Releases: aws-solutions/distributed-load-testing-on-aws

v4.1.0

19 May 20:47
243222e

Added

  • Task Orchestration Rewrite - Replaced the legacy step function orchestration with a new multi-region parallel architecture using Map states, EventBridge-routed failure handling, a regional sync barrier, fast failure detection for Taurus and JVM errors, and structured JSON logging in ECS tasks
  • Command-Line Interface (CLI) - Added a TypeScript CLI for headless interaction with the DLT solution, supporting browser-based and token-based authentication, baseline comparison with semantic coloring, batch start, and single-file portable bundle via esbuild
  • ALB + ECS Web Console Deployment - Added an alternative deployment option that hosts the web console on ALB with ECS Fargate via an nginx container, enabling deployment in restricted network environments
  • Headless Deployment Option - Added an API-only deployment stack with no web console, designed for CLI and MCP-driven workflows
  • Partition-Aware Resource References - Added partition-aware ARN construction and service endpoint resolution to support deployment in non-standard AWS partitions
  • Timezone-Aware Scheduling - Added timezone selection to cron-based scheduling so users can schedule tests in their local timezone rather than UTC only
  • Cognito Hosted UI Authentication - Added Cognito Hosted UI with UUID-based domain prefix, OAuth code flow, branded login page, and CloudWatch logging for the user pool
  • Version Compatibility Checks - Added a version compatibility file that blocks and displays incompatible test runs when regional stacks are on a different version than the primary stack
  • New Version Notification - Added a notification banner in the UI when a newer DLT version is available
  • Cancelled Test Run History - Added cancelled test runs to the history table, now visible from the UI

Changed

  • ARM64 Lambda Architecture - Migrated all Lambda functions from x86_64 to ARM64 (Graviton2) for improved cost-performance
  • Backwards Compatibility (v3 to v4) - Implemented a custom resource to migrate scheduled test payloads when upgrading from v3 to v4
  • Stack Tag Propagation - Propagated stack-level CloudFormation tags to ECS tasks
  • Improved Cron Validation - Replaced generic cron errors with field-specific error messages and corrected expiry date comparison to use end-of-day UTC
  • Improved Traffic Shape Validation - Replaced single generic error with multiple granular error messages for traffic shape configuration

Fixed

  • Premature Terminal States - Deferred terminal status write to the final step function step to prevent tests from appearing complete before cleanup finishes
  • Scenario Deletion Safety - Prevented scenario deletion while tests are in a non-terminal state; delete requests for running or cancelling scenarios are now rejected with 409 Conflict
  • Race Condition in Scenario Creation - Fixed a race condition that produced empty test scenarios
  • Regional Stack Crash - Fixed unhandled TypeError on a deleted regional stack
  • Edit Scenario with Special Characters - Fixed form population failure when editing scenarios containing special characters
  • Cancel Test Endpoint - Fixed the web UI to use the correct API endpoint for the cancel test action
  • Auth Redirect Loops - Fixed stale OAuth callback params and auth redirect race conditions
  • Result File Handling - Updated test orchestration to handle result files in cases of task failures
  • EventBridge Rule Cleanup - Cleaned up EventBridge rules created by scheduled tests as part of stack deletion, preventing orphaned rules

Security

  • WAF Protection - Added WAF WebACL with AWS managed rule groups for the ALB+ECS deployment
  • Cognito Refresh Token Rotation - Enabled refresh token rotation to limit token reuse
  • Non-Root Web Console Container - Configured the nginx-based web console container to run as a non-root user
  • CSP Hardening - Reduced wildcards in Content Security Policy for CloudFront and dynamically generated CSP for ALB-ECS deployments
  • IoT Policy Scoping - Scoped down overly permissive IoT policy to least-privilege
  • ECS Task Role Separation - Split the shared ECS execution role into a dedicated task role scoped to only what the container workload requires
  • OAuth Scope Reduction - Removed the overly permissive aws.cognito.signin.user.admin OAuth scope
  • Container Base Images - Pinned both the load tester (amazonlinux:2023-minimal) and web console (nginx:alpine) container images to latest security-patched digests

v4.0.16

13 May 16:00
4aef930

[4.0.16] - 2026-05-05

Security

  • Upgraded Apache Log4j Core from 2.22.1 to 2.25.4 (log4j-core, log4j-api, log4j-1.2-api, log4j-slf4j-impl)
  • Updated Docker base image (amazonlinux:2023-minimal) to latest sha256 digest

v4.0.15

17 Apr 18:18
5945ce0

[4.0.15] - 2026-04-17

Security

  • Upgrade vulnerable npm and container image dependencies

v4.0.14

10 Apr 19:22
4165e8e

[4.0.14] - 2026-04-10

Security

  • Upgrade vulnerable npm dependencies
  • Upgrade Lambda runtime from Node.js 20 to Node.js 24 to address Issue #277

v4.0.13

03 Apr 21:20
76146f2

[4.0.13] - 2026-04-03

Security

  • Upgrade npm dependencies to address vulnerabilities in handlebars and lodash.

v4.0.12

19 Mar 18:48
b8268f8

[4.0.12] - 2026-03-19

Security

  • Updated Docker base image (amazonlinux:2023-minimal) to latest digest to incorporate latest OS-level security patches
  • Regenerated package-lock.json files to pull in latest dependency resolutions, including:

v4.0.11

06 Mar 23:50
3379d73

[4.0.11] - 2026-03-05

Security

  • Upgrade npm dependencies to address vulnerabilities in minimatch and rollup.
  • Upgrade jackson-core, jackson-databind, and jackson-annotations to 2.18.6 to address GHSA-72hv-8253-57qq

v4.0.10

23 Feb 22:16
8a418b7

[4.0.10] - 2026-02-23

Added

  • Add support for k6 typescript scripts (#282)

Changed

  • Include CloudFormation parameters AutoUpdateContainerImage and DeployMcpServer in usage telemetry

Fixed

  • Remove conditions that disable the Auto Refresh button in the front-end
  • Fix timezone conversion defects in the front-end
  • Add HEAD permission to CORS to fix multi-part uploads (#293)

Security

  • Upgrade aws-sdk to resolve fast-xml-parser CVE-2026-26278
  • Replace uuid package with native crypto.randomUUID in order to comply with RFC 4122.

Warning

KNOWN VULNERABILITY NOTICE: CVE-2026-26996 (minimatch ReDoS, CVSS 8.7)

DLT uses minimatch 3.1.2 as a build/dev dependency (eslint, jest, aws-cdk-lib).
Minimatch is not included in DLT deployed artifacts, such as Lambda functions and ECS containers.

DLT will be updated after this vulnerability has been resolved in eslint, jest, and aws-cdk-lib.

v4.0.9

12 Feb 16:32
0fc3961

[4.0.9] - 2026-02-11

Changed

  • Increased JMeter heap size for improved test stability

Security

  • Updated Docker base image (amazonlinux:2023-minimal) to latest digest to address HIGH severity vulnerabilities in curl, libcurl, gnupg2, libgcrypt, gnutls, systemd, and nettle
  • Updated Docker base image (amazonlinux:2023-minimal) to address vulnerabilities in:
  • Upgraded axios to 1.13.5 to address denial-of-service vulnerability in CVE-2026-25639
  • Pinned @aws-amplify/ui-react to version 6.13.2 and added lodash override (^4.17.23) to address prototype pollution vulnerability in CVE-2020-8203

v4.0.8

04 Feb 20:04
e3b4e12

[4.0.8] - 2026-02-04

Security

  • Upgrade aws-sdk to v3.981.0 to address vulnerability in CVE-2026-25128