
fix: bump AWS SDK dependencies to fix CVE-2026-26278 #33

Open
IgorHorta wants to merge 4 commits into main from igor/eng-4641-bump-aws-dependency-versions-in-node-sdk

Conversation

@IgorHorta

Summary

  • Bumped @aws-sdk/credential-providers from 3.600.0 to 3.993.0
  • Replaced deprecated @aws-sdk/protocol-http with @smithy/protocol-http ^5.3.8
  • Replaced deprecated @aws-sdk/signature-v4 with @smithy/signature-v4 ^5.3.8

Security

Fixes CVE-2026-26278 introduced by the outdated AWS SDK packages.

Breaking Changes

These updated packages require Node.js >= 20. If you are running an older Node.js version, please upgrade before updating the SDK.

Test plan

  • Verify AWS IAM auth still works end-to-end
  • Confirm no regressions in secret fetching with AWS credentials

@linear

linear bot commented Mar 7, 2026

@greptile-apps

greptile-apps bot commented Mar 7, 2026

Greptile Summary

This PR addresses CVE-2026-26278 by bumping @aws-sdk/credential-providers from 3.600.0 to 3.993.0 and replacing the deprecated @aws-sdk/protocol-http / @aws-sdk/signature-v4 packages with their canonical @smithy successors. The source change in src/custom/util.ts is a straightforward import swap — the public API of HttpRequest and SignatureV4 is unchanged, so no functional regression is expected.

Key findings:

  • The engines field is missing from package.json. The PR explicitly introduces a Node.js >= 20 requirement, but without this field npm will silently install on older runtimes, causing confusing failures.
  • @aws-sdk/credential-providers is still pinned to an exact version (3.993.0) while the two new @smithy packages use a ^ semver range. This inconsistency means future security patches to credential-providers will not be picked up automatically — the opposite of the intent behind this security-focused PR.
  • No logic or security regressions were identified in the updated code.

Confidence Score: 4/5

  • Safe to merge; the code change is minimal and correct, though two packaging housekeeping items should be addressed.
  • The source-level change is a one-for-one import swap with no API surface changes. The CVE fix is the right approach. The only concerns are non-blocking packaging issues: a missing engines field and inconsistent version pinning in package.json.
  • package.json — missing engines field for the Node.js >= 20 requirement and inconsistent semver pinning for @aws-sdk/credential-providers.

Important Files Changed

Filename Overview
src/custom/util.ts Updated imports from deprecated @aws-sdk/protocol-http and @aws-sdk/signature-v4 to their @smithy equivalents; the API surface (HttpRequest, SignatureV4) is unchanged so no functional regression is expected.
package.json Dependencies updated correctly, but @aws-sdk/credential-providers remains exactly-pinned (3.993.0) while new @smithy packages use ^ ranges, and there is no engines field to enforce the newly introduced Node.js >= 20 requirement.
package-lock.json Lock file regenerated to reflect the updated dependency tree; no concerns beyond what is tracked in package.json.

Last reviewed commit: ed7169e

IgorHorta and others added 2 commits March 6, 2026 21:29
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

| SDK version | Node.js version |
|-------------|-----------------|
| >= v5 | >= 20 |
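Review bot: the table documents the Node.js >= 20 floor but nothing enforces it; the package.json in this PR has no engines field (see the Greptile finding above), so an install on an older Node.js proceeds and fails later at runtime. Add `"engines": { "node": ">=20" }` to package.json in the same change so the table and the manifest agree.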
Member


Let's also add that >=v4 supports Node.js >=14. We should make it clear that v5 is LTS and that future updates will be released for v5.

Author


I was unsure if it was exactly 14, that's why I did not add it. Will add it now!

Clarify Node.js version requirements for SDK v5.
@IgorHorta IgorHorta requested a review from varonix0 March 7, 2026 00:41
| SDK version | Node.js version |
|-------------|-----------------|
| >= v5 | >= 20 |
| < v5 | >= 14 |
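Review bot: the `< v5 | >= 14` row says which Node.js versions the older majors run on but not that they stop receiving updates; since the PR description states the CVE-2026-26278 fix requires Node.js >= 20 and the reviewer asks that v5 be marked as the LTS line, a reader on Node.js 14 to 18 could take this row as permission to stay on v4 and miss the fix. Add a sentence next to the table that v5 is the supported line and that older majors receive no further updates.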
Member


Can we say <=v4 instead of < v5?
