@exabugs/dynamodb-client 1.3.36 → 1.3.37

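--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
  ## [Unreleased]
 
+ ## [1.3.37] - 2026-01-09
+
+ ### Security
+
+ - **updateOne情報漏洩の修正**: ADR 001に基づきセキュリティ脆弱性を修正
+ - update権限のみでread権限がない場合の情報漏洩を防止
+ - `findOne`呼び出しを削除し、`{ id, ...更新したフィールドのみ }` を返却
+ - UpdateOperators形式(`$set`)にも対応
+ - パフォーマンス向上: 不要な`findOne`クエリを削減
+
+ ### Added
+
+ - **ADR 001**: 最小限のレスポンスデータ(セキュリティ重視)を文書化
+ - セキュリティ最優先の設計決定
+ - 全操作で最小限の情報のみ返す統一ポリシー
+
+ ### Changed
+
+ - **破壊的変更**: `updateOne`のレスポンス形式が変更
+ - 従来: 完全なレコードを返却
+ - 新仕様: `{ id, ...更新したフィールドのみ }` を返却
+ - 完全なデータが必要な場合は追加の`findOne`呼び出しが必要
+
  ## [1.3.36] - 2026-01-09
 
  ### Refactored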
@@ -1,5 +1,5 @@
1
- // @exabugs/dynamodb-client v1.3.36
2
- // Built: 2026-01-09T00:36:32.014Z
1
+ // @exabugs/dynamodb-client v1.3.37
2
+ // Built: 2026-01-09T01:52:07.662Z
3
3
  "use strict";
4
4
  var __create = Object.create;
5
5
  var __defProp = Object.defineProperty;
@@ -32248,9 +32248,11 @@ async function handleUpdateOne(resource, params, requestId) {
32248
32248
  throw new Error(`Failed to update record: ${targetId}`);
32249
32249
  }
32250
32250
  }
32251
- const { handleFindOne: handleFindOne2 } = await Promise.resolve().then(() => (init_findOne(), findOne_exports));
32252
- const updatedRecord = await handleFindOne2(resource, { id: targetId }, requestId);
32253
- return updatedRecord;
32251
+ const actualPatchData = patchData.$set ? patchData.$set : patchData;
32252
+ return {
32253
+ id: targetId,
32254
+ ...actualPatchData
32255
+ };
32254
32256
  } else {
32255
32257
  logger19.debug("Executing updateOne with filter", {
32256
32258
  requestId,
@@ -32278,9 +32280,11 @@ async function handleUpdateOne(resource, params, requestId) {
32278
32280
  if (!updatedId) {
32279
32281
  throw new Error("Failed to get updated record ID");
32280
32282
  }
32281
- const { handleFindOne: handleFindOne2 } = await Promise.resolve().then(() => (init_findOne(), findOne_exports));
32282
- const updatedRecord = await handleFindOne2(resource, { id: updatedId }, requestId);
32283
- return updatedRecord;
32283
+ const actualPatchData = patchData.$set ? patchData.$set : patchData;
32284
+ return {
32285
+ id: updatedId,
32286
+ ...actualPatchData
32287
+ };
32284
32288
  }
32285
32289
  }
32286
32290
  __name(handleUpdateOne, "handleUpdateOne");
@@ -33905,7 +33909,7 @@ async function handler(event) {
33905
33909
  return createCorsResponse(HTTP_STATUS.OK);
33906
33910
  }
33907
33911
  if (event.requestContext.http.method === "GET" && event.requestContext.http.path === "/version") {
33908
- const version = "1.3.36";
33912
+ const version = "1.3.37";
33909
33913
  return createSuccessResponse({ version, timestamp: (/* @__PURE__ */ new Date()).toISOString() }, requestId);
33910
33914
  }
33911
33915
  if (event.requestContext.http.method !== "POST") {
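Review bot: In both new return statements of handleUpdateOne (new lines 32251–32255 and 32283–32287), `id` is written before the spread, so an `id` key inside the patch would replace the id of the record that was actually updated in the response; spreading first, `return { ...actualPatchData, id: targetId };` (and `id: updatedId` in the filter branch), keeps the server-resolved id authoritative. The `patchData.$set ? patchData.$set : patchData` fallback also means a patch carrying some other operator without `$set` would be echoed back as raw operator keys, and one that mixes `$set` with other operators reports only the `$set` part; if other operators are accepted here, which the hunks do not show, the response should be built from the fields actually written. Because the response now echoes request input rather than stored state, a short comment such as `// Echo only caller-supplied fields; never re-read the record (caller may lack read permission)` at each return would keep a later refactor from reintroducing the lookup. The function body starts outside these hunks, so how `patchData` is validated before this point is not visible.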