Security: Update Python to 3.12+ and fix dependency vulnerabilities

Author: Taniya [C] Mathur

CHANGELOG.md

@@ -15,6 +15,8 @@ SPDX-License-Identifier: MIT-0
 
 ### Changed
 
+- **Python 3.12+ now required** — Updated minimum Python version from 3.10 to 3.12 to address security vulnerabilities in transitive dependencies.
+
 - **Sync to BDA no longer auto-activates the config version** — Previously, performing "Sync to BDA" would automatically set the current config version as active. Since each config version now has its own BDA project, auto-activation is unnecessary. Users can manually choose which version to activate via the Versions table. The "Sync to BDA" confirmation modal text has been updated accordingly.
 
 - **Removed `Bedrock Data Automation (BDA) Project ARN` CloudFormation parameter** — The deploy-time `Pattern1BDAProjectArn` parameter has been removed as it was redundant with the per-config-version BDA project management already available in the Web UI, CLI, and GraphQL API. BDA projects are now managed entirely post-deployment: enable `use_bda: true` in your configuration, then use "Sync to BDA" to create or link a BDA project, or "Sync from BDA" to import from any existing BDA project. This simplifies the deployment experience (one fewer parameter) and better aligns the CloudFormation interface with the system's actual architecture. Existing deployed stacks are unaffected — runtime BDA project ARN resolution reads from DynamoDB per-version tracking, not from the CloudFormation parameter. Also removed the unused `nested/bda-lending-project/` directory (dead code not referenced by any template) and the legacy `BDA_PROJECT_ARN` environment variable fallback from the sync resolver.

CLAUDE.md

@@ -29,7 +29,7 @@ python3 publish.py idp-1234567890 idp us-east-1 --verbose
 ```
 
 The build process:
-- Checks system dependencies (AWS CLI, SAM CLI, Docker, Python 3.11+, Node.js 22.12+)
+- Checks system dependencies (AWS CLI, SAM CLI, Docker, Python 3.12+, Node.js 22.12+)
 - Builds CloudFormation templates and assets using SAM
 - Pattern-2 functions are built as container images; Pattern-1 and Pattern-3 use ZIP-based Lambdas
 - Uploads artifacts to S3 bucket named `<cfn_bucket_basename>-<region>`

CONTRIBUTING.md

@@ -37,7 +37,7 @@ opensource-codeofconduct@amazon.com with any additional questions or comments.
    - Bash shell (Linux, MacOS)
    - AWS CLI
    - AWS SAM CLI
-   - Python 3.11 or later
+   - Python 3.12 or later
    - Docker
 
 2. **Fork and Clone the Repository**:

docs/deployment.md

@@ -114,7 +114,7 @@ You need to have the following packages installed on your computer:
 1. bash shell (Linux, MacOS, Windows-WSL)
 2. aws (AWS CLI)
 3. [sam (AWS SAM)](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.html)
-4. python 3.11 or later
+4. python 3.12 or later
 5. A local Docker daemon
 6. Python packages: `pip install boto3 rich typer PyYAML botocore setuptools ruff build cfn-lint`
 7. **Node.js 22.12+** and **npm** (required for UI validation in publish script)

docs/idp-cli.md

@@ -66,7 +66,7 @@ https://github.com/user-attachments/assets/3d448a74-ba5b-4a4a-96ad-ec03ac0b4d7d
 
 ### Prerequisites
 
-- Python 3.10 or higher
+- Python 3.12 or higher
 - AWS credentials configured (via AWS CLI or environment variables)
 - An active IDP Accelerator CloudFormation stack
 

lib/idp_cli_pkg/pyproject.toml

@@ -11,14 +11,12 @@ version = "0.5.2.4"
 description = "Command-line interface for IDP Accelerator batch document processing"
 authors = [{name = "AWS"}]
 license = {text = "MIT-0"}
-requires-python = ">=3.10"
+requires-python = ">=3.12,<3.14"
 classifiers = [
     "Development Status :: 4 - Beta",
     "Intended Audience :: Developers",
     "License :: OSI Approved :: MIT License",
     "Programming Language :: Python :: 3",
-    "Programming Language :: Python :: 3.10",
-    "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
 ]

lib/idp_common_pkg/pyproject.toml

@@ -23,7 +23,7 @@ name = "idp_common"
 version = "0.5.2.4"
 description = "Common utilities for GenAI IDP Accelerator patterns"
 authors = [{ name = "AWS", email = "noreply@amazon.com" }]
-requires-python = ">=3.10,<3.14"
+requires-python = ">=3.12,<3.14"
 dependencies = [
   "boto3==1.42.0",      # Core dependency for AWS services
   "jsonschema>=4.25.1",

lib/idp_common_pkg/setup.py

@@ -130,7 +130,7 @@
         ]
     ),
     include_package_data=True,
-    python_requires=">=3.8",
+    python_requires=">=3.12,<3.14",
     install_requires=install_requires,
     extras_require=extras_require,
 )

lib/idp_common_pkg/uv.lock

@@ -11,15 +11,13 @@ version = "0.5.2.4"
 description = "Python SDK for IDP Accelerator - programmatic access to document processing capabilities"
 authors = [{name = "AWS"}]
 license = {text = "MIT-0"}
-requires-python = ">=3.10"
+requires-python = ">=3.12,<3.14"
 readme = "README.md"
 classifiers = [
     "Development Status :: 4 - Beta",
     "Intended Audience :: Developers",
     "License :: OSI Approved :: MIT License",
     "Programming Language :: Python :: 3",
-    "Programming Language :: Python :: 3.10",
-    "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
     "Topic :: Software Development :: Libraries :: Python Modules",