v7.0.0

Changed

• Location of API Gateway infrastructure resources
• Breaking New condition on API gateway will cause a delete/create of ApiGateway::Deployment on stack update
• Breaking: Exception thrown on invalid resize parameters #463
• Code formatting to align with ESLint rules
• Breaking Reduced passthrough of errors from external APIs to response body. Errors will still be logged.
• Modified CloudFront logging bucket to have versioning enabled by default
• CloudFront behaviour to redirect http requests to https rather than throwing forbidden error
• Set-Cookie was added to list of deny-listed response headers
• Name of solution from Serverless Image Handler on AWS to Dynamic Image Transformation for Amazon CloudFront.

Added

• Ability to enable origin shield through a deployment parameter
• Ability to deploy solution without creating a CloudFront distribution
• CloudFront function to normalize accept headers when AutoWebP is enabled
• Alternative infrastructure using S3 Object Lambda to overcome 6 MB response size limit
• Query param named expires which can be used to define when a generated image should no longer be accessible
• Ability to include smart_crop as a filter for Thumbor style requests, taking advantage of AWS Rekognition face cropping
• Ability to set CloudWatch log retention period to Infinite
• Ability to specify Sharp input image size limit #465 #476
• Query parameter based image editing #184
• Query parameter normalization to improve cache hit rate
• CloudWatch dashboard to improve Solution observability
• Additional anonymized metrics to help understand how the solution is being used, identify areas of improvement, and drive future roadmap decisions.

Removed

• Accept header being used in cache policy when AutoWebP is disabled

Fixed

• Broken URLs in Signature and Fallback Image template parameters

v6.3.3

Fixed

• Overlays not checking for valid S3 buckets
• Failures when updating deployments created in version 6.1.0 and prior #559

Security

• Added allowlist on sharp operations. Info
• Added deny list on custom headers for base64 encoded requests. Info
• Added inference of Content-Type header if S3 Metadata provides an unsupported value

v6.3.2

Fixed

• Upgrade cross-spawn to v7.0.6 for vulnerability CVE-2024-9506

v6.3.1

Fixed

• Base-64 encoded overlayWith call requiring strings in top/left options rather than numbers
• CloudFront anonymized metrics missing for deployments outside of us-east-1

v6.3.0

Added

• Additional anonymized metrics system to help understand how the solution is being used, identify areas of improvement, and drive future roadmap decisions.

Changed

• Cdk update to 2.151.0
• Default log retention to 180 days
• Cache-control header on fallback images to use (in order of priority), fallback image metadata, header provided in image request, and default cache control #563

Security

• Upgraded micromatch to v4.0.8 for vulnerability CVE-2024-4067

v6.2.7

Security

• Upgraded axios to v1.7.4 for vulnerability CVE-2024-39338
• Adds Security.md file to provide guidance around reporting security vulnerabilities.

Removed

• Properly deletes files removed in previous versions.

v6.2.6

Added

• StackId tag to CloudFrontLoggingBucket and its bucket name as a CfnOutput #529
• Test case to verify UTF-8 support in object key #320
• Test cases to verify crop functionality #459
• VERSION.txt and build script change to auto-update local package versions
• S3:bucket-name tag for defining which source bucket to use in thumbor style requests #521
• Ability to override whether an image should be animated #456
• Support for 8-bit depth AVIF image type inference #360

Changed

• Decreased permissions allotted to CustomResource Lambda and ImageHandler Lambda
• cdk update to 2.124.0
• aws-solutions-constructs update to 2.51.0
• SourceBucketsParameter to require explicit bucket names
• Demo-ui dependency update
• Demo-ui to be a package and manage script/stylesheet dependencies through NPM
• Modified JPEG SOI marker parsing to only check first 2 bytes [#429]

Security

• Upgraded follow-redirects to v1.15.6 for vulnerability CVE-2024-28849
• Upgraded braces to v3.0.3 for vulnerability CVE-2024-4068

Removed

• Unused CopyS3Assets custom resource

Fixed

• Some error messages indicating incorrect file types
• Solution version and id not being passed to Backend Lambda
• Thumbor-style URL matching being overly permissive

v6.2.5

Fixed

• Ensure accurate image metadata when generating Amazon Rekognition compatible images #374
• Upgraded axios to v1.6.5 for vulnerability CVE-2023-26159
• Exclude demo-ui-config from being deleted upon BucketDeployment update sync when updating to a new version

Changed

• Overlay requests with an overlay image with one or both dimensions greater than the base image now returns a 400 bad request status with the message "Image to overlay must have same dimensions or smaller", previously returned a 500 internal error #405
• cdk update to 2.118.0
• typescript update to 5.3.3
• GIF files without multiple pages are now treated as non-animated, allowing all filters to be used on them #460

v6.2.4

[6.2.4] - 2023-12-06

Changed

• node 20.x Lambda runtimes
• cdk update to 2.111.0
• disable gzip compression in cloudfront cache option to improve cache hit ratio #373
• requests for webp images supported for upper/lower case Accept header #490
• changed axios version to 1.6.2 for github dependabot reported vulnerability CVE-2023-45857
• enabled thumbor filter chaining #343

v6.2.3

Fixed

• Fixing Security Vulnerabilities