@exabugs/dynamodb-client 1.3.36 → 1.3.38

package/CHANGELOG.md

@@ -7,6 +7,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.3.38] - 2026-01-11
+
+### Changed
+
+- **テストカバレッジ大幅向上**: 86.37%達成（Phase 2目標80%を超過）
+  - dataProviderの完全テスト実装（17テスト、カバレッジ86.37%）
+  - react-admin v5 APIに対応（`pageInfo`形式のレスポンス）
+  - 全481テスト成功
+
+### Removed
+
+- **useManyToManyTransformフック削除**: 不要なコード削除
+  - Many-to-many関係の処理はdataProvider内で統合済み
+  - コードの重複を削減し、保守性を向上
+
+## [1.3.37] - 2026-01-09
+
+### Security
+
+- **updateOne情報漏洩の修正**: ADR 001に基づきセキュリティ脆弱性を修正
+  - update権限のみでread権限がない場合の情報漏洩を防止
+  - `findOne`呼び出しを削除し、`{ id, ...更新したフィールドのみ }` を返却
+  - UpdateOperators形式（`$set`）にも対応
+  - パフォーマンス向上: 不要な`findOne`クエリを削減
+
+### Added
+
+- **ADR 001**: 最小限のレスポンスデータ（セキュリティ重視）を文書化
+  - セキュリティ最優先の設計決定
+  - 全操作で最小限の情報のみ返す統一ポリシー
+
+### Changed
+
+- **破壊的変更**: `updateOne`のレスポンス形式が変更
+  - 従来: 完全なレコードを返却
+  - 新仕様: `{ id, ...更新したフィールドのみ }` を返却
+  - 完全なデータが必要な場合は追加の`findOne`呼び出しが必要
+
 ## [1.3.36] - 2026-01-09
 
 ### Refactored

package/dist/server/handler.cjs

@@ -1,5 +1,5 @@
-// @exabugs/dynamodb-client v1.3.36
-// Built: 2026-01-09T00:36:32.014Z
+// @exabugs/dynamodb-client v1.3.38
+// Built: 2026-01-10T23:33:04.543Z
 "use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -31681,8 +31681,14 @@ function applyJsonMergePatch(target, patch) {
   return result;
 }
 async function handleUpdateMany(resource, params, requestId) {
-  const { data: patchData } = params;
+  const { data: patchData, options } = params;
+  const upsert = options?.upsert ?? false;
   const startTime = Date.now();
+  logger18.debug("Executing updateMany", {
+    requestId,
+    resource,
+    upsert
+  });
   let ids;
   if ("ids" in params) {
     ids = params.ids;
@@ -31742,6 +31748,15 @@ async function handleUpdateMany(resource, params, requestId) {
     })
   );
   const notFoundIds = ids.filter((id) => !existingIds.has(id));
+  if (!upsert && notFoundIds.length > 0) {
+    logger18.warn("Records not found (upsert: false)", {
+      requestId,
+      resource,
+      notFoundCount: notFoundIds.length,
+      notFoundIds: notFoundIds.slice(0, 10)
+      // 最初の10件のみログ
+    });
+  }
   const shadowConfig = getShadowConfig();
   const preparedRecords = [];
   const preparationFailedIds = [];
@@ -31751,8 +31766,8 @@ async function handleUpdateMany(resource, params, requestId) {
       const existingData = item.data;
       const id = existingData.id;
       const oldShadowKeys = existingData.__shadowKeys || [];
-      const actualPatchData = patchData.$set ? patchData.$set : patchData;
-      const mergedData = applyJsonMergePatch(removeShadowKeys(existingData), actualPatchData);
+      const actualPatchData2 = patchData.$set ? patchData.$set : patchData;
+      const mergedData = applyJsonMergePatch(removeShadowKeys(existingData), actualPatchData2);
       const updatedData = addUpdateTimestamp({
         ...mergedData,
         id
@@ -31856,13 +31871,19 @@ async function handleUpdateMany(resource, params, requestId) {
     errors: chunkErrors
   } = await executeChunks(chunks, executeChunk, (record) => record.id);
   const successIds = {};
+  const items = [];
   const failedIdsMap = {};
   const errorsMap = {};
+  const actualPatchData = patchData.$set ? patchData.$set : patchData;
   const successIdSet = new Set(successRecords.map((r4) => r4.id));
   for (let i4 = 0; i4 < ids.length; i4++) {
     const id = ids[i4];
     if (successIdSet.has(id)) {
       successIds[i4] = id;
+      items.push({
+        id,
+        ...actualPatchData
+      });
     }
   }
   for (let i4 = 0; i4 < ids.length; i4++) {
@@ -31938,7 +31959,9 @@ async function handleUpdateMany(resource, params, requestId) {
     count,
     successIds,
     failedIds: failedIdsMap,
-    errors: errorsMap
+    errors: errorsMap,
+    items
+    // 更新したフィールドのみを含むレコード配列（ADR 001）
   };
 }
 function getPreparationErrorCode2(error2) {
@@ -32223,9 +32246,8 @@ var logger19 = createLogger({ service: "records-lambda" });
 async function handleUpdateOne(resource, params, requestId) {
   const { data: patchData, options } = params;
   const { handleUpdateMany: handleUpdateMany2 } = await Promise.resolve().then(() => (init_updateMany(), updateMany_exports));
-  let targetId;
   if ("id" in params) {
-    targetId = params.id;
+    const targetId = params.id;
     logger19.debug("Executing updateOne with id", {
       requestId,
       resource,
@@ -32236,7 +32258,8 @@ async function handleUpdateOne(resource, params, requestId) {
       resource,
       {
         ids: [targetId],
-        data: patchData
+        data: patchData,
+        options
       },
       requestId
     );
@@ -32248,9 +32271,10 @@ async function handleUpdateOne(resource, params, requestId) {
         throw new Error(`Failed to update record: ${targetId}`);
       }
     }
-    const { handleFindOne: handleFindOne2 } = await Promise.resolve().then(() => (init_findOne(), findOne_exports));
-    const updatedRecord = await handleFindOne2(resource, { id: targetId }, requestId);
-    return updatedRecord;
+    if (!updateManyResult.items || updateManyResult.items.length === 0) {
+      throw new Error("updateMany did not return items");
+    }
+    return updateManyResult.items[0];
   } else {
     logger19.debug("Executing updateOne with filter", {
       requestId,
@@ -32262,7 +32286,8 @@ async function handleUpdateOne(resource, params, requestId) {
       resource,
       {
         filter: params.filter,
-        data: patchData
+        data: patchData,
+        options
       },
       requestId
     );
@@ -32274,13 +32299,10 @@ async function handleUpdateOne(resource, params, requestId) {
         throw new Error(`No records found matching filter`);
       }
     }
-    const updatedId = Object.values(updateManyResult.successIds)[0];
-    if (!updatedId) {
-      throw new Error("Failed to get updated record ID");
+    if (!updateManyResult.items || updateManyResult.items.length === 0) {
+      throw new Error("updateMany did not return items");
     }
-    const { handleFindOne: handleFindOne2 } = await Promise.resolve().then(() => (init_findOne(), findOne_exports));
-    const updatedRecord = await handleFindOne2(resource, { id: updatedId }, requestId);
-    return updatedRecord;
+    return updateManyResult.items[0];
   }
 }
 __name(handleUpdateOne, "handleUpdateOne");
@@ -33905,7 +33927,7 @@ async function handler(event) {
       return createCorsResponse(HTTP_STATUS.OK);
     }
     if (event.requestContext.http.method === "GET" && event.requestContext.http.path === "/version") {
-      const version = "1.3.36";
+      const version = "1.3.38";
       return createSuccessResponse({ version, timestamp: (/* @__PURE__ */ new Date()).toISOString() }, requestId);
     }
     if (event.requestContext.http.method !== "POST") {