June 30, 2026 · v1.3.70
v1.3.70 adds the SNS mobile-push endpoint lifecycle and CloudFormation AWS SAM transform expansion, plus IAM group-policy management, alongside fixes for S3 to EventBridge event shapes, OIDC discovery caching, Lambda worker resource leaks, and Cognito Basic-auth credential decoding.
AWS::Serverless-2016-10-31) templates are expanded into native CloudFormation. A template carrying Transform: AWS::Serverless-2016-10-31 now has its AWS::Serverless::* resources expanded into native CloudFormation before provisioning, via the canonical aws-sam-translator — the same library the AWS SAM CLI uses — matching AWS's server-side transform on CreateStack, UpdateStack, and CreateChangeSet. The translator ships in the full image only; a lean image that receives a SAM template returns a clear error pointing at the full image rather than silently failing to expand. Basic Function / SimpleTable / Api shapes are expanded; SAM managed-policy templates are not fully expanded yet. Contributed by @maximoosemine.

AttachGroupPolicy, DetachGroupPolicy, ListAttachedGroupPolicies, PutGroupPolicy, GetGroupPolicy, DeleteGroupPolicy, and ListGroupPolicies are now implemented, matching the existing User and Role coverage, so the create-group then attach-managed-and-inline-policy pattern works instead of returning InvalidAction: Unknown IAM action. Contributed by @maxflorentin.

GetEndpointAttributes, SetEndpointAttributes, DeleteEndpoint, and DeletePlatformApplication complete the platform-endpoint flow on top of the existing CreatePlatformApplication / CreatePlatformEndpoint. CreatePlatformEndpoint now dedups by device token (AWS behavior): the same Token returns the existing endpoint ARN when CustomUserData matches and raises InvalidParameter when it differs. Publish to a platform-endpoint TargetArn now succeeds (stub delivery) instead of returning Topic does not exist, and DeletePlatformApplication is idempotent and drops its endpoints. Contributed by @sjincho.

detail-type, reason, and deletion-type. Delivery built the detail-type by string-mangling the granular notification event name (Object ObjectCreated Put instead of AWS's fixed Object Created), hardcoded detail.reason to PutObject for every event, and omitted detail.deletion-type on deletes. Because EventBridge rules match on detail-type, any rule written to the AWS-documented type (e.g. ["Object Created"]) silently never matched. Each S3 event family now maps to its fixed EventBridge detail-type, with the per-API reason and a deletion-type on Object Deleted. Contributed by @lucasmfraser.

jwks_uri = None for the full 7200s TTL and every subsequent JWT validation for that issuer fell back to the wrong default path and returned 401/404 for up to two hours, recoverable only by a restart. Discovery now writes the 7200s cache only on success and a short 60s negative cache on failure, so auth recovers within a minute of the issuer becoming reachable while still avoiding a re-run on every request. Contributed by @Pratham2703005.

+ is no longer corrupted. The Authorization: Basic credential decode used unquote_plus, which turns a literal + in a Cognito-generated secret into a space, so client_secret_basic failed with invalid_client for the roughly half of generated secrets that contain a +. It now uses unquote, preserving + while still decoding %2F / %2B. Contributed by @jgrumboe.

docker pull ministackorg/ministack:1.3.70
docker run -d -p 4566:4566 ministackorg/ministack:1.3.70
SAM transform expansion requires the full image:
docker pull ministackorg/ministack:1.3.70-full
Or pin in compose.yaml:
services:
  ministack:
    image: ministackorg/ministack:1.3.70
    ports:
      - "4566:4566"
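
The OIDC discovery caching fix in the notes above (7200s cache on success, 60s negative cache on failure), sketched as an added example that is not MiniStack's own code. The DiscoveryCache class, the fetch callable, the issuer URL and the JWKS path are assumptions constructed for illustration.

```python
import time

SUCCESS_TTL = 7200   # seconds, as stated in the release note
NEGATIVE_TTL = 60    # seconds, as stated in the release note


class DiscoveryCache:
    """Caches jwks_uri per issuer; a failed discovery gets a short-lived entry."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch    # hypothetical callable: issuer -> jwks_uri, raises on failure
        self._clock = clock    # injectable so expiry can be exercised offline
        self._entries = {}     # issuer -> (jwks_uri or None, expires_at)

    def jwks_uri(self, issuer):
        now = self._clock()
        hit = self._entries.get(issuer)
        if hit and now < hit[1]:
            return hit[0]      # None here means "failed recently, do not retry yet"
        try:
            uri, ttl = self._fetch(issuer), SUCCESS_TTL
        except Exception:
            # The pre-fix behaviour described above stored None with SUCCESS_TTL,
            # pinning the failure for two hours. Failures expire quickly instead.
            uri, ttl = None, NEGATIVE_TTL
        self._entries[issuer] = (uri, now + ttl)
        return uri


def simulate_outage(outage_seconds, probe_times):
    """Constructed scenario: the issuer is unreachable for the first outage_seconds."""
    t = [0]
    calls = []             # times at which discovery was actually attempted

    def fetch(issuer):
        calls.append(t[0])
        if t[0] < outage_seconds:
            raise ConnectionError("issuer unreachable")
        return issuer + "/.well-known/jwks.json"   # constructed path

    cache = DiscoveryCache(fetch, clock=lambda: t[0])
    results = []
    for when in probe_times:
        t[0] = when
        results.append(cache.jwks_uri("https://idp.example"))
    return results, calls
```

A caller that receives None should treat the token as unverifiable until the negative entry expires.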
Issues and PRs welcome on GitHub. Discussion on r/ministack.