[pull] master from aws:master

.eslintrc.js

@@ -80,6 +80,9 @@ module.exports = {
     '@typescript-eslint/ban-ts-comment': ['error', { 'ts-ignore': false }],
     // This rule fights with Prettier and no-semi
     '@typescript-eslint/no-extra-semi': 'off',
+    // Added in later versions of @typescript-eslint
+    '@typescript-eslint/explicit-module-boundary-types': 'off',
+    '@typescript-eslint/no-unused-vars': 'off',
   },
   // This is a good rule,
   // but in many tests,

.github/workflows/ci.yml

@@ -0,0 +1,67 @@
+# This workflow performs tests in JavaScript.
+name: ESDK JavaScript CI Tests 
+
+on: [pull_request, workflow_call]
+
+jobs:
+  CI:
+    strategy:
+      matrix:
+          node: [18.x, 20.x, 22.x, latest]
+      fail-fast: false
+    runs-on: codebuild-AWS-ESDK-JS-Release-${{ github.run_id }}-${{ github.run_attempt }}-ubuntu-5.0-large
+    permissions:
+      id-token: write
+      contents: read
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true 
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{matrix.node}}
+      - name: Configure AWS Credentials for Tests
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
+          role-session-name: JavaScriptTests 
+      - name: Test Coverage Node ${{matrix.node}}
+        env: 
+          NODE_OPTIONS: "--max-old-space-size=4096"
+        run: |
+          npm ci
+          npm run build
+          npm run coverage-node
+      - name: Test Coverage Browser ${{matrix.node}}
+        env: 
+          NODE_OPTIONS: "--max-old-space-size=4096"
+        run: |
+          npm run coverage-browser
+      - name: Test compliance
+        env: 
+          NODE_OPTIONS: "--max-old-space-size=4096"
+        run: |
+          npm run lint
+          npm run test_conditions
+      - name: Run Test Vectors Node ${{matrix.node}}
+        env:
+          NODE_OPTIONS: "--max-old-space-size=4096"
+          NPM_CONFIG_UNSAFE_PERM: true
+          PUBLISH_LOCAL: true
+        run: |
+          npm run verdaccio-publish
+          npm run verdaccio-node-decrypt
+          npm run verdaccio-node-encrypt
+      - name: Run Test Vectors Browser node ${{matrix.node}} 
+        env:
+          NODE_OPTIONS: "--max-old-space-size=4096"
+          NPM_CONFIG_UNSAFE_PERM: true
+          PUBLISH_LOCAL: true
+        run: |
+          npm run verdaccio-publish
+          npm run verdaccio-browser-decrypt
+          npm run verdaccio-browser-encrypt

.github/workflows/daily_ci.yml

@@ -0,0 +1,12 @@
+# This workflow runs every weekday at 15:00 UTC (8AM PDT)
+name: Daily CI
+
+on:
+  schedule:
+    - cron: "00 15 * * 1-5"
+
+jobs:
+  DAILY_CI:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/ci.yml

.gitignore

@@ -47,3 +47,5 @@ package.json.decrypt
 # they track the package.json version
 /modules/kms-keyring-browser/src/version.ts
 /modules/kms-keyring-node/src/version.ts
+/modules/branch-keystore-node/src/version.ts
+/modules/integration-node/src/version.ts

.gitmodules

@@ -4,3 +4,4 @@
 [submodule "aws-encryption-sdk-specification"]
 	path = aws-encryption-sdk-specification
 	url = https://github.com/awslabs/aws-encryption-sdk-specification.git
+	branch = master

CHANGELOG.md

@@ -3,6 +3,39 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [4.2.1](https://github.com/awslabs/aws-encryption-sdk-javascript/compare/v4.2.0...v4.2.1) (2025-04-10)
+
+### Bug Fixes
+
+- add serializationOptions flag for AAD UTF8 sorting ([#1581](https://github.com/awslabs/aws-encryption-sdk-javascript/issues/1581)) ([b80cad1](https://github.com/awslabs/aws-encryption-sdk-javascript/commit/b80cad14df361b4384aeed5753efb57c69d77377))
+
+# [4.2.0](https://github.com/awslabs/aws-encryption-sdk-javascript/compare/v4.1.0...v4.2.0) (2025-02-27)
+
+### Bug Fixes
+
+- include uuid as a dependency in material-management ([#1564](https://github.com/awslabs/aws-encryption-sdk-javascript/issues/1564)) ([dee213b](https://github.com/awslabs/aws-encryption-sdk-javascript/commit/dee213bc91dd0cde8dd177da52b739e10129f514))
+
+### Features
+
+- integration-node can produce decrypt manifests ([#1580](https://github.com/awslabs/aws-encryption-sdk-javascript/issues/1580)) ([95f0fa1](https://github.com/awslabs/aws-encryption-sdk-javascript/commit/95f0fa10b7d94ccc142fc2e89b2ffa49620285c9))
+
+# [4.1.0](https://github.com/awslabs/aws-encryption-sdk-javascript/compare/v4.0.2...v4.1.0) (2025-01-16)
+
+### Features
+
+- Adding the hierarchical keyring ([#1537](https://github.com/awslabs/aws-encryption-sdk-javascript/issues/1537)) ([43dcb16](https://github.com/awslabs/aws-encryption-sdk-javascript/commit/43dcb166d5ac76d744ea283808006f65915b9730))
+
+## [4.0.2](https://github.com/awslabs/aws-encryption-sdk-javascript/compare/v4.0.1...v4.0.2) (2024-10-21)
+
+**Note:** Version bump only for package aws-encryption-sdk-javascript
+
+## [4.0.1](https://github.com/awslabs/aws-encryption-sdk-javascript/compare/v4.0.0...v4.0.1) (2024-07-30)
+
+### Bug Fixes
+
+- Add CVE-2023-46809 option to integration node ([#1424](https://github.com/awslabs/aws-encryption-sdk-javascript/issues/1424)) ([84a7034](https://github.com/awslabs/aws-encryption-sdk-javascript/commit/84a703440aa7313ad0c779e50b7c052aa8dd5e7b))
+- **CI:** npx_verdaccio ([#1190](https://github.com/awslabs/aws-encryption-sdk-javascript/issues/1190)) ([1051f19](https://github.com/awslabs/aws-encryption-sdk-javascript/commit/1051f19578ba54bc476a30dedf5779576cf46d9f))
+
 # [4.0.0](https://github.com/awslabs/aws-encryption-sdk-javascript/compare/v3.2.2...v4.0.0) (2023-07-17)
 
 - feat!: Remove AWS SDK V2 Dependency (#1180) ([1d74248](https://github.com/awslabs/aws-encryption-sdk-javascript/commit/1d742489b436748a656ecc2abce00e99353d1d62)), closes [#1180](https://github.com/awslabs/aws-encryption-sdk-javascript/issues/1180)

codebuild/nodejs20.yml

@@ -5,8 +5,15 @@ env:
     NODE_OPTIONS: "--max-old-space-size=4096"
 
 phases:
-  install:
+  install: 
     commands:
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+
       - n 20
       - node --version ; npm --version
       - npm ci --unsafe-perm

karma.conf.js

@@ -127,6 +127,8 @@ function createCredentialPreprocessor() {
     // This will affect the generated (ES5) JS
     const regionCode = `var defaultRegion = '${region}';`
     const credentialsCode = `var credentials = ${JSON.stringify(credentials)};`
+    // See: https://github.com/aws/aws-sdk-js-v3/issues/5890
+    const expirationNeedsToBeDate = `credentials.expiration = new Date(credentials.expiration);`
     const isBrowser = `var isBrowser = true;`
     const contents = content.split('\n')
     let idx = -1
@@ -137,7 +139,7 @@ function createCredentialPreprocessor() {
         break
       }
     }
-    contents.splice(idx + 1, 0, regionCode, credentialsCode, isBrowser)
+    contents.splice(idx + 1, 0, regionCode, credentialsCode, expirationNeedsToBeDate, isBrowser)
     done(contents.join('\n'))
   }
 }

lerna.json

@@ -1,6 +1,6 @@
 {
   "packages": ["modules/*"],
-  "version": "4.0.0",
+  "version": "4.2.1",
   "command": {
     "bootstrap": {
       "nohoist": ["typedoc"]

modules/branch-keystore-node/.eslintrc.js

@@ -0,0 +1,12 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+module.exports = {
+  parserOptions: {
+    // There is an issue with @typescript-eslint/parser performance.
+    // It scales with the number of projects
+    // see https://github.com/typescript-eslint/typescript-eslint/issues/1192#issuecomment-596741806
+    project: '../../tsconfig.lint.json',
+    tsconfigRootDir: __dirname,
+  }
+}

modules/branch-keystore-node/.gitignore

@@ -0,0 +1,3 @@
+/node_modules/
+/build/
+/.nyc_output

modules/branch-keystore-node/CHANGELOG.md

@@ -0,0 +1,20 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+
+## [4.2.1](https://github.com/aws/aws-encryption-sdk-javascript/compare/v4.2.0...v4.2.1) (2025-04-10)
+
+### Bug Fixes
+
+- add serializationOptions flag for AAD UTF8 sorting ([#1581](https://github.com/aws/aws-encryption-sdk-javascript/issues/1581)) ([b80cad1](https://github.com/aws/aws-encryption-sdk-javascript/commit/b80cad14df361b4384aeed5753efb57c69d77377))
+
+# [4.2.0](https://github.com/aws/aws-encryption-sdk-javascript/compare/v4.1.0...v4.2.0) (2025-02-27)
+
+**Note:** Version bump only for package @aws-crypto/branch-keystore-node
+
+# [4.1.0](https://github.com/aws/aws-encryption-sdk-javascript/compare/v4.0.2...v4.1.0) (2025-01-16)
+
+### Features
+
+- Adding the hierarchical keyring ([#1537](https://github.com/aws/aws-encryption-sdk-javascript/issues/1537)) ([43dcb16](https://github.com/aws/aws-encryption-sdk-javascript/commit/43dcb166d5ac76d744ea283808006f65915b9730))