Upgrade to AWS SDK v2 #272
Conversation
|
build.sbt
Outdated
| @@ -17,14 +18,14 @@ inThisBuild(Seq( | |||
| "-deprecation", | |||
| "-Xfatal-warnings", | |||
| "-encoding", "UTF-8", | |||
| "-release:11", | |||
| "-release:21", | |||
There was a problem hiding this comment.
I think we might want to target a lower version of the JVM because the Anghammarad client library gets published?
There was a problem hiding this comment.
I'd also observe that this means Anghammarad can only be run locally by people running 21+, it gives the error "21 is not a valid choice for -java-output-version" if you're running 17 or 11, both common choices still.
I appreciate we do have a .tool-versions file here, but:
- I'm not sure how widely used that is, does everyone actually use asdf?
- the pinned version is currently 7 months out of date, but with no plan (or automation) this will get worse in the future, so we don't necessarily want to hang local development workflows off it
These are outstanding questions that we can sidestep by simple setting a more modest JDK target. Very happy to chat this over!
| @@ -4,6 +4,7 @@ import sbtversionpolicy.withsbtrelease.ReleaseVersion | |||
| val assemblySettings = Seq( | |||
| assembly / assemblyMergeStrategy := { | |||
| case path if path.endsWith("module-info.class") => MergeStrategy.last | |||
| case PathList("META-INF", "io.netty.versions.properties") => MergeStrategy.first //see https://github.com/sbt/sbt-assembly/issues/362 | |||
There was a problem hiding this comment.
We should switch to native-packager to avoid these problems, but something to look at later. Thank you!
mchv
force-pushed
the
mc-upgrade-sdk-v2
branch
from
ee62500 to
b6e68a4
Compare
|
After discussion with @adamnfish we agreed on removing 25f6c4e so library users who have not yet upgraded to java 21 can still update without worrying about it. |
What does this change?
I recently started to look at AWS FSBP reported issues for one of our AWS account, and enabled AWS Lambda Inspector.
It immediately identifies that lambda provided by security-hq are still embedding vulnerable version of
Log4j!I was surprised by this but found this was due to the dependency to anghammarad-client which is still using the first version of AWS SDK, which depend to vulnerable versions of
Log4j.The associated changes do the following:
Java 21(Latest LTS) as SDK upgrade is a breaking change and consumers should be running it or upgrading their runtime as the same time.What are the next steps?