fix: upgrade aws-cdk-lib to fix HIGH minimatch vulnerability#91
Merged
- Upgrade aws-cdk-lib 2.240.0 → 2.241.0 (bundles patched minimatch 10.2.4)
- Upgrade constructs 10.1.139 → 10.5.0 (required by aws-cdk-lib@2.241.0)
- Upgrade jsii ^1.63.0 → ~5.9.9 (supports intersection-types assembly feature)
- npm audit --audit-level=high: 0 vulnerabilities

- Fix broken multi-line run: YAML block scalar syntax
- Upgrade Node.js 14.17.6 → 18.x (required by jsii ~5.9.9)
- Upgrade container jsii/superchain:1-buster-slim-node14 → 1-bookworm-slim-node18
- Upgrade actions/checkout@v2 → v4, actions/setup-node@v2.2.0 → v4
- Replace deprecated ::set-output with $GITHUB_OUTPUT

- … matchers
- Upgrade ts-jest ^27.1.5 → ^29.4.6 (supports jest ^29 || ^30)
- Upgrade @types/jest ^27.5.2 → ^30.0.0
- Replace deprecated jest preset with transform config
- Replace toBeCalled() with toHaveBeenCalled() (jest 30 deprecation)
- Replace toBeCalledWith() with toHaveBeenCalledWith()
- All tests passing (2 suites, 2 tests)

- Remove jsii/superchain container (only ships jsii 1.x)
- Add actions/setup-java@v4 and actions/setup-python@v5 for pacmak
- Upgrade aws-cdk-lib 2.240.0 → 2.241.0 (bundles patched minimatch 10.2.4)
- Upgrade jsii ^1.63.0 → ~5.9.9, typescript ^4.7.4 → ~5.9.3
- Upgrade constructs 10.1.139 → 10.5.0, jsii-docgen ^3.8.31 → ^10.11.14
- Add jsii-rosetta ~5.9.5
- Fix ts-jest/jest 30 compatibility, update deprecated test matchers
- npm audit: 0 vulnerabilities
svidgen approved these changes Mar 27, 2026
Summary

Fixes Dependabot alert (HIGH severity): minimatch ReDoS vulnerability bundled inside aws-cdk-lib@2.240.0. Since minimatch is bundled (not a regular transitive dep), npm overrides cannot fix it — upgrading aws-cdk-lib is the only viable path.

Vulnerability Fix

- npm audit --audit-level=high: 0 vulnerabilities

CI/Build Modernization (required by dependency upgrades)

The aws-cdk-lib upgrade required jsii 5.x, which cascaded into CI and toolchain changes:

- Removed jsii/superchain Docker container from CI — it only ships jsii 1.x. Replaced with actions/setup-java@v4 (Corretto 11) and actions/setup-python@v5 for pacmak.
- Fixed build.yml (multi-line run: block scalar)
- Replaced deprecated ::set-output with $GITHUB_OUTPUT

Test Compatibility Fixes

- Replaced deprecated jest config (preset/globals) with transform syntax
- toBeCalled() → toHaveBeenCalled(), toBeCalledWith() → toHaveBeenCalledWith()
- Added skipLibCheck: true and esnext.disposable to tsconfig.jest.json

Other

- Removed mavenEndpoint from .projenrc.js (incompatible with jsii 5.x Maven Central publishing)
- Removed .env from git tracking, added to .gitignore
- API.md regenerated by jsii-docgen 10.x (formatting changes only)

Verification

- npm audit: 0 vulnerabilities
- jsii: builds successfully (0 errors, 0 warnings)
- jest: 2 test suites, 2 tests passed