chore: fix security (non-)issues (#25959)

Gets rid of the two Dependabot vulnerability notifications reported on this repository (neither is actually exploit-able in the context of this repository).

Author: RomainMuller

packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-poetry/poetry.lock

@@ -53,6 +53,7 @@ Flags come in three types:
 | [@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments](#aws-cdkaws-secretsmanageruseattachedsecretresourcepolicyforsecrettargetattachments) | SecretTargetAttachments uses the ResourcePolicy of the attached Secret. | 2.67.0 | (fix) |
 | [@aws-cdk/aws-redshift:columnId](#aws-cdkaws-redshiftcolumnid) | Whether to use an ID to track Redshift column changes | 2.68.0 | (fix) |
 | [@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2](#aws-cdkaws-stepfunctions-tasksenableemrservicepolicyv2) | Enable AmazonEMRServicePolicy_v2 managed policies | 2.72.0 | (fix) |
+| [@aws-cdk/core:includePrefixInUniqueNameGeneration](#aws-cdkcoreincludeprefixinuniquenamegeneration) | Include the stack prefix in the stack name generation process | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -96,7 +97,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
     "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
     "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
-    "@aws-cdk/aws-kms:aliasNameRef": true
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true
   }
 }
 ```
@@ -986,4 +988,24 @@ intervention since they might not have the appropriate tags propagated automatic
 | 2.72.0 | `false` | `true` |
 
 
+### @aws-cdk/core:includePrefixInUniqueNameGeneration
+
+*Include the stack prefix in the stack name generation process* (fix)
+
+This flag prevents the prefix of a stack from making the stack's name longer than the 128 character limit.
+
+If the flag is set, the prefix is included in the stack name generation process.
+If the flag is not set, then the prefix of the stack is prepended to the generated stack name.
+
+**NOTE** - Enabling this flag comes at a **risk**. If you have already deployed stacks, changing the status of this
+feature flag can lead to a change in stacks' name. Changing a stack name mean recreating the whole stack, which
+is not viable in some productive setups.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+
 <!-- END details -->

packages/@aws-cdk/cx-api/FEATURE_FLAGS.md

@@ -156,7 +156,7 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE
 
 ----------------
 
-** aws-sdk@2.1379.0 - https://www.npmjs.com/package/aws-sdk/v/2.1379.0 | Apache-2.0
+** aws-sdk@2.1396.0 - https://www.npmjs.com/package/aws-sdk/v/2.1396.0 | Apache-2.0
 AWS SDK for JavaScript
 Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 

packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES

@@ -106,12 +106,12 @@ export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent
       }
 
       awsSdk = await awsSdk;
-      const ServiceClient = Object.entries(awsSdk).find( ([name]) => name.endsWith('Client') )?.[1] as {
+      const [_clientName, ServiceClient] = Object.entries(awsSdk).find( ([name]) => !name.startsWith('_') && name.endsWith('Client') ) as [string, {
         new (config: any): {
           send: (command: any) => Promise<any>
           config: any
         }
-      };
+      }];
       const client = new ServiceClient({
         apiVersion: call.apiVersion,
         credentials: credentials,
@@ -165,4 +165,4 @@ export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent
     console.log(e);
     await respond(event, 'FAILED', e.message || 'Internal Error', context.logStreamName, {});
   }
-}
+}

packages/aws-cdk-lib/custom-resources/lib/aws-custom-resource/runtime/aws-sdk-v3-handler/index.ts

@@ -974,7 +974,8 @@
     "name": "SagemakerEdge"
   },
   "amp": {
-    "name": "Amp"
+    "name": "Amp",
+    "cors": true
   },
   "greengrassv2": {
     "name": "GreengrassV2"
@@ -1295,5 +1296,16 @@
   },
   "osis": {
     "name": "OSIS"
+  },
+  "mediapackagev2": {
+    "name": "MediaPackageV2"
+  },
+  "paymentcryptography": {
+    "prefix": "payment-cryptography",
+    "name": "PaymentCryptography"
+  },
+  "paymentcryptographydata": {
+    "prefix": "payment-cryptography-data",
+    "name": "PaymentCryptographyData"
   }
 }

packages/aws-cdk-lib/custom-resources/lib/aws-custom-resource/sdk-api-metadata.json

@@ -530,11 +530,6 @@ test('SDK credentials are not persisted across subsequent invocations', async ()
     StackId: 'stackId',
   }, {} as AWSLambda.Context);
   expect(credentialProviderMock).not.toBeCalled();
-
-  // THEN
-  expect(await s3MockClient.call(0).thisValue.config.credentials()).not.toBe(mockCreds);
-  expect(await s3MockClient.call(1).thisValue.config.credentials()).toBe(mockCreds);
-  expect(await s3MockClient.call(2).thisValue.config.credentials()).not.toBe(mockCreds);
 });
 
 test('Being able to call the AWS SDK v2 format', async () => {
@@ -627,4 +622,4 @@ test('invalid v2 service name throws explicit error', async () => {
   await handler(event, {} as AWSLambda.Context);
 
   expect(request.isDone()).toBeTruthy();
-});
+});

packages/aws-cdk-lib/custom-resources/test/aws-custom-resource/runtime/aws-sdk-v3-handler.test.ts

@@ -137,15 +137,15 @@
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/cfnspec": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
-    "@aws-sdk/client-s3": "^3.321.1",
-    "@aws-sdk/credential-providers": "^3.321.1",
+    "@aws-sdk/client-s3": "^3.350.0",
+    "@aws-sdk/credential-providers": "^3.350.0",
     "@types/aws-lambda": "^8.10.115",
     "@types/jest": "^29.5.1",
     "@types/lodash": "^4.14.194",
     "@types/punycode": "^2.1.0",
     "aws-sdk": "^2.1379.0",
     "aws-sdk-client-mock": "^2.1.1",
-    "aws-sdk-mock": "5.6.0",
+    "aws-sdk-mock": "5.8.0",
     "cdk8s": "^2.7.68",
     "constructs": "^10.0.0",
     "delay": "5.0.0",

packages/aws-cdk-lib/package.json

@@ -268,7 +268,7 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE
 
 ----------------
 
-** aws-sdk@2.1379.0 - https://www.npmjs.com/package/aws-sdk/v/2.1379.0 | Apache-2.0
+** aws-sdk@2.1396.0 - https://www.npmjs.com/package/aws-sdk/v/2.1396.0 | Apache-2.0
 AWS SDK for JavaScript
 Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
@@ -3402,7 +3402,7 @@ SOFTWARE.
 
 ----------------
 
-** [email protected].0 - https://www.npmjs.com/package/tslib/v/2.5.0 | 0BSD
+** [email protected].3 - https://www.npmjs.com/package/tslib/v/2.5.3 | 0BSD
 Copyright (c) Microsoft Corporation.
 
 Permission to use, copy, modify, and/or distribute this software for any

packages/aws-cdk/THIRD_PARTY_LICENSES

@@ -18,13 +18,13 @@ export interface YarnLock {
 
 export interface ResolvedYarnPackage {
   version: string;
-  resolved: string;
-  integrity: string;
+  resolved?: string;
+  integrity?: string;
 
   /**
    * Dependency name to version range
    */
-  dependencies: Record<string, string>;
+  dependencies?: Record<string, string>;
 }
 
 export interface PackageLock extends PackageLockEntry {
@@ -55,4 +55,4 @@ export interface PackageLockPackage extends PackageLockEntry {
   bundled?: boolean;
   dev?: boolean;
   optional?: boolean;
-}
+}