Update package.json and aws packages to fix CVE-2026-26278

[cteyton]

AWS packages have been updated to fix this vulnerability:
GHSA-jmr7-xgp7-cmfj

AWs have been updated last night to fix these issues.

[greptile-apps]

Greptile Summary

This PR updates AWS SDK packages from version 3.600.0 to 3.993.0 to address CVE-2026-26278, replacing @aws-sdk/protocol-http and @aws-sdk/signature-v4 with their @smithy/* equivalents.

Critical Issue Found:

• The package dependencies were updated, but src/custom/util.ts:6-7 still imports from the old @aws-sdk/protocol-http and @aws-sdk/signature-v4 packages which are no longer in the dependency tree
• This will cause runtime errors when the AWS IAM authentication code attempts to execute
• Either the source code imports need to be updated to use @smithy/* packages, or the old @aws-sdk/* packages need to be kept alongside the new ones

Additional Concerns:

• The CVE identifier mentions year 2026, which should be verified against the GitHub advisory
• No tests were run or updated to verify the changes work correctly
• This qualifies as a breaking change per Rule 7 from custom instructions

Confidence Score: 0/5

• This PR will break AWS IAM authentication functionality at runtime
• The code imports packages that were removed from dependencies, causing guaranteed import errors when AWS authentication is used. This is a critical breaking change that will prevent the SDK from functioning properly.
• package.json requires either keeping old @aws-sdk/* packages or updating source code in src/custom/util.ts to use new @smithy/* imports

Important Files Changed

Filename	Overview
package.json	Updated AWS SDK packages to fix CVE, but created breaking change - source code still uses old @aws-sdk/* imports that were replaced with @smithy/* packages
package-lock.json	Lock file updated to reflect package.json changes - old @aws-sdk/protocol-http and @aws-sdk/signature-v4 packages completely removed from dependency tree

_{Last reviewed commit: f3c5d41}

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

CVE year 2026 seems unusual. Verify that CVE-2026-26278 is correct. Check the linked GitHub advisory (GHSA-jmr7-xgp7-cmfj) to confirm which AWS SDK versions address the vulnerability.

[cteyton]

Yeah I know you've been learning until 2025, but trust me we're now in 2026 :-)

[maidul98]

@cteyton It looks like you are introducing a new major version. Can you describe the testing process you went through?