endpoint-rules client to latest
version
###
[`v1.34.33`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13433)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.32...1.34.33)
\=======
- api-change:`cognito-idp`: Added CreateIdentityProvider and
UpdateIdentityProvider details for new SAML IdP features
- api-change:`ivs`: This release introduces a new resource Playback
Restriction Policy which can be used to geo-restrict or domain-restrict
channel stream playback when associated with a channel. New APIs to
support this resource were introduced in the form of
Create/Delete/Get/Update/List.
- api-change:`managedblockchain-query`: This release adds support for
transactions that have not reached finality. It also removes support for
the status property from the response of the GetTransaction operation.
You can use the confirmationStatus and executionStatus properties to
determine the status of the transaction.
- api-change:`mediaconvert`: This release includes support for
broadcast-mixed audio description tracks.
- api-change:`neptune-graph`: Adding new APIs in SDK for Amazon Neptune
Analytics. These APIs include operations to execute, cancel, list
queries and get the graph summary.
###
[`v1.34.32`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13432)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.31...1.34.32)
\=======
- api-change:`cloudformation`: CloudFormation IaC generator allows you
to scan existing resources in your account and select resources to
generate a template for a new or existing CloudFormation stack.
- api-change:`elbv2`: Update elbv2 client to latest version
- api-change:`glue`: Update page size limits for GetJobRuns and
GetTriggers APIs.
- api-change:`ssm`: This release adds an optional Duration parameter to
StateManager Associations. This allows customers to specify how long an
apply-only-on-cron association execution should run. Once the specified
Duration is out all the ongoing cancellable commands or automations are
cancelled.
###
[`v1.34.31`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13431)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.30...1.34.31)
\=======
- api-change:`datazone`: Add new skipDeletionCheck to DeleteDomain. Add
new skipDeletionCheck to DeleteProject which also automatically deletes
dependent objects
- api-change:`route53`: Update the SDKs for text changes in the APIs.
###
[`v1.34.30`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13430)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.29...1.34.30)
\=======
- api-change:`autoscaling`: EC2 Auto Scaling customers who use attribute
based instance-type selection can now intuitively define their Spot
instances price protection limit as a percentage of the lowest priced
On-Demand instance type.
- api-change:`comprehend`: Comprehend PII analysis now supports Spanish
input documents.
- api-change:`ec2`: EC2 Fleet customers who use attribute based
instance-type selection can now intuitively define their Spot instances
price protection limit as a percentage of the lowest priced On-Demand
instance type.
- api-change:`mwaa`: This release adds MAINTENANCE environment status
for Amazon MWAA environments.
- api-change:`rds`: Introduced support for the
InsufficientDBInstanceCapacityFault error in the RDS
RestoreDBClusterFromSnapshot and RestoreDBClusterToPointInTime API
methods. This provides enhanced error handling, ensuring a more robust
experience.
- api-change:`snowball`: Modified description of createaddress to
include direction to add path when providing a JSON file.
###
[`v1.34.29`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13429)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.28...1.34.29)
\=======
- api-change:`connect`: Update list and string length limits for
predefined attributes.
- api-change:`inspector2`: This release adds ECR container image
scanning based on their lastRecordedPullTime.
- api-change:`sagemaker`: Amazon SageMaker Automatic Model Tuning now
provides an API to programmatically delete tuning jobs.
###
[`v1.34.28`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13428)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.27...1.34.28)
\=======
- api-change:`acm-pca`: AWS Private CA now supports an option to omit
the CDP extension from issued certificates, when CRL revocation is
enabled.
- api-change:`lightsail`: This release adds support for IPv6-only
instance plans.
###
[`v1.34.27`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13427)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.26...1.34.27)
\=======
- api-change:`ec2`: Introduced a new clientToken request parameter on
CreateNetworkAcl and CreateRouteTable APIs. The clientToken parameter
allows idempotent operations on the APIs.
- api-change:`ecs`: Documentation updates for Amazon ECS.
- api-change:`outposts`: DeviceSerialNumber parameter is now optional in
StartConnection API
- api-change:`rds`: This release adds support for Aurora Limitless
Database.
- api-change:`storagegateway`: Add DeprecationDate and SoftwareVersion
to response of ListGateways.
###
[`v1.34.26`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13426)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.25...1.34.26)
\=======
- api-change:`inspector2`: This release adds support for CIS scans on
EC2 instances.
###
[`v1.34.25`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13425)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.24...1.34.25)
\=======
- enhancement:documentation: Updates the GitHub issue creation link in
our README
###
[`v1.34.24`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13424)
[Compare
Source](https://togithub.com/boto/botocore/compare/1.34.23...1.34.24)
\=======
- api-change:`appconfigdata`: Fix FIPS Endpoints in aws-us-gov.
- api-change:`cloud9`: Doc-only update around removing AL1 from list of
available AMIs for Cloud9
- api-change:`cloudfront-keyvaluestore`: This release improves upon the
DescribeKeyValueStore API by returning two additional fields, Status of
the KeyValueStore and the FailureReason in case of failures during
creation of KeyValueStore.
- api-change:`connectcases`: This release adds the ability to view audit
history on a case and introduces a new parameter, performedBy, for
CreateCase and UpdateCase API's.
- api-change:`ec2`: Documentation updates for Amazon EC2.
- api-change:`ecs`: This release adds support for Transport Layer
Security (TLS) and Configurable Timeout to ECS Service Connect. TLS
facilitates privacy and data security for inter-service communications,
while Configurable Timeout allows customized per-request timeout and
idle timeout for Service Connect services.
- api-change:`finspace`: Allow customer to set zip default through
command line arguments.
- api-change:`organizations`: Doc only update for quota increase change
- api-change:`rds`: Introduced support for the
InsufficientDBInstanceCapacityFault error in the RDS CreateDBCluster API
method. This provides enhanced error handling, ensuring a more robust
experience when creating database clusters with insufficient instance
capacity.
- api-change:`endpoint-rules`: Update endpoint-rules client to latest
version
</details>
<details>
<summary>nedbat/coveragepy (coverage)</summary>
###
[`v7.4.3`](https://togithub.com/nedbat/coveragepy/blob/HEAD/CHANGES.rst#Version-743--2024-02-23)
[Compare
Source](https://togithub.com/nedbat/coveragepy/compare/7.4.2...7.4.3)
- Fix: in some cases, coverage could fail with a RuntimeError: "Set
changed
size during iteration." This is now fixed, closing `issue 1733`\_.
.. \_issue
1733:[https://github.com/nedbat/coveragepy/issues/1733](https://togithub.com/nedbat/coveragepy/issues/1733)3
.. \_changes\_7-4-2:
###
[`v7.4.2`](https://togithub.com/nedbat/coveragepy/blob/HEAD/CHANGES.rst#Version-742--2024-02-20)
[Compare
Source](https://togithub.com/nedbat/coveragepy/compare/7.4.1...7.4.2)
- Fix: setting `COVERAGE_CORE=sysmon` no longer errors on 3.11 and
lower,
thanks `Hugo van Kemenade <pull 1747_>`\_. It now issues a warning that
sys.monitoring is not available and falls back to the default core
instead.
.. \_pull
1747:[https://github.com/nedbat/coveragepy/pull/1747](https://togithub.com/nedbat/coveragepy/pull/1747)7
.. \_changes\_7-4-1:
###
[`v7.4.1`](https://togithub.com/nedbat/coveragepy/blob/HEAD/CHANGES.rst#Version-741--2024-01-26)
[Compare
Source](https://togithub.com/nedbat/coveragepy/compare/7.4.0...7.4.1)
- Python 3.13.0a3 is supported.
- Fix: the JSON report now includes an explicit format version number,
closing
`issue 1732`\_.
.. \_issue
1732:[https://github.com/nedbat/coveragepy/issues/1732](https://togithub.com/nedbat/coveragepy/issues/1732)2
.. \_changes\_7-4-0:
</details>
<details>
<summary>marshmallow-code/marshmallow (marshmallow)</summary>
###
[`v3.21.0`](https://togithub.com/marshmallow-code/marshmallow/compare/3.20.2...3.21.0)
[Compare
Source](https://togithub.com/marshmallow-code/marshmallow/compare/3.20.2...3.21.0)
</details>
<details>
<summary>getmoto/moto (moto)</summary>
###
[`v4.2.14`](https://togithub.com/getmoto/moto/blob/HEAD/CHANGELOG.md#4214)
[Compare
Source](https://togithub.com/getmoto/moto/compare/4.2.13...4.2.14)
Docker Digest for 4.2.14:
*sha256:2fa10aa48e32f85c63c62a7d437b8a4b320a56a8494bc25d45ced370bc159c23*
New Services:
* Backup:
* create_backup_plan()
* create_backup_vault()
* get_backup_plan()
* describe_backup_vault()
* delete_backup_plan()
* list_backup_plans()
* list_backup_vaults()
* list_tags()
* tag_resource()
* untag_resource()
New Methods:
* RDS:
* describe_db_cluster_snapshot_attributes()
* describe_db_snapshot_attributes()
* modify_db_cluster_snapshot_attribute()
* modify_db_snapshot_attribute()
* restore_db_instance_to_point_in_time()
* SageMaker:
* create_feature_group()
* SageMakerRuntime:
* invoke_endpoint_async()
Miscellaneous:
* Cognito: The ID-token now contains custom attributes
* DynamoDB: query() now returns the correct ScannedCount
* EC2: Security Group Rules now have tag support
* LakeFormation: grant_permissions() now has better support for known
principal-resource pairs
* SNS: set_subscription_attributes() can now unset the FilterPolicy
</details>
<details>
<summary>psycopg/psycopg (psycopg)</summary>
###
[`v3.1.18`](https://togithub.com/psycopg/psycopg/compare/3.1.17...3.1.18)
[Compare
Source](https://togithub.com/psycopg/psycopg/compare/3.1.17...3.1.18)
</details>
<details>
<summary>pydantic/pydantic (pydantic)</summary>
###
[`v2.6.2`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v262-2024-02-23)
[Compare
Source](https://togithub.com/pydantic/pydantic/compare/v2.6.1...v2.6.2)
[GitHub
release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.2)
##### What's Changed
##### Packaging
- Upgrade to `pydantic-core` 2.16.3 by
[@​sydney-runkle](https://togithub.com/sydney-runkle) in
[#​8879](https://togithub.com/pydantic/pydantic/pull/8879)
##### Fixes
- 'YYYY-MM-DD' date string coerced to datetime shouldn't infer timezone
by [@​sydney-runkle](https://togithub.com/sydney-runkle) in
[pydantic/pydantic-core#1193](https://togithub.com/pydantic/pydantic-core/pull/1193)
###
[`v2.6.1`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v261-2024-02-05)
[Compare
Source](https://togithub.com/pydantic/pydantic/compare/v2.6.0...v2.6.1)
[GitHub
release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.1)
##### What's Changed
##### Packaging
- Upgrade to `pydantic-core` 2.16.2 by
[@​sydney-runkle](https://togithub.com/sydney-runkle) in
[#​8717](https://togithub.com/pydantic/pydantic/pull/8717)
##### Fixes
- Fix bug with `mypy` plugin and `no_strict_optional = True` by
[@​dmontagu](https://togithub.com/dmontagu) in
[#​8666](https://togithub.com/pydantic/pydantic/pull/8666)
- Fix `ByteSize` error `type` change by
[@​sydney-runkle](https://togithub.com/sydney-runkle) in
[#​8681](https://togithub.com/pydantic/pydantic/pull/8681)
- Fix inheriting `Field` annotations in dataclasses by
[@​sydney-runkle](https://togithub.com/sydney-runkle) in
[#​8679](https://togithub.com/pydantic/pydantic/pull/8679)
- Fix regression in core schema generation for indirect definition
references by [@​dmontagu](https://togithub.com/dmontagu) in
[#​8702](https://togithub.com/pydantic/pydantic/pull/8702)
- Fix unsupported types bug with `PlainValidator` by
[@​sydney-runkle](https://togithub.com/sydney-runkle) in
[#​8710](https://togithub.com/pydantic/pydantic/pull/8710)
- Reverting problematic fix from 2.6 release, fixing schema building bug
by [@​sydney-runkle](https://togithub.com/sydney-runkle) in
[#​8718](https://togithub.com/pydantic/pydantic/pull/8718)
- Fix warning for tuple of wrong size in `Union` by
[@​davidhewitt](https://togithub.com/davidhewitt) in
[pydantic/pydantic-core#1174](https://togithub.com/pydantic/pydantic-core/pull/1174)
- Fix `computed_field` JSON serializer `exclude_none` behavior by
[@​sydney-runkle](https://togithub.com/sydney-runkle) in
[pydantic/pydantic-core#1187](https://togithub.com/pydantic/pydantic-core/pull/1187)
###
[`v2.6.0`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v260-2024-01-23)
[Compare
Source](https://togithub.com/pydantic/pydantic/compare/v2.5.3...v2.6.0)
[GitHub
release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.0)
The code released in v2.6.0 is practically identical to that of
v2.6.0b1.
##### What's Changed
##### Packaging
- Check for `email-validator` version >= 2.0 by
[@​commonism](https://togithub.com/commonism) in
[#​6033](https://togithub.com/pydantic/pydantic/pull/6033)
- Upgrade \`ruff\`\` target version to Python 3.8 by
[@​Elkiwa](https://togithub.com/Elkiwa) in
[#​8341](https://togithub.com/pydantic/pydantic/pull/8341)
- Update to `pydantic-extra-types==2.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "on the 2nd and 4th day instance on
sunday after 9pm" in timezone America/New_York, Automerge - At any time
(no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/HHS/simpler-grants-gov).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjIxMi4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Folks are using various bandit images kindly built by others, but we should really start providing our own. Should a different container image hosted elsewhere be subjected to some sort of attack (maintainer takeover), this could lead to some serious problems for those using Bandit.
This PR includes an action to build, publish (to ghcr.io) and sign the image using sigstore cosign, upon a release of bandit (it will work alongside pip publish). Users can verify the source of origin for these images were the official repo via sigstore.
You can see an example of this below, where I tested the action in my own test fork (bandit-test):
https://search.sigstore.dev/?logIndex=61918446
Closes: #1087