Update to version v4.1.3

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.1.3] - 2026-02-24
+
+### Fixed
+
+- Fixed error when deploying MCP Server use case with Lambda targets due to IAM permission propagation ([#238](https://github.com/aws-solutions/generative-ai-application-builder-on-aws/issues/238)).
+
+### Security
+
+- Upgraded ajv to `6.14.0` to mitigate [CVE-2025-69873](https://nvd.nist.gov/vuln/detail/CVE-2025-69873)
+- Upgraded fast-xml-parser to `5.3.6` to mitigate [CVE-2026-26278](https://nvd.nist.gov/vuln/detail/CVE-2026-26278) and [CVE-2026-25896](https://nvd.nist.gov/vuln/detail/CVE-2026-25896)
+- Upgraded minimatch to `3.1.3`/`5.1.7`/`9.0.6` to mitigate [CVE-2026-26996](https://nvd.nist.gov/vuln/detail/CVE-2026-26996)
+- Upgraded werkzeug to `3.1.6` to mitigate [CVE-2026-27199](https://nvd.nist.gov/vuln/detail/CVE-2026-27199)
+- Upgraded aws-cdk-lib to `2.240.0`
+- Upgraded aws-cdk to `2.1106.1`
+
 ## [4.1.2] - 2026-02-17
 
 ### Security

NOTICE.txt

@@ -40,6 +40,7 @@ This software includes third party software subject to the following copyrights:
 @aws-cdk/asset-awscli-v1 under the Apache-2.0 license.
 @aws-cdk/asset-kubectl-v20 under the Apache-2.0 license.
 @aws-cdk/asset-node-proxy-agent-v6 under the Apache-2.0 license.
+@aws-cdk/cloud-assembly-api under the Apache-2.0 license.
 @aws-cdk/cloud-assembly-schema under the Apache-2.0 license.
 @aws-cdk/integ-tests-alpha under the Apache-2.0 license.
 @aws-crypto/crc32 under the Apache-2.0 license.

deployment/cdk-solution-helper/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@amzn/cdk-solution-helper",
-  "version": "4.1.2",
+  "version": "4.1.3",
   "description": "This script performs token replacement as part of the build pipeline",
   "license": "Apache-2.0",
   "author": {

deployment/ecr/gaab-strands-agent/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "gaab-strands-agent"
-version = "4.1.2"
+version = "4.1.3"
 description = "GAAB Strands Agent Runtime for Amazon Bedrock AgentCore"
 readme = "README.md"
 requires-python = ">=3.13"

deployment/ecr/gaab-strands-common/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "gaab-strands-common"
-version = "4.1.2"
+version = "4.1.3"
 description = "Shared library for GAAB Strands agents"
 readme = "README.md"
 requires-python = ">=3.13"

deployment/ecr/gaab-strands-workflow-agent/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "gaab-strands-workflow-agent"
-version = "4.1.2"
+version = "4.1.3"
 description = "GAAB Strands Workflow Agent Runtime for Amazon Bedrock AgentCore"
 readme = "README.md"
 requires-python = ">=3.13"

source/infrastructure/bin/gen-ai-app-builder.ts

@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import * as cdk from 'aws-cdk-lib';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { AwsSolutionsChecks } from 'cdk-nag';
 import * as crypto from 'crypto';
 import { AgentBuilderStack } from '../lib/use-case-stacks/agent-core/agent-builder-stack';
@@ -13,6 +14,7 @@ import { DeploymentPlatformStack } from '../lib/deployment-platform-stack';
 import { BaseStack, BaseStackProps } from '../lib/framework/base-stack';
 import { SageMakerChat } from '../lib/sagemaker-chat-stack';
 import { LambdaAspects } from '../lib/utils/lambda-aspect';
+import { LambdaVersionCDKNagSuppression } from '../lib/utils/lambda-version-cdk-nag-suppression';
 import { LogGroupRetentionCheckAspect } from '../lib/utils/log-group-retention-check-aspect';
 import { WorkflowStack } from '../lib/use-case-stacks/agent-core/workflow-stack';
 
@@ -41,6 +43,17 @@ createStack(DeploymentPlatformStack, getDefaultBaseStackProps(DeploymentPlatform
 cdk.Aspects.of(app).add(new AwsSolutionsChecks(), { priority: cdk.AspectPriority.READONLY });
 cdk.Aspects.of(app).add(new LogGroupRetentionCheckAspect(), { priority: cdk.AspectPriority.READONLY });
 
+// suppress AwsSolutions-L1 for runtimes where the next version is not yet supported
+const runtimeSuppressions = [
+    lambda.Runtime.NODEJS_22_X,
+    lambda.Runtime.PYTHON_3_13,
+];
+for (const runtime of runtimeSuppressions) {
+    cdk.Aspects.of(app).add(new LambdaVersionCDKNagSuppression(runtime), {
+        priority: cdk.AspectPriority.MUTATING
+    });
+}
+
 app.synth();
 
 /**

source/infrastructure/cdk.json

@@ -64,7 +64,7 @@
     "@custom-bundler/unit-test": false,
     "solution_id": "SO0276",
     "solution_name": "generative-ai-application-builder-on-aws",
-    "solution_version": "v4.1.2",
+    "solution_version": "v4.1.3",
     "app_registry_name": "GAAB",
     "application_type": "AWS-Solutions",
     "application_trademark_name": "Generative AI Application Builder on AWS",

source/infrastructure/lib/utils/constants.ts

@@ -24,8 +24,6 @@ export const LANGCHAIN_LAMBDA_LAYER_PYTHON_RUNTIME: string = 'langchain_python_3
 export const COMMERCIAL_REGION_LAMBDA_NODE_TS_LAYER_RUNTIME: string = 'node_ts_lambda_22_x_layer';
 export const COMMERCIAL_REGION_LAMBDA_JS_LAYER_RUNTIME: string = 'node_js_lambda_22_x_layer';
 export const GOV_CLOUD_REGION_LAMBDA_PYTHON_RUNTIME: lambda.Runtime = lambda.Runtime.PYTHON_3_11;
-export const COMMERCIAL_REGION_LAMBDA_JAVA_RUNTIME: lambda.Runtime = lambda.Runtime.JAVA_21;
-export const GOV_CLOUD_REGION_LAMBDA_JAVA_RUNTIME: lambda.Runtime = lambda.Runtime.JAVA_17;
 export const SERVICE_NAME = 'UseCaseManagement';
 
 export enum StackDeploymentSource {