fix: Resolved vulnerabilities in examples #276
Pull request overview
Updates the repository’s example projects to reduce security scanner findings by refreshing dependencies/lockfiles and excluding the examples/ directory from the published npm package.
Changes:
- Upgraded example app dependencies (CDK, constructs, esbuild, tsx, cdk-nag) and regenerated pnpm lockfiles (now lockfileVersion 9).
- Added /examples/** to .npmignore (and projen config) so examples aren't included in the published package.
- Bumped example projects to newer CDK-related transitive packages via lockfile refresh.
Reviewed changes
Copilot reviewed 7 out of 12 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| examples/app-router/package.json | Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.). |
| examples/app-router/pnpm-lock.yaml | Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format. |
| examples/app-pages-router/package.json | Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.). |
| examples/app-pages-router/pnpm-lock.yaml | Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format. |
| examples/pages-router/package.json | Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.). |
| examples/pages-router/pnpm-lock.yaml | Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format. |
| examples/high-security/package.json | Updates example deps including cdk-nag. |
| examples/high-security/pnpm-lock.yaml | Regenerated lockfile with updated dependency graph and pnpm v9 lockfile format. |
| examples/multiple-sites/package.json | Updates example dev/runtime dependencies (CDK/esbuild/tsx/etc.). |
| .projenrc.ts | Configures projen to exclude /examples/** from npm packaging via npmignore. |
| .npmignore | Excludes /examples/** from published npm package contents. |
Files not reviewed (5)
- examples/app-pages-router/pnpm-lock.yaml: Language not supported
- examples/app-router/pnpm-lock.yaml: Language not supported
- examples/high-security/pnpm-lock.yaml: Language not supported
- examples/multiple-sites/pnpm-lock.yaml: Language not supported
- examples/pages-router/pnpm-lock.yaml: Language not supported
| "aws-cdk": "^2.1105.0", | ||
| "esbuild": "^0.25.12", |
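Review bot: the mismatch flagged for `"aws-cdk": "^2.1105.0"` in this hunk should be verified rather than "aligned" downward: the `aws-cdk` CLI package is released on its own 2.1000+ version line, separate from `aws-cdk-lib`, so a CLI at `^2.1105.0` next to a library at `^2.237.1` is the expected shape, not evidence of a cloud-assembly mismatch. The concrete check is `npx cdk synth` in the example with the pinned CLI; if it accepts the assembly, keep the pin. The one pair in the cited versions that does share a line is `aws-cdk-lib` (^2.237.1) against the repo's `cdkVersion` (2.232.1), and that is the value worth reconciling if any. The same applies to the identical `aws-cdk` line in the other examples' package.json hunks below.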
The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.
| "esbuild": "^0.19.8", | ||
| "tsx": "^4.6.2", | ||
| "aws-cdk": "^2.1105.0", | ||
| "esbuild": "^0.25.12", |
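Review bot: the direct `"esbuild": "^0.25.12"` in this hunk can never dedupe with the 0.27.x that the updated tsx needs, because for a pre-1.0 package a caret range admits only the same minor (`^0.25.12` means `>=0.25.12 <0.26.0`), so two esbuild trees are guaranteed by construction, not by accident. Since the stated purpose of the PR is clearing scanner findings, please check whether this example imports esbuild at all; if it does not, drop the direct devDependency and let tsx own the version, and confirm with `pnpm why esbuild` that a single version remains.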
tsx@^4.21.0 pulls in esbuild@0.27.x (per the lockfile), but this package.json also depends on esbuild@^0.25.12, which results in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.
| "esbuild": "^0.25.12", |
| "aws-cdk": "^2.1105.0", | ||
| "esbuild": "^0.25.12", | ||
| "tsx": "^4.21.0", |
The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.
| "esbuild": "^0.19.8", | ||
| "tsx": "^4.6.2", | ||
| "aws-cdk": "^2.1105.0", | ||
| "esbuild": "^0.25.12", |
tsx@^4.21.0 pulls in esbuild@0.27.x (per the lockfile), but this package.json also depends on esbuild@^0.25.12, which results in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.
| "esbuild": "^0.25.12", |
| @@ -1,464 +1,374 @@ | |||
| lockfileVersion: '6.0' | |||
| lockfileVersion: '9.0' | |||
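Review bot: the header `@@ -1,464 +1,374 @@` shows this lockfile losing 90 lines in the regeneration from `lockfileVersion: '6.0'` to `'9.0'`; that is plausible for the format change plus dedup, but nothing in the rendered diff lets a reviewer confirm it (the lockfiles are listed above as not reviewed). Please state in the PR that `pnpm install --frozen-lockfile` succeeds in the example with the new lockfile, which is the check that the file still matches package.json and that no package was dropped or re-resolved silently.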
This lockfile was upgraded to lockfileVersion 9.0 (pnpm v9+). Since examples/install.sh and the examples README just run pnpm i without pinning a pnpm version, contributors using older pnpm will fail to install. Consider adding a packageManager field (e.g. pnpm@9.x) to the example package.json (or otherwise documenting/enforcing the required pnpm version).
| lockfileVersion: '9.0' | |
| lockfileVersion: '6.0' |
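Review bot: do not apply this suggestion as written: changing `lockfileVersion: '9.0'` back to `'6.0'` edits only the header line, while the entries beneath it were written by pnpm 9 in the v9 layout, so an older pnpm would still reject or re-resolve the file. Either keep v9 and add `"packageManager": "pnpm@9.x.y"` to the example package.json (corepack enforces it, which is what the inline comment asks for), or regenerate the whole lockfile with pnpm 8; there is no valid one-line change.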
| "aws-cdk": "^2.1105.0", | ||
| "esbuild": "^0.25.12", |
The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.
| @@ -1,464 +1,374 @@ | |||
| lockfileVersion: '6.0' | |||
| lockfileVersion: '9.0' | |||
This lockfile was upgraded to lockfileVersion 9.0 (pnpm v9+). Since examples/install.sh and the examples README just run pnpm i without pinning a pnpm version, contributors using older pnpm will fail to install. Consider adding a packageManager field (e.g. pnpm@9.x) to the example package.json (or otherwise documenting/enforcing the required pnpm version).
| lockfileVersion: '9.0' | |
| lockfileVersion: '6.0' |
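Review bot: same objection as for the other lockfile suggestion: rewriting the header to `'6.0'` does not convert a v9 lockfile, so this suggestion should be rejected; pin `packageManager` to the pnpm major that wrote the file, or regenerate it with the intended major.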
| "aws-cdk": "^2.1105.0", | ||
| "cdk-nag": "^2.37.55", | ||
| "esbuild": "^0.25.12", | ||
| "tsx": "^4.21.0", |
The example now pins the CDK CLI to ^2.1105.0, which is a very different version line than the app’s aws-cdk-lib (^2.237.1) and the repo’s configured cdkVersion (2.232.1 in .projenrc.ts). Please verify this is intentional (and installable) and consider aligning the CLI version with the aws-cdk-lib major/minor to avoid CDK cloud-assembly/schema mismatches when deploying the example.
| "tsx": "^4.6.2", | ||
| "aws-cdk": "^2.1105.0", | ||
| "cdk-nag": "^2.37.55", | ||
| "esbuild": "^0.25.12", |
tsx@^4.21.0 pulls in esbuild@0.27.x (per the lockfile), but this package.json also depends on esbuild@^0.25.12, which results in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.
| "esbuild": "^0.25.12", | |
| "esbuild": "^0.27.0", |
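Review bot: `"esbuild": "^0.27.0"` in this suggestion resolves to exactly the 0.27.x line (esbuild is pre-1.0, so the caret does not cross minors), which dedupes with tsx today and silently stops deduping the next time tsx bumps its esbuild minor. If this example does not import esbuild itself, the second option named in the comment, dropping the direct entry, is the one that needs no re-tracking; if it does, the pin should be annotated as tied to tsx's requirement. Either way `pnpm why esbuild` before and after should show one version.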
| "esbuild": "^0.19.3", | ||
| "tsx": "^3.12.10", | ||
| "aws-cdk": "^2.1105.0", | ||
| "esbuild": "^0.25.12", |
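Review bot: this hunk moves multiple-sites from `"tsx": "^3.12.10"` to the 4.x line the comment cites (`tsx@^4.21.0`) in the same change as the esbuild bump, which is a major-version change of the runner the example's scripts execute through; the PR should say the example was actually run after the change (`npx cdk synth` or the app entry via `npx tsx`), not only re-locked. The comment on this hunk says "in pnpm installs" rather than "per the lockfile", so the duplicate-esbuild claim here is inferred; `pnpm why esbuild` in this directory is the check that settles it.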
tsx@^4.21.0 pulls in esbuild@0.27.x in pnpm installs, but this package.json also depends on esbuild@^0.25.12, which can result in multiple esbuild versions being installed. Consider aligning the direct esbuild devDependency to the version required by tsx (or dropping the direct dependency if it’s not needed) to reduce install size and vulnerability surface.
| "esbuild": "^0.25.12", | |
| "esbuild": "^0.27.0", |
Fixes #273
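Added example, not code from this PR or from the project: a pre-merge check in the repository's own language that reads a pnpm lockfile and an example's package.json as text and reports the two things raised in the inline review comments above, a lockfileVersion that the example's packageManager pin does not satisfy, and a package (esbuild here) resolved at more than one version, together with whether the direct caret range could ever have admitted the second copy. The function names, the lockfileVersion-to-pnpm-major mapping, and the sample lockfile and package.json are assumptions constructed for this example.

```typescript
// Added example, not the PR's or the project's code. Reads a pnpm lockfile and
// a package.json as plain text (no YAML dependency) and reports:
//   - lockfileVersion not covered by the packageManager pin (or no pin at all)
//   - a watched package resolved at several versions, plus whether the direct
//     caret range excludes the extra copy (why pnpm could never dedupe it)
// Assumption: lockfileVersion 6.x is written by pnpm 8, 9.x by pnpm 9 and later.

interface Finding {
  kind: "lockfile-version" | "duplicate-versions" | "range-excludes";
  message: string;
}

const MIN_PNPM_FOR_LOCKFILE: Record<string, number> = { "6": 8, "9": 9 };

// Matches `  esbuild@0.25.12:` (v9), `  /esbuild@0.19.8:` (v6) and quoted scoped
// keys such as `  '@esbuild/linux-x64@0.25.12':`, capturing name and version.
const ENTRY = /^ {2}'?\/?((?:@[^/'\s]+\/)?[^@'\s/]+)@(\d[^\s:'()]*)/;

function lockfileVersion(lock: string): string | null {
  const m = lock.match(/^lockfileVersion:\s*['"]?(\d+(?:\.\d+)?)['"]?\s*$/m);
  return m ? m[1] : null;
}

/** Every version each package resolves to inside the top-level `packages:` block. */
function resolvedVersions(lock: string): Map<string, Set<string>> {
  const out = new Map<string, Set<string>>();
  let inPackages = false;
  for (const line of lock.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level key
    if (!inPackages) continue;
    const m = ENTRY.exec(line);
    if (!m) continue;
    if (!out.has(m[1])) out.set(m[1], new Set());
    out.get(m[1])!.add(m[2]);
  }
  return out;
}

/** npm caret semantics: ^0.y.z admits only 0.y.* (>= z); ^x.y.z with x>0 admits x.*.* >= y.z. */
function caretAdmits(range: string, version: string): boolean {
  if (!range.startsWith("^")) return false; // only caret ranges are modelled here
  const [a, b, c] = range.slice(1).split(".").map(Number);
  const [x, y, z] = version.split(".").map(Number);
  if (a > 0) return x === a && (y > b || (y === b && z >= c));
  if (b > 0) return x === 0 && y === b && z >= c;
  return x === 0 && y === 0 && z === c;
}

function auditExample(lock: string, pkgJsonText: string, watch: string[]): Finding[] {
  const findings: Finding[] = [];
  const pkg = JSON.parse(pkgJsonText) as {
    packageManager?: string;
    dependencies?: Record<string, string>;
    devDependencies?: Record<string, string>;
  };
  const lv = lockfileVersion(lock) ?? "";
  const needMajor = MIN_PNPM_FOR_LOCKFILE[lv.split(".")[0]];
  const pinned = pkg.packageManager?.match(/^pnpm@(\d+)\./);
  if (needMajor !== undefined && (!pinned || Number(pinned[1]) < needMajor)) {
    findings.push({
      kind: "lockfile-version",
      message: `lockfileVersion ${lv} needs pnpm >=${needMajor}, but packageManager is ${pkg.packageManager ?? "unset"}`,
    });
  }
  const resolved = resolvedVersions(lock);
  const direct = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  for (const name of watch) {
    const versions = [...(resolved.get(name) ?? [])].sort();
    if (versions.length < 2) continue;
    findings.push({ kind: "duplicate-versions", message: `${name} resolves to ${versions.join(", ")}` });
    const range = direct[name];
    if (!range) continue; // no direct dependency: nothing to blame for the split
    for (const ver of versions.filter((v) => !caretAdmits(range, v))) {
      findings.push({ kind: "range-excludes", message: `direct range ${name}@${range} can never dedupe with ${ver}` });
    }
  }
  return findings;
}

// Constructed sample input, shaped like the lockfile and package.json in this PR.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

importers:

  .:
    devDependencies:
      esbuild:
        specifier: ^0.25.12
        version: 0.25.12

packages:

  '@esbuild/linux-x64@0.25.12':
    resolution: {integrity: sha512-constructed}

  esbuild@0.25.12:
    resolution: {integrity: sha512-constructed}
    hasBin: true

  esbuild@0.27.0:
    resolution: {integrity: sha512-constructed}
    hasBin: true

  tsx@4.21.0:
    resolution: {integrity: sha512-constructed}

snapshots:

  tsx@4.21.0:
    dependencies:
      esbuild: 0.27.0
`;

const SAMPLE_PKG = JSON.stringify({
  name: "example-app",
  devDependencies: { "aws-cdk": "^2.1105.0", esbuild: "^0.25.12", tsx: "^4.21.0" },
});

for (const f of auditExample(SAMPLE_LOCK, SAMPLE_PKG, ["esbuild"])) {
  console.log(`${f.kind}: ${f.message}`);
}
```

Run against a real example directory by reading examples/<name>/pnpm-lock.yaml and package.json with `fs.readFileSync` and passing `["esbuild"]` (or any other package the scanner flagged); an empty result is the merge gate, and the `range-excludes` finding is the evidence that the fix is to drop or re-pin the direct dependency rather than to re-lock again.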