Releases: aws-solutions/serverless-image-handler

v6.3.3

30 Dec 15:23
a11bb41

Fixed

  • Overlays not checking for valid S3 buckets
  • Failures when updating deployments created in version 6.1.0 and prior #559

Security

  • Added allowlist on sharp operations.
  • Added deny list on custom headers for base64 encoded requests.
  • Added inference of Content-Type header if S3 Metadata provides an unsupported value

v6.3.2

22 Nov 19:01
f9b1e66

Fixed

v6.3.1

02 Oct 19:54
afc0fb5

Fixed

  • Base-64 encoded overlayWith call requiring strings in top/left options rather than numbers
  • CloudFront anonymized metrics missing for deployments outside of us-east-1

v6.3.0

09 Sep 20:23
55d24fe

Added

  • Additional anonymized metrics system to help understand how the solution is being used, identify areas of improvement, and drive future roadmap decisions.

Changed

  • cdk update to 2.151.0
  • Default log retention to 180 days
  • Cache-control header on fallback images to use, in order of priority: fallback image metadata, header provided in image request, and default cache control #563

Security

v6.2.7

19 Aug 20:35
7bc55b0

Security

  • Upgraded axios to v1.7.4 for vulnerability CVE-2024-39338
  • Adds Security.md file to provide guidance around reporting security vulnerabilities.

Removed

  • Properly deletes files removed in previous versions.

v6.2.6

27 Jun 20:24
c6f8c77

Added

  • StackId tag to CloudFrontLoggingBucket and its bucket name as a CfnOutput #529
  • Test case to verify UTF-8 support in object key #320
  • Test cases to verify crop functionality #459
  • VERSION.txt and build script change to auto-update local package versions
  • S3:bucket-name tag for defining which source bucket to use in thumbor style requests #521
  • Ability to override whether an image should be animated #456
  • Support for 8-bit depth AVIF image type inference #360

Changed

  • Decreased permissions allotted to CustomResource Lambda and ImageHandler Lambda
  • cdk update to 2.124.0
  • aws-solutions-constructs update to 2.51.0
  • SourceBucketsParameter to require explicit bucket names
  • Demo-ui dependency update
  • Demo-ui to be a package and manage script/stylesheet dependencies through NPM
  • Modified JPEG SOI marker parsing to only check first 2 bytes [#429]

Security

Removed

  • Unused CopyS3Assets custom resource

Fixed

  • Some error messages indicating incorrect file types
  • Solution version and id not being passed to Backend Lambda
  • Thumbor-style URL matching being overly permissive

v6.2.5

12 Jan 21:25
9375a0a

Fixed

  • Ensure accurate image metadata when generating Amazon Rekognition compatible images #374
  • Upgraded axios to v1.6.5 for vulnerability CVE-2023-26159
  • Exclude demo-ui-config from being deleted upon BucketDeployment update sync when updating to a new version

Changed

  • Overlay requests with an overlay image with one or both dimensions greater than the base image now return a 400 bad request status with the message "Image to overlay must have same dimensions or smaller"; previously they returned a 500 internal error #405
  • cdk update to 2.118.0
  • typescript update to 5.3.3
  • GIF files without multiple pages are now treated as non-animated, allowing all filters to be used on them #460

v6.2.4

15 Dec 17:16
56304c8

[6.2.4] - 2023-12-06

Changed

  • node 20.x Lambda runtimes
  • cdk update to 2.111.0
  • disable gzip compression in cloudfront cache option to improve cache hit ratio #373
  • requests for webp images supported for upper/lower case Accept header #490
  • changed axios version to 1.6.2 for github dependabot reported vulnerability CVE-2023-45857
  • enabled thumbor filter chaining #343

v6.2.3

20 Oct 22:53
44368a7

Fixed

  • Fixing Security Vulnerabilities

v6.2.2

29 Sep 20:03

Changed

  • Update package.json Author
  • Modify some license headers to maintain consistency

Security

  • Upgraded sharp to v0.32.6 for vulnerability CVE-2023-4863
  • Upgraded outdated NPM packages