
fix: Resolved vulnerabilities in examples#276

Merged: revmischa merged 1 commit into jetbridge:main from Darasimi-Ajewole:273-fix-vulnerabilities on Feb 9, 2026

Conversation

@Darasimi-Ajewole

Contributor

Fixes #273

@revmischa revmischa merged commit 8b575e3 into jetbridge:main Feb 9, 2026
14 of 17 checks passed

Copilot AI left a comment


Pull request overview

Updates the repository’s example projects to reduce security scanner findings by refreshing dependencies/lockfiles and excluding the examples/ directory from the published npm package.

Changes:

  • Upgraded example app dependencies (CDK, constructs, esbuild, tsx, cdk-nag) and regenerated pnpm lockfiles (now lockfileVersion 9).
  • Added /examples/** to .npmignore (and projen config) so examples aren’t included in the published package.
  • Bumped example projects to newer CDK-related transitive packages via lockfile refresh.

Reviewed changes

Copilot reviewed 7 out of 12 changed files in this pull request and generated 14 comments.

Summary per file:
  • examples/app-router/package.json: Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.).
  • examples/app-router/pnpm-lock.yaml: Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format.
  • examples/app-pages-router/package.json: Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.).
  • examples/app-pages-router/pnpm-lock.yaml: Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format.
  • examples/pages-router/package.json: Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.).
  • examples/pages-router/pnpm-lock.yaml: Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format.
  • examples/high-security/package.json: Updates example deps including cdk-nag.
  • examples/high-security/pnpm-lock.yaml: Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format.
  • examples/multiple-sites/package.json: Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.).
  • .projenrc.ts: Configures projen to exclude /examples/** from npm packaging via npmignore.
  • .npmignore: Excludes /examples/** from published npm package contents.
Files not reviewed (5)
  • examples/app-pages-router/pnpm-lock.yaml: Language not supported
  • examples/app-router/pnpm-lock.yaml: Language not supported
  • examples/high-security/pnpm-lock.yaml: Language not supported
  • examples/multiple-sites/pnpm-lock.yaml: Language not supported
  • examples/pages-router/pnpm-lock.yaml: Language not supported


Comment on lines +11 to +12
"aws-cdk": "^2.1105.0",
"esbuild": "^0.25.12",
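Review bot: Neither this hunk nor the PR body ("Fixes #273") says which scanner findings the aws-cdk ^2.1105.0 and esbuild ^0.25.12 bumps are meant to close. Listing the advisory IDs per package in the description would let a reviewer confirm against the regenerated lockfile that the flagged versions no longer resolve, and that each caret range's floor sits above the affected versions, since that floor is all a fresh install without the lockfile guarantees.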

Copilot AI Feb 9, 2026


The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.

"esbuild": "^0.19.8",
"tsx": "^4.6.2",
"aws-cdk": "^2.1105.0",
"esbuild": "^0.25.12",
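Review bot: This hunk raises the direct esbuild pin from ^0.19.8 to ^0.25.12 while the tsx entry beside it (^4.6.2 removed here) moves to a line that brings its own esbuild, identified in the comment below as 0.27.x; the two pins are on different lines, so two esbuild copies get installed and the scanner this PR is meant to satisfy will still see both. Either drop the direct devDependency if no script in the example invokes esbuild itself, or move it onto the same range tsx requires.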

Copilot AI Feb 9, 2026


tsx@^4.21.0 pulls in esbuild@0.27.x (per the lockfile), but this package.json also depends on esbuild@^0.25.12, which results in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.

Suggested change
"esbuild": "^0.25.12",

Comment on lines +11 to +13
"aws-cdk": "^2.1105.0",
"esbuild": "^0.25.12",
"tsx": "^4.21.0",

Copilot AI Feb 9, 2026


The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.

"esbuild": "^0.19.8",
"tsx": "^4.6.2",
"aws-cdk": "^2.1105.0",
"esbuild": "^0.25.12",

Copilot AI Feb 9, 2026


tsx@^4.21.0 pulls in esbuild@0.27.x (per the lockfile), but this package.json also depends on esbuild@^0.25.12, which results in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.

Suggested change
"esbuild": "^0.25.12",

@@ -1,464 +1,374 @@
lockfileVersion: '6.0'
lockfileVersion: '9.0'
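Review bot: The hunk header @@ -1,464 +1,374 @@ shows the whole lockfile was rewritten in the 9.0 format, so the lockfileVersion line cannot be reverted on its own without leaving a header that disagrees with the body; pinning pnpm (a packageManager field in the example's package.json) is the change that keeps the file usable by contributors on older pnpm. Also worth confirming that the 90-line reduction comes from the new layout and not from dependencies dropped during regeneration: a before/after listing of the resolved package@version keys would settle it.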

Copilot AI Feb 9, 2026


This lockfile was upgraded to lockfileVersion 9.0 (pnpm v9+). Since examples/install.sh and the examples README just run pnpm i without pinning a pnpm version, contributors using older pnpm will fail to install. Consider adding a packageManager field (e.g. pnpm@9.x) to the example package.json (or otherwise documenting/enforcing the required pnpm version).

Suggested change
lockfileVersion: '9.0'
lockfileVersion: '6.0'

Comment on lines +11 to +12
"aws-cdk": "^2.1105.0",
"esbuild": "^0.25.12",

Copilot AI Feb 9, 2026


The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.

@@ -1,464 +1,374 @@
lockfileVersion: '6.0'
lockfileVersion: '9.0'

Copilot AI Feb 9, 2026


This lockfile was upgraded to lockfileVersion 9.0 (pnpm v9+). Since examples/install.sh and the examples README just run pnpm i without pinning a pnpm version, contributors using older pnpm will fail to install. Consider adding a packageManager field (e.g. pnpm@9.x) to the example package.json (or otherwise documenting/enforcing the required pnpm version).

Suggested change
lockfileVersion: '9.0'
lockfileVersion: '6.0'

Comment on lines +11 to +14
"aws-cdk": "^2.1105.0",
"cdk-nag": "^2.37.55",
"esbuild": "^0.25.12",
"tsx": "^4.21.0",

Copilot AI Feb 9, 2026


The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.

"tsx": "^4.6.2",
"aws-cdk": "^2.1105.0",
"cdk-nag": "^2.37.55",
"esbuild": "^0.25.12",

Copilot AI Feb 9, 2026


tsx@^4.21.0 pulls in esbuild@0.27.x (per the lockfile), but this package.json also depends on esbuild@^0.25.12, which results in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.

Suggested change
"esbuild": "^0.25.12",
"esbuild": "^0.27.0",

"esbuild": "^0.19.3",
"tsx": "^3.12.10",
"aws-cdk": "^2.1105.0",
"esbuild": "^0.25.12",
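Review bot: This example's lockfile is listed under "Files not reviewed", so the duplicate-esbuild concern (^0.25.12 pinned here next to whatever the tsx bump resolves) cannot be confirmed from this diff. Before merging, run pnpm why esbuild in examples/multiple-sites and attach the output, or align the pin the same way as for the other examples.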

Copilot AI Feb 9, 2026


tsx@^4.21.0 pulls in esbuild@0.27.x in pnpm installs, but this package.json also depends on esbuild@^0.25.12, which can result in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.

Suggested change
"esbuild": "^0.25.12",
"esbuild": "^0.27.0",

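As an added example, not code from the jetbridge project or this PR, the following dependency-free Node script checks a pnpm v9 lockfile for the two findings raised repeatedly in the comments above: a package resolved to more than one version (the esbuild 0.25.x / 0.27.x situation) and a lockfileVersion that no packageManager pin in package.json covers. The lockfile text, the package.json objects, the integrity placeholders, the pnpm version numbers and the lockfileVersion-to-pnpm-major mapping are all constructed or assumed here, not taken from the repository.

```javascript
// Added example, not the jetbridge project's own code: a dependency-free Node
// audit of a pnpm v9 lockfile for (1) packages present in more than one version
// and (2) a lockfileVersion that the package.json packageManager pin does not cover.
// All data below (lockfile text, package.json objects, integrity strings, pnpm
// versions) is constructed sample data, not the repository's files.

// ASSUMED mapping from lockfileVersion to the lowest pnpm major that writes it
// (pnpm 7 -> 5.4, pnpm 8 -> 6.0, pnpm 9 and later -> 9.0).
const MIN_PNPM_FOR_LOCKFILE = { '5.4': 7, '6.0': 8, '9.0': 9 };

// Constructed v9-style lockfile: esbuild is pinned directly at 0.25.12 while tsx
// depends on 0.27.0, so both copies (and both platform binaries) are resolved.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

packages:
  '@esbuild/linux-x64@0.25.12':
    resolution: {integrity: sha512-constructed-placeholder}
  '@esbuild/linux-x64@0.27.0':
    resolution: {integrity: sha512-constructed-placeholder}
  esbuild@0.25.12:
    resolution: {integrity: sha512-constructed-placeholder}
  esbuild@0.27.0:
    resolution: {integrity: sha512-constructed-placeholder}
  tsx@4.21.0:
    resolution: {integrity: sha512-constructed-placeholder}

snapshots:
  esbuild@0.25.12: {}
  esbuild@0.27.0: {}
  tsx@4.21.0:
    dependencies:
      esbuild: 0.27.0
`;

// Constructed package.json texts: one without a pnpm pin, one pinned to pnpm 9.
const UNPINNED_PACKAGE_JSON = JSON.stringify({ name: 'example-app', devDependencies: { esbuild: '^0.25.12', tsx: '^4.21.0' } });
const PINNED_PACKAGE_JSON = JSON.stringify({ name: 'example-app', packageManager: 'pnpm@9.15.0', devDependencies: { esbuild: '^0.25.12', tsx: '^4.21.0' } });

// Read the `lockfileVersion: '9.0'` header; null if the file has none.
function lockfileVersion(lockText) {
  const m = /^lockfileVersion:\s*'?([\d.]+)'?\s*$/m.exec(lockText);
  return m ? m[1] : null;
}

// name -> sorted list of versions, read from the `name@version:` keys of the
// top-level `packages:` block (the block ends at the next unindented key).
function resolvedVersions(lockText) {
  const versions = new Map();
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) { inPackages = line === 'packages:'; continue; }
    if (!inPackages) continue;
    const m = /^ {2}'?([^'\s]+?)'?:\s*$/.exec(line); // exactly two-space indent = package key
    if (!m) continue;
    const key = m[1].replace(/\(.*$/, '');            // strip any peer-dependency suffix
    const at = key.lastIndexOf('@');                   // scoped names start with '@', so use the last one
    if (at <= 0) continue;
    const name = key.slice(0, at);
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(key.slice(at + 1));
  }
  return new Map([...versions].map(([name, set]) => [name, [...set].sort()]));
}

// Only the packages that the lockfile resolves to more than one version.
function duplicateVersions(lockText) {
  const dups = {};
  for (const [name, list] of resolvedVersions(lockText)) if (list.length > 1) dups[name] = list;
  return dups;
}

// Does package.json pin a pnpm that can read this lockfile? Returns { ok, reason }.
function checkPackageManager(packageJsonText, lockText) {
  const lv = lockfileVersion(lockText);
  const needed = MIN_PNPM_FOR_LOCKFILE[lv];
  if (needed === undefined) return { ok: false, reason: `unrecognised lockfileVersion ${lv}` };
  const pin = JSON.parse(packageJsonText).packageManager;
  const m = pin ? /^pnpm@(\d+)\./.exec(pin) : null;
  if (!m) return { ok: false, reason: `lockfileVersion ${lv} needs pnpm >= ${needed} but package.json does not pin pnpm (packageManager: ${pin ?? 'missing'})` };
  const major = Number(m[1]);
  return major >= needed
    ? { ok: true, reason: `packageManager pnpm@${major} can read lockfileVersion ${lv}` }
    : { ok: false, reason: `packageManager pins pnpm@${major} but lockfileVersion ${lv} needs pnpm >= ${needed}` };
}

console.log('packages with multiple versions:', duplicateVersions(SAMPLE_LOCKFILE));
console.log(checkPackageManager(UNPINNED_PACKAGE_JSON, SAMPLE_LOCKFILE).reason);
console.log(checkPackageManager(PINNED_PACKAGE_JSON, SAMPLE_LOCKFILE).reason);
```

To run it against a real example, replace the two constructed strings with the contents of its pnpm-lock.yaml and package.json. The duplicate list is what a scanner keeps reporting after only the direct dependency has been bumped, and the packageManager check is the pre-install guard the lockfile-version comments ask for: it fails closed on a 9.0 lockfile until the package.json pins a pnpm major that can read it.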

Development

Successfully merging this pull request may close these issues.

Security scanners flag vulnerabilities from projects present in examples directory

3 participants