Skip to content

chore: bump the npm group with 8 updates#265

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/npm-4db42a8d1b
Open

chore: bump the npm group with 8 updates#265
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/npm-4db42a8d1b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm group with 8 updates:

Package From To
aws-cdk-lib 2.245.0 2.260.0
dotenv 17.3.1 17.4.2
@types/node 24.12.0 26.0.1
aws-cdk 2.1114.1 2.1128.1
cdk-nag 2.37.55 3.0.1
jest 30.3.0 30.4.2
ts-jest 29.4.6 29.4.11
typescript 5.9.3 6.0.3

Updates aws-cdk-lib from 2.245.0 to 2.260.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.260.0

Features

Bug Fixes

  • bundling: docker build can be skipped if already performed (#38134) (2f9ae95)
  • core: stack traces contain decorator paths (#38130) (318f645)
  • core: weak cross-stack references fail for list attributes (#37948) (6bb9d75), closes #37910
  • lambda-nodejs: reuse posixShellEscape for Docker bundling file operations (#38133) (baa9e1d)

Alpha modules (2.260.0-alpha.0)

v2.259.0

⚠ BREAKING CHANGES

  • lambda: Runtime.NODEJS_LATEST now resolves to nodejs24.x in every region. Customers who pin to a concrete runtime (Runtime.NODEJS_22_X, useLatestRuntimeVersion: false in aws-lambda-nodejs.NodejsFunction) are unaffected. Existing AWS::Lambda::Function resources synthesized with NODEJS_LATEST will see Runtime: nodejs22.xRuntime: nodejs24.x on next deploy. Lambda accepts runtime updates in place.

    Customer-code compatibility — IMPORTANT: Node.js 24 removes support for callback-style asynchronous handlers ((event, context, callback) => {...}) per the launch blog. Customers whose Lambda code still uses callback-based handlers will see runtime errors after the bump. Customers should migrate to async (event, context) => {...} or pin to Runtime.NODEJS_22_X explicitly.

Features

  • core: recommend the use of weak references if no choice has been made (#38070) (6e74e5e)
  • ecs: add forceNewDeployment option for Fargate and EC2 services (#36797) (3d9c4df), closes #27762
  • eks: use the recommended AL2023 instead of AL2 AMI type (under feature flag) (#37850) (6a2dcb7), closes #32211
  • lambda: upgrade lambda and custom resource default runtime to nodejs24.x (#38031) (36c84c6)

Bug Fixes

Reverts


Alpha modules (2.259.0-alpha.0)

v2.258.1

Reverts


Alpha modules (2.258.1-alpha.0)

... (truncated)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.260.0-alpha.0 (2026-06-16)

2.259.0-alpha.0 (2026-06-11)

2.258.1-alpha.0 (2026-06-08)

2.258.0-alpha.0 (2026-06-04)

Features

  • integ-tests-alpha: add option to set the provider log level (#38005) (c634a79)

Bug Fixes

  • custom-resource-handlers: deterministic asset hashes for generated lambdas (#37634) (6c3d5bc), closes #34307
  • glue-alpha: deprecate Ray Jobs (#38055) (3fa428b)
  • glue-alpha: restore notifyDelayAfter to PySpark and Scala Spark ETL jobs (#37815) (05be88a), closes #33839
  • integ-tests-alpha: assertion failures print too much unnecessary information (#37974) (bc0de1d)
  • mediapackagev2-alpha: cdnAuth on OriginEndpoint now generates the required policy (#38013) (1d56b46)

2.257.0-alpha.0 (2026-05-21)

2.256.1-alpha.0 (2026-05-20)

2.256.0-alpha.0 (2026-05-19)

2.255.0-alpha.0 (2026-05-18)

Features

  • bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

2.254.0-alpha.0 (2026-05-13)

Features

  • bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
  • bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
  • mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

... (truncated)

Commits
  • f266a47 feat: update L1 CloudFormation resource definitions (#38151)
  • 318f645 fix(core): stack traces contain decorator paths (#38130)
  • 2f9ae95 fix(bundling): docker build can be skipped if already performed (#38134)
  • aeafa63 docs(pipelines): clarify format of DockerHub creds (#38132)
  • baa9e1d fix(lambda-nodejs): reuse posixShellEscape for Docker bundling file operation...
  • e360dd9 feat(core): add external traces to ConstructError (#38131)
  • 5619d43 Merge branch 'main' into merge-back/2.259.0
  • 6bb9d75 fix(core): weak cross-stack references fail for list attributes (#37948)
  • c77a08c feat(core): append external stack traces to metadata if available (#38124)
  • 772eeba chore: update analytics metadata blueprints
  • Additional commits viewable in compare view

Updates dotenv from 17.3.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

  • Improved skill files - tightened up details (#1009)

17.4.1 (2026-04-05)

Changed

  • Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

  • Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

  • Tighten up logs: ◇ injecting env (14) from .env (#1003)
Commits

Updates @types/node from 24.12.0 to 26.0.1

Commits

Updates aws-cdk from 2.1114.1 to 2.1128.1

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1128.1

2.1128.1 (2026-06-22)

Bug Fixes

aws-cdk@v2.1128.0

2.1128.0 (2026-06-17)

Features

Bug Fixes

aws-cdk@v2.1127.0

2.1127.0 (2026-06-15)

Features

Bug Fixes

  • not enough information to count sequential failures (#1614) (eb1882c)
  • total deploy time is not well-accounted for (#1596) (c5db51a)

aws-cdk@v2.1126.0

2.1126.0 (2026-06-03)

... (truncated)

Commits
  • ee34e8c chore(cli): snapshot the destroy command's IoHost message stream (#1659)
  • 3ff0bdf fix(aws-cdk): correct project-name argument mapping in cdk init (#1644)
  • f979da7 fix: remove ~48 transitive dependencies from asset packaging (#1654)
  • 078ce70 fix(toolkit-lib): user-supplied glob include patterns silently ignored (#1652)
  • ab0f8e3 fix: validation report handling is inconsistent (#1650)
  • 7daa104 fix(cli): cdk list pollutes stdout with synthesis time (#1637)
  • 6b49a20 chore: better hotswap fallback surfacing in telemetry (#1635)
  • 9c73eaf feat(deps): upgrade aws-cdk-lib (#1639)
  • 3041560 feat(deps): upgrade aws-cdk-lib (#1627)
  • 995a457 chore(deps): upgrade dependencies (#1626)
  • Additional commits viewable in compare view

Updates cdk-nag from 2.37.55 to 3.0.1

Release notes

Sourced from cdk-nag's releases.

v3.0.1

3.0.1 (2026-06-15)

Bug Fixes

  • walk ancestor tree in isAcknowledged and WriteNagSuppressions (#2349) (9c2d2cb)

v3.0.0

3.0.0 (2026-06-12)

⚠ BREAKING CHANGES

  • cdk nag v3 rewrites the core engine from an IAspect to an IPolicyValidationPlugin. Rule packs now participate in CDK's native policy validation framework instead of emitting annotations during synthesis.

Features

v2.38.2

2.38.2 (2026-04-27)

Bug Fixes

  • prefix using Stage Construct ID to avoid StageName colissions (#2338) (c0d76f6)

v2.38.1

2.38.1 (2026-04-21)

Bug Fixes

  • remove unnecessary test for serverSideEncryptionConfiguration to not be undefined (#2227) (9436814), closes #2226

v2.38.0

2.38.0 (2026-04-21)

Features

v2.37.56

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for cdk-nag since your current version.


Updates jest from 30.3.0 to 30.4.2

Release notes

Sourced from jest's releases.

v30.4.2

Fixes

  • [jest-runtime] Fix named imports from CJS modules whose module.exports is a function with own-property exports (#16150)

Full Changelog: jestjs/jest@v30.4.1...v30.4.2

v30.4.1

Features

  • [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#16141)

Fixes

  • [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#16143)

Full Changelog: jestjs/jest@v30.4.0...v30.4.1

v30.4.0

Big release! 😀

Main feature is a rewrite of our custom runtime in preparation for stabilisation of native support of ESM. As part of that work require(esm) module is now supported on Node 24.9+ (still requires --experimental-vm-modules like before).

In addition we now support fake timers for the recently released Temporal API in Node v26.

React 19 is also supported properly in pretty-format, meaning snapshots of React components now work like they should.

Due to all the changes, there might be regressions that snuck in. Please report them!

Full list of changes below

Features

  • [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#15994)
  • [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#16006)
  • [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#15984)
  • [jest-config] Add support for jest.config.mts as a valid configuration file (#16005)
  • [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#16133)
  • [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#16128)
  • [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#16128)
  • [@jest/fake-timers] Support faking Temporal.Now.* (#16131)
  • [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#16088)
  • [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#16064)
  • [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#16062)
  • [jest-runtime] Support require() of ES modules on Node v24.9+ (#16074)
  • [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#16127)
  • [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#16062)
  • [jest-util] Add isError helper (#16076)

... (truncated)

Changelog

Sourced from jest's changelog.

30.4.2

Fixes

  • [jest-runtime] Fix named imports from CJS modules whose module.exports is a function with own-property exports (#16150)

30.4.1

Features

  • [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#16141)

Fixes

  • [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#16143)

30.4.0

Features

  • [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#15994)
  • [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#16006)
  • [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#15984)
  • [jest-config] Add support for jest.config.mts as a valid configuration file (#16005)
  • [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#16133)
  • [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#16128)
  • [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#16128)
  • [@jest/fake-timers] Support faking Temporal.Now.* (#16131)
  • [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#16088)
  • [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#16064)
  • [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#16062)
  • [jest-runtime] Support require() of ES modules on Node v24.9+ (#16074)
  • [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#16127)
  • [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#16062)
  • [jest-util] Add isError helper (#16076)
  • [pretty-format] Support React 19 (#16123)

Fixes

  • [expect-utils] Fix toStrictEqual failing on structuredClone results due to cross-realm constructor mismatch (#15959)
  • [@jest/expect-utils] Prevent toMatchObject/subset matching from throwing when encountering exotic iterables (#15952)
  • [fake-timers] Convert Date to milliseconds before passing to @sinonjs/fake-timers (#16029)
  • [jest] Export GlobalConfig and ProjectConfig TypeScript types (#16132)
  • [jest-circus] Prevent crash when asyncError is undefined for non-Error throws (#16003)
  • [jest-circus, jest-jasmine2] Include Error.cause in JSON failureMessages output (#15967)
  • [jest-config] Fix preset path resolution on Windows when the preset uses subpath exports (#15961)
  • [jest-config] Allow collectCoverage and coverageProvider in project config without a validation warning (#16132)
  • [jest-config] Project config validator now emits "is not supported in an individual project configuration" instead of "probably a typing mistake" for known global-only options (#16132)
  • [jest-environment-node] Fix --localstorage-file warning on Node 25+ (#16086)
  • [jest-reporters] Apply global coverage threshold to unmatched pattern files in addition to glob/path thresholds (#16137)

... (truncated)

Commits

Updates ts-jest from 29.4.6 to 29.4.11

Release notes

Sourced from ts-jest's releases.

v29.4.11

Please refer to CHANGELOG.md for details.

v29.4.10

Please refer to CHANGELOG.md for details.

v29.4.9

Please refer to CHANGELOG.md for details.

v29.4.8

No release notes provided.

v29.4.7

Please refer to CHANGELOG.md for details.

Changelog

Sourced from ts-jest's changelog.

29.4.11 (2026-05-21)

Bug Fixes

  • preserve Bundler on the CJS path under TypeScript >= 6 (3941818), closes #4198

29.4.10 (2026-05-18)

Bug Fixes

  • pass resolutionMode to ts.resolveModuleName for hybrid module support (b557a85)
  • rebuild Program when consecutive compiles need different module kinds (a82a2b3), closes #4774
  • respect tsconfig moduleResolution instead of forcing Node10 (1bffffc)
  • transformer: transpile mjs files from node_modules for CJS mode (96d025d)
  • transformer: use a consistent comparator in hoist-jest sortStatements (8a8fd2f)

29.4.9 (2026-04-01)

Bug Fixes

  • use correct registry for npm OIDC trusted publishing (f8a9cc9)

29.4.8 (2026-04-01)

Bug Fixes

  • wrong published assets

29.4.7 (2026-04-01)

Features

Commits
  • bff2d64 chore(release): 29.4.11
  • 3941818 fix: preserve Bundler on the CJS path under TypeScript >= 6
  • efb3c2f build(deps): bump webpack-dev-server from 5.2.2 to 5.2.4 in /website
  • 4e46fad ci: refactor release workflow
  • 96b3ac0 chore(release): 29.4.10
  • e98ec64 build(deps): update github/codeql-action digest to 458d36d
  • 21ac58f build(deps): update jest packages
  • 0fdc96d build(deps): update dependency semver to ^7.8.0
  • 4b95551 build(deps): update dependency jest-environment-jsdom to ^30.4.1 (#5311)
  • 7b88447 build(deps): update eslint packages to ^8.59.3 (#5310)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ts-jest since your current version.


Updates typescript from 5.9.3 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0 Beta

For release notes, check out the release announcement.

Downloads are available on:

Commits
  • 050880c Bump version to 6.0.3 and LKG
  • eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
  • ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
  • 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
  • 607a22a Bump version to 6.0.2 and LKG
  • 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
  • 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
  • e175b69 Bump version to 6.0.1-rc and LKG
  • af4caac Update LKG
  • 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) | `2.245.0` | `2.260.0` |
| [dotenv](https://github.com/motdotla/dotenv) | `17.3.1` | `17.4.2` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.12.0` | `26.0.1` |
| [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk) | `2.1114.1` | `2.1128.1` |
| [cdk-nag](https://github.com/cdklabs/cdk-nag) | `2.37.55` | `3.0.1` |
| [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `30.3.0` | `30.4.2` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.6` | `29.4.11` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.3` | `6.0.3` |


Updates `aws-cdk-lib` from 2.245.0 to 2.260.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.260.0/packages/aws-cdk-lib)

Updates `dotenv` from 17.3.1 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v17.3.1...v17.4.2)

Updates `@types/node` from 24.12.0 to 26.0.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `aws-cdk` from 2.1114.1 to 2.1128.1
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1128.1/packages/aws-cdk)

Updates `cdk-nag` from 2.37.55 to 3.0.1
- [Release notes](https://github.com/cdklabs/cdk-nag/releases)
- [Commits](cdklabs/cdk-nag@v2.37.55...v3.0.1)

Updates `jest` from 30.3.0 to 30.4.2
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest)

Updates `ts-jest` from 29.4.6 to 29.4.11
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v29.4.6...v29.4.11)

Updates `typescript` from 5.9.3 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.3)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.260.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: "@types/node"
  dependency-version: 26.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: aws-cdk
  dependency-version: 2.1128.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: cdk-nag
  dependency-version: 3.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: jest
  dependency-version: 30.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: ts-jest
  dependency-version: 29.4.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 26, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@aws-cdk/asset-awscli-v1 2.2.282 UnknownUnknown
npm/@aws-cdk/asset-node-proxy-agent-v6 2.1.2 UnknownUnknown
npm/@aws-cdk/cloud-assembly-api 2.2.5 UnknownUnknown
npm/@aws-cdk/cloud-assembly-schema 54.5.0 UnknownUnknown
npm/@babel/helper-plugin-utils 7.29.7 🟢 6.7
Details
CheckScoreReason
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 2badge detected: InProgress
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
npm/@babel/plugin-syntax-jsx 7.29.7 🟢 6.7
Details
CheckScoreReason
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 2badge detected: InProgress
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
npm/@babel/plugin-syntax-typescript 7.29.7 🟢 6.7
Details
CheckScoreReason
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 2badge detected: InProgress
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
npm/@emnapi/core 1.10.0 🟢 3.4
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1026 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/runtime 1.10.0 🟢 3.4
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1026 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/wasi-threads 1.2.1 🟢 3.4
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1026 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@jest/console 30.4.1 UnknownUnknown
npm/@jest/core 30.4.2 UnknownUnknown
npm/@jest/diff-sequences 30.4.0 UnknownUnknown
npm/@jest/environment 30.4.1 UnknownUnknown
npm/@jest/expect 30.4.1 UnknownUnknown
npm/@jest/expect-utils 30.4.1 UnknownUnknown
npm/@jest/fake-timers 30.4.1 UnknownUnknown
npm/@jest/globals 30.4.1 UnknownUnknown
npm/@jest/pattern 30.4.0 UnknownUnknown
npm/@jest/reporters 30.4.1 UnknownUnknown
npm/@jest/schemas 30.4.1 UnknownUnknown
npm/@jest/snapshot-utils 30.4.1 UnknownUnknown
npm/@jest/test-result 30.4.1 UnknownUnknown
npm/@jest/test-sequencer 30.4.1 UnknownUnknown
npm/@jest/transform 30.4.1 UnknownUnknown
npm/@jest/types 30.4.1 UnknownUnknown
npm/@napi-rs/wasm-runtime 1.1.6 🟢 5.2
Details
CheckScoreReason
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 2Found 4/20 approved changesets -- score normalized to 2
Maintained🟢 1030 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@pkgr/core 0.3.6 UnknownUnknown
npm/@sinonjs/fake-timers 15.4.0 🟢 5.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Code-Review⚠️ 1Found 5/27 approved changesets -- score normalized to 1
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@tybys/wasm-util 0.10.3 UnknownUnknown
npm/@types/node 26.0.1 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@unrs/resolver-binding-android-arm-eabi 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-android-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-darwin-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-darwin-x64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-freebsd-x64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm-gnueabihf 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm-musleabihf 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-loong64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-loong64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-ppc64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-riscv64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-riscv64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-s390x-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-x64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-x64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-openharmony-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-wasm32-wasi 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-arm64-msvc 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-ia32-msvc 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-x64-msvc 1.12.2 UnknownUnknown
npm/ajv 8.20.0 🟢 5.4
Details
CheckScoreReason
Maintained🟢 56 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 8Found 25/30 approved changesets -- score normalized to 8
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 2badge detected: InProgress
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/aws-cdk 2.1128.1 UnknownUnknown
npm/aws-cdk-lib 2.260.0 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow⚠️ 0dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ -1internal error: internal error: invalid Dockerfile
License🟢 10license file detected
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Signed-Releases🟢 85 out of the last 5 releases have a total of 5 signed artifacts.
Binary-Artifacts⚠️ 0binaries present in source code
SAST🟢 9SAST tool detected but not run on all commits
Fuzzing🟢 10project is fuzzed
npm/babel-jest 30.4.1 UnknownUnknown
npm/babel-plugin-jest-hoist 30.4.0 UnknownUnknown
npm/babel-preset-jest 30.4.0 UnknownUnknown
npm/brace-expansion 5.0.6 🟢 7.2
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1010 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 3Found 8/21 approved changesets -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 9license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/brace-expansion 2.1.1 🟢 7.2
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1010 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 3Found 8/21 approved changesets -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 9license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/cdk-nag 3.0.1 🟢 7.1
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 5detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
SAST🟢 4SAST tool is not run on all commits -- score normalized to 4
npm/dotenv 17.4.2 🟢 4.4
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/15 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 9security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/expect 30.4.1 UnknownUnknown
npm/fast-uri 3.1.2 UnknownUnknown
npm/fs-extra 11.3.5 🟢 5.4
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 6Found 20/29 approved changesets -- score normalized to 6
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Maintained🟢 1010 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/jest 30.4.2 UnknownUnknown
npm/jest-changed-files 30.4.1 UnknownUnknown
npm/jest-circus 30.4.2 UnknownUnknown
npm/jest-cli 30.4.2 UnknownUnknown
npm/jest-config 30.4.2 UnknownUnknown
npm/jest-diff 30.4.1 UnknownUnknown
npm/jest-docblock 30.4.0 UnknownUnknown
npm/jest-each 30.4.1 UnknownUnknown
npm/jest-environment-node 30.4.1 UnknownUnknown
npm/jest-haste-map 30.4.1 UnknownUnknown
npm/jest-leak-detector 30.4.1 UnknownUnknown
npm/jest-matcher-utils 30.4.1 UnknownUnknown
npm/jest-message-util 30.4.1 UnknownUnknown
npm/jest-mock 30.4.1 UnknownUnknown
npm/jest-regex-util 30.4.0 UnknownUnknown
npm/jest-resolve 30.4.1 UnknownUnknown
npm/jest-resolve-dependencies 30.4.2 UnknownUnknown
npm/jest-runner 30.4.2 UnknownUnknown
npm/jest-runtime 30.4.2 UnknownUnknown
npm/jest-snapshot 30.4.1 UnknownUnknown
npm/jest-util 30.4.1 UnknownUnknown
npm/jest-validate 30.4.1 UnknownUnknown
npm/jest-watcher 30.4.1 UnknownUnknown
npm/jest-worker 30.4.1 UnknownUnknown
npm/jsonfile 6.2.1 🟢 3.5
Details
CheckScoreReason
Code-Review🟢 3Found 9/24 approved changesets -- score normalized to 3
Maintained🟢 44 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/minimatch 10.2.5 🟢 5.2
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/28 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained⚠️ 20 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 2
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/pretty-format 30.4.1 UnknownUnknown
npm/react-is-18 18.3.1 UnknownUnknown
npm/react-is-19 19.2.7 UnknownUnknown
npm/semver 7.8.4 🟢 6.6
Details
CheckScoreReason
Code-Review🟢 8Found 14/17 approved changesets -- score normalized to 8
Maintained🟢 1018 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST🟢 9SAST tool detected but not run on all commits
npm/semver 7.8.1 🟢 6.6
Details
CheckScoreReason
Code-Review🟢 8Found 14/17 approved changesets -- score normalized to 8
Maintained🟢 1018 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST🟢 9SAST tool detected but not run on all commits
npm/semver 7.8.5 🟢 6.6
Details
CheckScoreReason
Code-Review🟢 8Found 14/17 approved changesets -- score normalized to 8
Maintained🟢 1018 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST🟢 9SAST tool detected but not run on all commits
npm/synckit 0.11.13 UnknownUnknown
npm/ts-jest 29.4.11 🟢 4.8
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Code-Review⚠️ -1Found no human activity in the last 30 changesets
Dangerous-Workflow⚠️ 0dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST🟢 10SAST tool is run on all commits
npm/typescript 6.0.3 🟢 7.9
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1024 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Vulnerabilities⚠️ 19 existing vulnerabilities detected
License🟢 10license file detected
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Branch-Protection⚠️ -1internal error: error during GetBranch(release-5.9): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Binary-Artifacts🟢 10no binaries found in the repo
SAST🟢 10SAST tool is run on all commits
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Fuzzing🟢 10project is fuzzed
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 38 contributing companies or organizations
npm/undici-types 8.3.0 🟢 7.9
Details
CheckScoreReason
Code-Review🟢 7Found 20/26 approved changesets -- score normalized to 7
Maintained🟢 1030 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 8binaries present in source code
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
Vulnerabilities🟢 73 existing vulnerabilities detected
SAST🟢 9SAST tool detected but not run on all commits
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing🟢 10project is fuzzed
CI-Tests🟢 1025 out of 25 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 76 contributing companies or organizations
npm/unrs-resolver 1.12.2 UnknownUnknown
npm/yargs 17.7.3 🟢 6.2
Details
CheckScoreReason
Maintained🟢 103 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 7Found 22/28 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • package-lock.json

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Scan for commit: 0c99f66 | Updated: 2026-07-01 00:05:16 UTC

🔒 Security Scan Results

Scanned files: 2

⚠️ Security findings detected. Please review and address before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant