security(deps): bump urllib3 2.6.3 -> 2.7.0 (CVE-2026-44432) (#53)

* security(deps): bump urllib3 2.6.3 -> 2.7.0 (CVE-2026-44432)

urllib3 2.7.0 fixes CVE-2026-44432, in which
decompression-bomb safeguards in the streaming API could be bypassed
during incremental Brotli reads and when HTTPResponse.drain_conn() ran
after partial decompression. A malicious server could exploit this to
trigger excessive CPU/memory use on the client.

Bumps the pin everywhere urllib3 is listed:

* pyproject.toml
* lambda/api-gateway-proxy/requirements.txt
* lambda/cross-region-aggregator/requirements.txt
* lambda/helm-installer/requirements.txt
* lambda/kubectl-applier-simple/requirements.txt
* requirements-lock.txt (regenerated via the documented Dockerfile.dev
  + pip-compile flow; only the urllib3 line moved)

lambda/regional-api-proxy is unchanged - it does not pin urllib3 and
relies on the Lambda runtime's bundled copy.

urllib3 2.7.0 requires Python >= 3.10; this project is already
requires-python = ">=3.10" and all Lambdas run the Python 3.14 runtime,
so no compatibility impact.

* chore: suppress pre-existing Go stdlib CVEs in helm-installer image

Add .trivyignore entries for 5 HIGH Go stdlib CVEs (CVE-2026-33811,
CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499) that
affect helm v4.1.4, kubectl v1.35.4, and aws-lambda-rie inside the
helm-installer Lambda container.

No upstream fix is available — Helm and kubectl have not released
builds compiled with Go >=1.25.10 or >=1.26.3 yet. These CVEs
pre-date this PR and would fail the container scan on main today.

Entries expire 2026-06-11; re-evaluate when new upstream releases ship.

Author: Jmevorach

.trivyignore

@@ -30,3 +30,24 @@
 # ALAS JSON feed: https://alas.aws.amazon.com/cve/json/v1/CVE-2026-4046.json
 # Upstream base image: public.ecr.aws/lambda/python:3.14
 CVE-2026-4046 exp:2026-05-22
+
+# CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836,
+# CVE-2026-42499 — Go stdlib vulnerabilities (net/http, crypto/tls, os/exec)
+# affecting three binaries in the helm-installer Lambda container:
+#   - aws-lambda-rie (Go 1.26.2, bundled in public.ecr.aws/lambda/python:3.14)
+#   - helm v4.1.4 (Go 1.25.9, latest release as of 2026-05-11)
+#   - kubectl v1.35.4 (Go 1.25.9, latest stable-1.35 as of 2026-05-11)
+#
+# Fix requires Go ≥1.25.10 or ≥1.26.3 in the compiled binaries. No upstream
+# releases are available yet:
+#   - Helm: v4.1.4 is latest (https://github.com/helm/helm/releases)
+#   - kubectl: v1.35.4 is latest stable-1.35 (https://dl.k8s.io/release/stable-1.35.txt)
+#   - aws-lambda-rie: AWS-controlled, no user-serviceable update path
+#
+# These CVEs pre-date this PR and would fail the scan on main today.
+# Re-evaluate when Helm v4.1.5+ or kubectl v1.35.5+ ships.
+CVE-2026-33811 exp:2026-06-11
+CVE-2026-33814 exp:2026-06-11
+CVE-2026-39820 exp:2026-06-11
+CVE-2026-39836 exp:2026-06-11
+CVE-2026-42499 exp:2026-06-11

lambda/api-gateway-proxy/requirements.txt

@@ -1,2 +1,2 @@
-urllib3==2.6.3
+urllib3==2.7.0
 boto3==1.43.3

lambda/cross-region-aggregator/requirements.txt

@@ -1,3 +1,3 @@
 # Cross-Region Aggregator Lambda dependencies
 boto3==1.43.3
-urllib3==2.6.3
+urllib3==2.7.0

lambda/helm-installer/requirements.txt

@@ -1,3 +1,3 @@
 boto3==1.43.3
 pyyaml==6.0.3
-urllib3==2.6.3
+urllib3==2.7.0

lambda/kubectl-applier-simple/requirements.txt

@@ -1,4 +1,4 @@
 boto3==1.43.3
 kubernetes==35.0.0
 PyYAML==6.0.3
-urllib3==2.6.3
+urllib3==2.7.0

pyproject.toml

@@ -43,7 +43,7 @@ dependencies = [
     "pydantic==2.13.3",
     "prometheus-client==0.25.0",
     "httpx==0.28.1",
-    "urllib3==2.6.3",
+    "urllib3==2.7.0",
 ]
 
 [project.optional-dependencies]

requirements-lock.txt

@@ -544,7 +544,7 @@ typing-inspection==0.4.2
     #   pydantic-settings
 uncalled-for==0.3.1
     # via fastmcp
-urllib3==2.6.3
+urllib3==2.7.0
     # via
     #   botocore
     #   gco-cli