chore(deps): bump minimatch and aws-cdk-lib #27
Closed
dependabot[bot] wants to merge 20 commits into main from
Conversation
iam roles (8 specialized roles for deployment pipeline)
- handshake - trust establishment with external accounts
- lookup - resource discovery and validation
- assets - s3 asset upload/management
- images - ecr container image management
- deploy - cloudformation stack deployment
- exec - general cloudformation execution
- druidExec - druid-specific execution permissions
- webappExec - webapp-specific execution permissions
storage resources
- ecr repository for docker images
- s3 bucket for deployment artifacts/assets
encryption & parameters
- kms encryption key for data at rest
- ssm parameter for version/config storage
what the scripts do
scripts/grafana/create.sh - main entry point that:
1. validates input json with grafana cloud credentials
2. parses configuration (hosts, usernames, tokens, instance id, region)
3. calls create-integration.sh to set up grafana monitoring
scripts/grafana/create-integration.sh - creates grafana cloud integration:
1. creates grafana cloud access policy with monitoring scopes (metrics, logs, traces, profiles, alerts, rules)
2. generates 90-day access token for the policy
3. builds json payload with all grafana endpoints (prometheus, loki, tempo)
4. stores credentials in aws secrets manager as fastish-grafana-{alias}
this enables eks clusters to push observability data to grafana cloud for monitoring
… aws cdk default bootstrap resources
migrate to github-native workflows and add comprehensive tests
- add codeql workflow for typescript security scanning
- add dependency review for vulnerability detection on prs
- remove codecov integration, use github artifacts for coverage reports
- add comprehensive cdk infrastructure tests (bootstrap and storage stacks)
- update readme with testing documentation and examples
- remove unused code (nested stacks, extra iam roles, s3/ecr/kms/ssm constructs)
- clean up tests to focus on deployed resources only
bootstrap now only creates the handshake iam role for cross-account access, with focused tests validating security configurations
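The commit above says the bootstrap stack is reduced to the handshake role for cross-account access, with tests that validate its security configuration. The following is an added example of such a check, written for this page and not taken from the project: it inspects an IAM trust policy document and reports wildcard principals, non-assume actions, and a missing `sts:ExternalId` condition. The two policy documents are constructed; the project's actual role is not shown on this page, and requiring an external id is an assumed hardening rather than something the commit states.

```typescript
// Added example, not the project's code: a unit-style check on the trust
// policy of a cross-account "handshake" role. The policy documents below are
// constructed; requiring an sts:ExternalId condition is an assumed hardening.

type PrincipalMap = { AWS?: string | string[]; Service?: string | string[]; Federated?: string | string[] };
interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal?: PrincipalMap | "*";
  Action: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: string; Statement: TrustStatement[] }

// Only role assumption (plus session tagging) belongs in a trust policy.
const ALLOWED_ACTIONS = new Set(["sts:AssumeRole", "sts:TagSession"]);
// A bare 12-digit account id, an account root, or one specific role ARN; no wildcards.
const ACCOUNT_PRINCIPAL = /^(\d{12}|arn:aws:iam::\d{12}:(root|role\/[^*?]+))$/;

function toArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Returns a human-readable problem list; an empty list means the policy passes.
function trustPolicyProblems(doc: PolicyDocument): string[] {
  const problems: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    const where = `Statement[${i}]`;
    for (const a of toArray(s.Action)) {
      if (!ALLOWED_ACTIONS.has(a)) problems.push(`${where}: action ${a} does not belong in a trust policy`);
    }
    if (s.Principal === undefined || s.Principal === "*") {
      problems.push(`${where}: principal is a wildcard`);
    } else {
      if (s.Principal.Service !== undefined || s.Principal.Federated !== undefined) {
        problems.push(`${where}: a handshake role should trust AWS accounts only`);
      }
      const aws = toArray(s.Principal.AWS);
      if (aws.length === 0) problems.push(`${where}: no AWS principal`);
      for (const p of aws) {
        if (!ACCOUNT_PRINCIPAL.test(p)) problems.push(`${where}: principal ${p} is not a specific account or role`);
      }
    }
    // The external id blocks the confused-deputy case where a third party is
    // tricked into assuming this role on someone else's behalf.
    const externalIds = toArray(s.Condition?.StringEquals?.["sts:ExternalId"]).filter((v) => v.length > 0);
    if (externalIds.length === 0) problems.push(`${where}: no sts:ExternalId condition`);
  });
  return problems;
}

// Constructed: the kind of trust policy that should fail review.
const weakTrustPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: "sts:AssumeRole" }],
};

// Constructed: trusts one specific account and demands an external id.
const hardenedTrustPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111111111111:root" },
    Action: ["sts:AssumeRole", "sts:TagSession"],
    Condition: { StringEquals: { "sts:ExternalId": "handshake-example-id" } },
  }],
};

console.log("weak:", trustPolicyProblems(weakTrustPolicy));
console.log("hardened:", trustPolicyProblems(hardenedTrustPolicy));
```

Run against the synthesized template's `AWS::IAM::Role` `AssumeRolePolicyDocument` in a test, the function fails the build on a wildcard principal or a missing external id instead of leaving that to a manual read of the template.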
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.14.2.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)
---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v5)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
- remove auto-approval step (fails with GITHUB_TOKEN permissions)
- remove auto-merge functionality (requires manual review for safety)
- fix test runner to use npm instead of maven (typescript project)
- add proper labeling: patch-update, minor-update, major-update
- update summary messages for manual merge workflow
Bumps [constructs](https://github.com/aws/constructs) from 10.4.2 to 10.4.3.
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](aws/constructs@v10.4.2...v10.4.3)
---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.10.7 to 24.10.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 24.10.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps the aws-cdk group with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).
Updates `aws-cdk-lib` from 2.176.0 to 2.220.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.220.0/packages/aws-cdk-lib)
Updates `aws-cdk` from 2.176.0 to 2.1030.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1030.0/packages/aws-cdk)
---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.220.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1030.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...
Signed-off-by: dependabot[bot] <support@github.com>
remove .github/dependabot.yml as renovate now handles all version updates (maven, npm, github actions, and eks addons). dependabot security updates remain enabled via repository settings managed by ok-cli config. this eliminates duplicate dependency update prs while maintaining free security vulnerability scanning through dependabot.
replace deprecated deny-licenses option in dependency-review workflow with the modern license-check and allow-licenses format. this removes the deprecation warning while maintaining the same license restrictions (blocking GPL-2.0 and GPL-3.0 by only allowing permissive licenses).
summary: + rename synthesizer context variable to handshake
- change bin/bootstrap.ts to read from 'self' context instead of 'handshake'
- update cdk.context.json example to use 'subscriber' key
- remove unused cdk.version field from example context
- replace actions/setup-java with actions/setup-node
- change from maven cache to npm cache
- add npm ci step to install dependencies
- update build command from 'mvn clean compile' to 'npm run build'
- update file type checks from java to typescript/javascript
- update repository statistics to analyze typescript files
…orkflow
the health-check job in scheduled-maintenance.yml was redundant because test-and-analyze.yml already performs comprehensive build and quality checks on a similar schedule (monday 9am vs sunday 2am) plus on every push and pull request.
the scheduled-maintenance workflow now focuses solely on maintenance tasks:
- cleanup old workflow runs and artifacts
- mark and manage stale issues
- cleanup old caches
- gather repository statistics
build validation and health checks are handled by test-and-analyze.yml which provides more comprehensive quality gates including:
- build and test execution
- code coverage analysis
- eslint and typescript checks
- dependency audits
- owasp security scanning
removed cleanup-artifacts and cache-cleanup jobs as they are unnecessary - github has built-in retention settings that handle this automatically and more reliably.
github's built-in settings (settings → actions → general):
- artifact and log retention: configurable 1-400 days
- workflow run retention: automatic cleanup
- cache management: automatic eviction
scheduled-maintenance now focuses on:
- check-stale-issues: manage stale issue lifecycle
- repository-stats: gather repository metrics and insights
- add stackset-execution.ts for cross-account role configuration
- update bootstrap-stack.ts for stackset integration
- update cdk.json and cdk.context.json configurations
Bumps [minimatch](https://github.com/isaacs/minimatch) to 3.1.5 and updates ancestor dependencies [minimatch](https://github.com/isaacs/minimatch) and [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib). These dependencies need to be updated together.
Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)
Updates `minimatch` from 5.1.6 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)
Updates `aws-cdk-lib` from 2.225.0 to 2.240.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.240.0/packages/aws-cdk-lib)
---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
- dependency-name: aws-cdk-lib
  dependency-version: 2.240.0
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
📊 PR Statistics: ✅ PR Size: S (50-200 lines)
Dependency Review: The following issues were found:
- Vulnerabilities (package-lock.json); only vulnerabilities with severity moderate or higher are included
- License Issues (package-lock.json)
- OpenSSF Scorecard (scorecard details)
- Scanned Files
17d3d55 to c3d651e (Compare)
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps minimatch to 3.1.5 and updates ancestor dependencies minimatch and aws-cdk-lib. These dependencies need to be updated together.
Updates `minimatch` from 3.1.2 to 3.1.5
Commits
- 7bba978 3.1.5
- bd25942 docs: add warning about ReDoS
- 1a9c27c fix partial matching of globstar patterns
- 1a2e084 3.1.4
- ae24656 update lockfile
- b100374 limit recursion for **, improve perf considerably
- 26ffeaa lockfile update
- 9eca892 lock node version to 14
- 00c323b 3.1.3
- 30486b2 update CI matrix and actions
Updates `minimatch` from 5.1.6 to 5.1.9
Commits
- 7bba978 3.1.5
- bd25942 docs: add warning about ReDoS
- 1a9c27c fix partial matching of globstar patterns
- 1a2e084 3.1.4
- ae24656 update lockfile
- b100374 limit recursion for **, improve perf considerably
- 26ffeaa lockfile update
- 9eca892 lock node version to 14
- 00c323b 3.1.3
- 30486b2 update CI matrix and actions
Updates `aws-cdk-lib` from 2.225.0 to 2.240.0
Release notes
Sourced from aws-cdk-lib's releases.
... (truncated)
Changelog
Sourced from aws-cdk-lib's changelog.
... (truncated)
Commits
- e3ec6df chore: update analytics metadata blueprints
- e48ea41 chore: bump minimatch to ^10.2.1 to resolve ReDoS vulnerability (GHSA-3ppc-4f...
- 17b2d93 feat: update L1 CloudFormation resource definitions (#37039)
- a7de51c feat(eks-v2): graduate to stable 🚀 (#36950)
- a8914c2 Merge branch 'main' into merge-back/2.239.0
- 62d40f8 feat: update L1 CloudFormation resource definitions (#37034)
- e458da3 Merge branch 'v2-release' into pr-37033
- e906f86 chore(release): 2.239.0
- bc65c09 feat: update L1 CloudFormation resource definitions (#37031)
- 96714e6 Merge branch 'v2-release' into bump/2.239.0
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
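The PR body above bumps two separate minimatch lines (3.1.2 to 3.1.5 and 5.1.6 to 5.1.9) and says they must move together with aws-cdk-lib. The check a reviewer would want is that every copy of minimatch in package-lock.json, including nested ones, actually landed on a fixed version. The following is an added example written for this page, not code from this PR or the project: it walks a lockfile's `packages` map and reports every copy of a package below the fix for its major line. The lockfile fragment is constructed (the nesting of the 5.x copy under aws-cdk-lib is illustrative), and the fixed-version table uses the versions this PR names.

```typescript
// Added example, not code from this PR or the project: walk a package-lock.json
// (lockfileVersion 2 or 3, "packages" map keyed by node_modules path) and report
// every copy of a package that is still below the fixed version for its major
// line. The lockfile fragment is constructed; the fixed versions are the ones
// this PR names for minimatch (3.1.5 for 3.x, 5.1.9 for 5.x).

interface LockEntry { version?: string; dev?: boolean }
interface Lockfile { lockfileVersion: number; packages: Record<string, LockEntry> }
// Minimum safe version per major line.
type FixMap = Record<number, string>;
interface Finding { path: string; version: string; requires: string }

function parseVersion(v: string): number[] {
  // Drop any pre-release or build suffix; the comparison only needs x.y.z.
  const core = v.split(/[-+]/)[0] ?? v;
  return core.split(".").map((n) => parseInt(n, 10));
}

function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" in the key, so
// nested copies (node_modules/x/node_modules/minimatch) and scoped packages
// (node_modules/@types/node) both resolve correctly.
function packageNameFromKey(key: string): string {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function findUnfixed(lock: Lockfile, name: string, fixes: FixMap): Finding[] {
  const findings: Finding[] = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || entry.version === undefined || packageNameFromKey(key) !== name) continue;
    const major = parseVersion(entry.version)[0] ?? NaN;
    const fixed = fixes[major];
    if (fixed === undefined) {
      // A major line with no known fix is reported, not silently passed.
      findings.push({ path: key, version: entry.version, requires: "no fixed version known for this major line" });
    } else if (compareVersions(entry.version, fixed) < 0) {
      findings.push({ path: key, version: entry.version, requires: `>=${fixed}` });
    }
  }
  return findings;
}

const MINIMATCH_FIXES: FixMap = { 3: "3.1.5", 5: "5.1.9" };

function auditMinimatch(lock: Lockfile): Finding[] {
  return findUnfixed(lock, "minimatch", MINIMATCH_FIXES);
}

// Constructed lockfile fragment in the state before this PR; the nesting of the
// 5.x copy under aws-cdk-lib is illustrative, not taken from the real lockfile.
const beforeLock: Lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { version: "0.1.0" },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/aws-cdk-lib/node_modules/minimatch": { version: "5.1.6" },
    "node_modules/@types/node": { version: "24.10.0", dev: true },
  },
};

// The same fragment after the bump.
const afterLock: Lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { version: "0.1.0" },
    "node_modules/minimatch": { version: "3.1.5" },
    "node_modules/aws-cdk-lib/node_modules/minimatch": { version: "5.1.9" },
    "node_modules/@types/node": { version: "24.10.0", dev: true },
  },
};

console.log("before:", auditMinimatch(beforeLock));
console.log("after:", auditMinimatch(afterLock));
```

To use it on a real repository, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail CI when the returned list is non-empty; an advisory's fixed versions go into the `FixMap`, one entry per affected major line, which is exactly why this PR needed both 3.1.5 and 5.1.9.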