What's Changed
New Contributors
- @maxflorentin made their first contribution in #1004
- @sjincho made their first contribution in #1018
[1.3.70] — 2026-06-30
Added
- CloudFormation — SAM transform (AWS::Serverless-2016-10-31) templates are expanded into native CloudFormation — a template carrying Transform: AWS::Serverless-2016-10-31 now has its SAM resources expanded into native CloudFormation before provisioning, via the canonical aws-sam-translator, matching AWS's server-side expansion on CreateStack, UpdateStack, and CreateChangeSet. The dependency is optional and ships in the full image only; a lean image that receives a SAM template returns a clear error pointing to the full image instead of silently failing to expand. Contributed by @maximoosemine.
- IAM — group policy attach/detach and inline group policies — AttachGroupPolicy, DetachGroupPolicy, ListAttachedGroupPolicies, PutGroupPolicy, GetGroupPolicy, DeleteGroupPolicy, and ListGroupPolicies are now implemented, matching the existing User and Role coverage, so the create-group then attach-managed-and-inline-policy pattern works instead of returning InvalidAction: Unknown IAM action. Contributed by @maxflorentin.
- SNS — mobile-push endpoint lifecycle: GetEndpointAttributes, SetEndpointAttributes, DeleteEndpoint, DeletePlatformApplication — completes the platform-endpoint flow on top of the existing CreatePlatformApplication/CreatePlatformEndpoint. CreatePlatformEndpoint now dedups by device token within a platform application (AWS behavior): re-requesting the same Token returns the existing endpoint ARN when CustomUserData matches, and raises InvalidParameter "Endpoint <arn> already exists with the same Token, but different attributes." when it differs — so callers can parse the ARN and reconcile. Publish to a platform-endpoint TargetArn now succeeds (stub delivery) instead of returning Topic does not exist, and DeletePlatformApplication is idempotent and drops the application's endpoints. This lets app push-token registration flows (register → read/update attributes → delete) run end-to-end against MiniStack. Contributed by @sjincho.
Fixed
- S3 — S3 → EventBridge events use AWS-conformant detail-type, reason, and deletion-type — S3 → EventBridge delivery built the detail-type by string-mangling the granular notification event name (Object ObjectCreated Put instead of AWS's fixed Object Created), hardcoded detail.reason to PutObject for every event, and omitted detail.deletion-type on deletes. Because EventBridge rules match on detail-type, any rule written to the AWS-documented type (e.g. ["Object Created"]) silently never matched. Each S3 event family now maps to its fixed EventBridge detail-type, with the per-API reason (PutObject/POST Object/CopyObject/CompleteMultipartUpload/DeleteObject) and a deletion-type on Object Deleted. Contributed by @lucasmfraser.
- API Gateway — failed OIDC discovery is negative-cached so a transient failure no longer causes a 2 hour auth outage — _fetch_oidc_jwks_uri cached the result of OIDC discovery unconditionally, so a single transient failure cached jwks_uri = None for the full 7200s TTL and every subsequent JWT validation for that issuer fell back to the wrong default path and returned 401/404 for up to two hours, recoverable only by a restart. Discovery now writes the 7200s cache only on success and a short 60s negative cache on failure, so auth recovers within a minute of the issuer becoming reachable while still avoiding a re-run on every request. Contributed by @Pratham2703005.
- Lambda — worker respawn cleans up the previous tmpdir and terminates the dead process — when a Lambda worker died between invocations, _spawn() created a fresh tmpdir without removing the previous one (leaking the extracted function code and layers on disk) and an errored handler set self._proc = None without terminating the subprocess (leaking ~68 MB per orphaned worker). Respawn now removes the old tmpdir and terminates the previous process first. Contributed by @hiddengearz.
- Cognito — OAuth2 Basic-auth client secret containing + is no longer corrupted — the Authorization: Basic credential decode used unquote_plus, which turns a literal + in a Cognito-generated secret into a space, so client_secret_basic failed with invalid_client for the roughly half of generated secrets that contain a +. It now uses unquote, preserving + while still decoding %2F/%2B. Contributed by @jgrumboe.
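
The API Gateway OIDC discovery fix above, sketched as an added example (not MiniStack's own code): a discovery cache whose TTL depends on the outcome, run against a simulated 30-second issuer outage with both the old and the fixed failure TTL. The class, function names, issuer URL and JWKS path are hypothetical; only the 7200s and 60s TTLs come from the entry.

```python
import time

POSITIVE_TTL = 7200  # seconds; success TTL from the changelog entry
NEGATIVE_TTL = 60    # seconds; failure TTL from the changelog entry


class DiscoveryCache:
    """issuer -> jwks_uri cache. Hypothetical class, not MiniStack's code."""

    def __init__(self, fetch, clock=time.monotonic, negative_ttl=NEGATIVE_TTL):
        self._fetch = fetch              # callable(issuer) -> jwks_uri; raises on failure
        self._clock = clock              # injectable so the simulation needs no sleeping
        self._negative_ttl = negative_ttl
        self._entries = {}               # issuer -> (jwks_uri or None, expires_at)

    def jwks_uri(self, issuer):
        now = self._clock()
        entry = self._entries.get(issuer)
        if entry is not None and now < entry[1]:
            return entry[0]              # fresh hit, positive or negative
        try:
            uri = self._fetch(issuer)
        except Exception:
            uri = None                   # discovery failed; remember that only briefly
        ttl = POSITIVE_TTL if uri else self._negative_ttl
        self._entries[issuer] = (uri, now + ttl)
        return uri


def simulate_outage(negative_ttl, outage_seconds=30):
    """Issuer is down for outage_seconds, then healthy; one validation every 10 s.

    Returns (seconds until a jwks_uri is available, number of discovery fetches).
    """
    now, fetches = [0.0], [0]

    def fetch(issuer):                   # constructed stand-in for the HTTP discovery call
        fetches[0] += 1
        if now[0] < outage_seconds:
            raise ConnectionError("issuer unreachable")
        return issuer + "/jwks"          # constructed value

    cache = DiscoveryCache(fetch, clock=lambda: now[0], negative_ttl=negative_ttl)
    for t in range(0, 3 * 3600, 10):
        now[0] = float(t)
        if cache.jwks_uri("https://issuer.example") is not None:
            return t, fetches[0]
    return None, fetches[0]


if __name__ == "__main__":
    print("failure cached 7200 s (old behaviour):", simulate_outage(POSITIVE_TTL))
    print("failure cached 60 s (fixed):", simulate_outage(NEGATIVE_TTL))
```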