Update aws sdk to fix netty vulnerability #100
Conversation
Updating the aws sdk to the newest version updates its transitive dependency on netty above 4.1.115, resolving [a high-severity vulnerability identified by dependabot](https://github.com/guardian/simple-configuration/security/dependabot/1).
@emdash-ie has published a preview version of this PR with release workflow run #5, based on commit d36e433: 4.0.0-PREVIEW.update-aws-sdk-to-fix-netty-vulnerability.2024-11-21T1120.d36e433e

Want to make another preview release? Click 'Run workflow' in the GitHub UI, specifying the update-aws-sdk-to-fix-netty-vulnerability branch, or use the GitHub CLI command: gh workflow run release.yml --ref update-aws-sdk-to-fix-netty-vulnerability

Want to make a full release after this PR is merged? Click 'Run workflow' in the GitHub UI, leaving the branch as the default, or use the GitHub CLI command: gh workflow run release.yml
Should this have created a new major version? This is definitely not a breaking change. Generally, dependency updates issue a new patch release. cc @guardian/scala-guild.
Good question, I'm not sure. If I understand correctly, the release covers more commits than just the ones in this PR: v3.0.0...v4.0.0 But those still don't look like major-version changes to me. It'd be really nice to have an explanation somewhere of why a specific type of version bump was chosen. (Is it weird that there are commits to main between the release tag and the post-release commit for v3? Does it mean a PR was merged on the repository while the release was running? Should we avoid/prevent that?)
Oh, I think this is just GitHub's UI ordering commits by their date rather than their position on the main branch. The parent of the post-release commit is the release commit, so that's fine. The October commits come from a PR that was merged on the 15th, well after the release.
Ah, Roberto's issue that just appeared above explains the problem: sbt-version-policy doesn't understand Netty's version number and so assumes it's a major version change. (It also provides instructions for finding out why a given version bump happened.) |
Hi there! Yeah, sorry, I was just trying to document the issue a bit before I got back here, but yup, I've created an issue to track unnecessary version bumps and explain them... Would be good to have a chat sometime about how we might address a general fix for the version-parsing issue...! |
How to test
We feel this is a straightforward dependency update (patch version), so it doesn't require significant testing.