Maintenance: Bump version dependency for aws-encryption-sdk

[dsalsbury-dev]

Why is this needed?

Bump the usage of aws-encryption-sdk to version >=4.0.5 in order to resolve concerns over CVE-2026-6550 - aws-encryption-sdk being propagated via Lambda layers

Which area does this relate to?

Other

Solution

Bump the version of aws-encryption-sdk to >=4.0.5

Acknowledgment

• This request meets Powertools for AWS Lambda (Python) Tenets
• Should this be considered in other Powertools for AWS Lambda languages? i.e. Java, TypeScript, and .NET

[boring-cyborg]

Thanks for opening your first issue here! We'll come back to you as soon as we can.
In the meantime, check out the #python channel on our Powertools for AWS Lambda Discord: Invite link

[leandrodamascena]

Hey @dsalsbury-dev , thanks for raising this.

Our Lambda layer always pulls the latest version and it already resolves to the latest version of the 4.x. I'll check if the latest version of our Lamba Layer is bringing aws-encryption-sdk 4.0.5, if not, I'll release a new version.

That said, we shouldn't allow vulnerable versions to be installed as a transitive dependency. I'll update the version constraint to >=3.3.1,!=4.0.0,!=4.0.1,!=4.0.2,!=4.0.3,!=4.0.4,<5.0.0. This blocks all vulnerable versions without breaking anyone already on a safe 3.x release.

I'll also create a separate issue to drop 3.x support entirely in 2-3 months, giving folks time to migrate to 4.x.