Skip to content

chore: bump the npm group across 1 directory with 4 updates#275

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dea2768b4b
Closed

chore: bump the npm group across 1 directory with 4 updates#275
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-dea2768b4b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm group with 4 updates in the / directory: dotenv, @types/node, cdk-nag and jest.

Updates dotenv from 17.3.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

  • Improved skill files - tightened up details (#1009)

17.4.1 (2026-04-05)

Changed

  • Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

  • Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

  • Tighten up logs: ◇ injecting env (14) from .env (#1003)
Commits

Updates @types/node from 24.12.0 to 26.1.0

Commits

Updates cdk-nag from 2.37.55 to 3.0.1

Release notes

Sourced from cdk-nag's releases.

v3.0.1

3.0.1 (2026-06-15)

Bug Fixes

  • walk ancestor tree in isAcknowledged and WriteNagSuppressions (#2349) (9c2d2cb)

v3.0.0

3.0.0 (2026-06-12)

⚠ BREAKING CHANGES

  • cdk nag v3 rewrites the core engine from an IAspect to an IPolicyValidationPlugin. Rule packs now participate in CDK's native policy validation framework instead of emitting annotations during synthesis.

Features

v2.38.2

2.38.2 (2026-04-27)

Bug Fixes

  • prefix using Stage Construct ID to avoid StageName colissions (#2338) (c0d76f6)

v2.38.1

2.38.1 (2026-04-21)

Bug Fixes

  • remove unnecessary test for serverSideEncryptionConfiguration to not be undefined (#2227) (9436814), closes #2226

v2.38.0

2.38.0 (2026-04-21)

Features

v2.37.56

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for cdk-nag since your current version.


Updates jest from 30.3.0 to 30.4.2

Release notes

Sourced from jest's releases.

v30.4.2

Fixes

  • [jest-runtime] Fix named imports from CJS modules whose module.exports is a function with own-property exports (#16150)

Full Changelog: jestjs/jest@v30.4.1...v30.4.2

v30.4.1

Features

  • [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#16141)

Fixes

  • [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#16143)

Full Changelog: jestjs/jest@v30.4.0...v30.4.1

v30.4.0

Big release! 😀

Main feature is a rewrite of our custom runtime in preparation for stabilisation of native support of ESM. As part of that work require(esm) module is now supported on Node 24.9+ (still requires --experimental-vm-modules like before).

In addition we now support fake timers for the recently released Temporal API in Node v26.

React 19 is also supported properly in pretty-format, meaning snapshots of React components now work like they should.

Due to all the changes, there might be regressions that snuck in. Please report them!

Full list of changes below

Features

  • [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#15994)
  • [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#16006)
  • [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#15984)
  • [jest-config] Add support for jest.config.mts as a valid configuration file (#16005)
  • [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#16133)
  • [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#16128)
  • [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#16128)
  • [@jest/fake-timers] Support faking Temporal.Now.* (#16131)
  • [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#16088)
  • [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#16064)
  • [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#16062)
  • [jest-runtime] Support require() of ES modules on Node v24.9+ (#16074)
  • [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#16127)
  • [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#16062)
  • [jest-util] Add isError helper (#16076)

... (truncated)

Changelog

Sourced from jest's changelog.

30.4.2

Fixes

  • [jest-runtime] Fix named imports from CJS modules whose module.exports is a function with own-property exports (#16150)

30.4.1

Features

  • [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#16141)

Fixes

  • [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#16143)

30.4.0

Features

  • [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#15994)
  • [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#16006)
  • [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#15984)
  • [jest-config] Add support for jest.config.mts as a valid configuration file (#16005)
  • [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#16133)
  • [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#16128)
  • [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#16128)
  • [@jest/fake-timers] Support faking Temporal.Now.* (#16131)
  • [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#16088)
  • [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#16064)
  • [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#16062)
  • [jest-runtime] Support require() of ES modules on Node v24.9+ (#16074)
  • [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#16127)
  • [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#16062)
  • [jest-util] Add isError helper (#16076)
  • [pretty-format] Support React 19 (#16123)

Fixes

  • [expect-utils] Fix toStrictEqual failing on structuredClone results due to cross-realm constructor mismatch (#15959)
  • [@jest/expect-utils] Prevent toMatchObject/subset matching from throwing when encountering exotic iterables (#15952)
  • [fake-timers] Convert Date to milliseconds before passing to @sinonjs/fake-timers (#16029)
  • [jest] Export GlobalConfig and ProjectConfig TypeScript types (#16132)
  • [jest-circus] Prevent crash when asyncError is undefined for non-Error throws (#16003)
  • [jest-circus, jest-jasmine2] Include Error.cause in JSON failureMessages output (#15967)
  • [jest-config] Fix preset path resolution on Windows when the preset uses subpath exports (#15961)
  • [jest-config] Allow collectCoverage and coverageProvider in project config without a validation warning (#16132)
  • [jest-config] Project config validator now emits "is not supported in an individual project configuration" instead of "probably a typing mistake" for known global-only options (#16132)
  • [jest-environment-node] Fix --localstorage-file warning on Node 25+ (#16086)
  • [jest-reporters] Apply global coverage threshold to unmatched pattern files in addition to glob/path thresholds (#16137)

... (truncated)

Commits

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 6, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@babel/helper-plugin-utils 7.29.7 🟢 6.7
Details
CheckScoreReason
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 2badge detected: InProgress
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
npm/@babel/plugin-syntax-jsx 7.29.7 🟢 6.7
Details
CheckScoreReason
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 2badge detected: InProgress
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
npm/@babel/plugin-syntax-typescript 7.29.7 🟢 6.7
Details
CheckScoreReason
Code-Review🟢 5Found 17/30 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 2badge detected: InProgress
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
npm/@emnapi/core 1.10.0 🟢 3.4
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1021 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/runtime 1.10.0 🟢 3.4
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1021 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/wasi-threads 1.2.1 🟢 3.4
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1021 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@jest/console 30.4.1 UnknownUnknown
npm/@jest/core 30.4.2 UnknownUnknown
npm/@jest/diff-sequences 30.4.0 UnknownUnknown
npm/@jest/environment 30.4.1 UnknownUnknown
npm/@jest/expect 30.4.1 UnknownUnknown
npm/@jest/expect-utils 30.4.1 UnknownUnknown
npm/@jest/fake-timers 30.4.1 UnknownUnknown
npm/@jest/globals 30.4.1 UnknownUnknown
npm/@jest/pattern 30.4.0 UnknownUnknown
npm/@jest/reporters 30.4.1 UnknownUnknown
npm/@jest/schemas 30.4.1 UnknownUnknown
npm/@jest/snapshot-utils 30.4.1 UnknownUnknown
npm/@jest/test-result 30.4.1 UnknownUnknown
npm/@jest/test-sequencer 30.4.1 UnknownUnknown
npm/@jest/transform 30.4.1 UnknownUnknown
npm/@jest/types 30.4.1 UnknownUnknown
npm/@napi-rs/wasm-runtime 1.1.6 🟢 5.2
Details
CheckScoreReason
Code-Review⚠️ 2Found 5/17 approved changesets -- score normalized to 2
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 9license file detected
Packaging⚠️ -1packaging workflow not detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@pkgr/core 0.3.6 UnknownUnknown
npm/@sinonjs/fake-timers 15.4.0 🟢 5.7
Details
CheckScoreReason
Code-Review⚠️ 1Found 5/27 approved changesets -- score normalized to 1
Maintained🟢 1021 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@tybys/wasm-util 0.10.3 UnknownUnknown
npm/@types/node 26.1.0 🟢 6.5
Details
CheckScoreReason
Code-Review🟢 8Found 26/29 approved changesets -- score normalized to 8
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@unrs/resolver-binding-android-arm-eabi 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-android-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-darwin-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-darwin-x64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-freebsd-x64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm-gnueabihf 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm-musleabihf 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-arm64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-loong64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-loong64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-ppc64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-riscv64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-riscv64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-s390x-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-x64-gnu 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-linux-x64-musl 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-openharmony-arm64 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-wasm32-wasi 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-arm64-msvc 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-ia32-msvc 1.12.2 UnknownUnknown
npm/@unrs/resolver-binding-win32-x64-msvc 1.12.2 UnknownUnknown
npm/babel-jest 30.4.1 UnknownUnknown
npm/babel-plugin-jest-hoist 30.4.0 UnknownUnknown
npm/babel-preset-jest 30.4.0 UnknownUnknown
npm/balanced-match 1.0.2 🟢 5.1
Details
CheckScoreReason
Code-Review⚠️ 2Found 5/19 approved changesets -- score normalized to 2
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 45 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 9license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/brace-expansion 2.1.1 🟢 7.2
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1010 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 3Found 8/21 approved changesets -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 9license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/cdk-nag 3.0.1 🟢 7.1
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 5detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
SAST🟢 4SAST tool is not run on all commits -- score normalized to 4
npm/dotenv 17.4.2 🟢 4.4
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Code-Review⚠️ 0Found 1/15 approved changesets -- score normalized to 0
Security-Policy🟢 9security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/expect 30.4.1 UnknownUnknown
npm/jest 30.4.2 UnknownUnknown
npm/jest-changed-files 30.4.1 UnknownUnknown
npm/jest-circus 30.4.2 UnknownUnknown
npm/jest-cli 30.4.2 UnknownUnknown
npm/jest-config 30.4.2 UnknownUnknown
npm/jest-diff 30.4.1 UnknownUnknown
npm/jest-docblock 30.4.0 UnknownUnknown
npm/jest-each 30.4.1 UnknownUnknown
npm/jest-environment-node 30.4.1 UnknownUnknown
npm/jest-haste-map 30.4.1 UnknownUnknown
npm/jest-leak-detector 30.4.1 UnknownUnknown
npm/jest-matcher-utils 30.4.1 UnknownUnknown
npm/jest-message-util 30.4.1 UnknownUnknown
npm/jest-mock 30.4.1 UnknownUnknown
npm/jest-regex-util 30.4.0 UnknownUnknown
npm/jest-resolve 30.4.1 UnknownUnknown
npm/jest-resolve-dependencies 30.4.2 UnknownUnknown
npm/jest-runner 30.4.2 UnknownUnknown
npm/jest-runtime 30.4.2 UnknownUnknown
npm/jest-snapshot 30.4.1 UnknownUnknown
npm/jest-util 30.4.1 UnknownUnknown
npm/jest-validate 30.4.1 UnknownUnknown
npm/jest-watcher 30.4.1 UnknownUnknown
npm/jest-worker 30.4.1 UnknownUnknown
npm/minimatch 9.0.9 🟢 5.2
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/28 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained⚠️ 20 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 2
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/pretty-format 30.4.1 UnknownUnknown
npm/react-is-18 18.3.1 UnknownUnknown
npm/react-is-19 19.2.7 UnknownUnknown
npm/semver 6.3.1 🟢 6.6
Details
CheckScoreReason
Maintained🟢 1018 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Code-Review🟢 8Found 14/17 approved changesets -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST🟢 9SAST tool detected but not run on all commits
npm/synckit 0.11.13 UnknownUnknown
npm/undici-types 8.3.0 🟢 8.2
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dependency-Update-Tool🟢 10update tool detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 8binaries present in source code
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Signed-Releases⚠️ -1no releases found
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing🟢 10project is fuzzed
Vulnerabilities🟢 73 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 76 contributing companies or organizations
npm/unrs-resolver 1.12.2 UnknownUnknown
npm/yargs 17.7.3 🟢 6.2
Details
CheckScoreReason
Maintained🟢 1010 commit(s) and 26 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 7Found 20/27 approved changesets -- score normalized to 7
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • package-lock.json

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Scan for commit: 325db27 | Updated: 2026-07-06 05:07:40 UTC

🔒 Security Scan Results

Scanned files: 2

⚠️ Security findings detected. Please review and address before merging.

@frbrkoala

Copy link
Copy Markdown
Contributor

@dependabot recreate

Bumps the npm group with 4 updates in the / directory: [dotenv](https://github.com/motdotla/dotenv), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [cdk-nag](https://github.com/cdklabs/cdk-nag) and [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest).


Updates `dotenv` from 17.3.1 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v17.3.1...v17.4.2)

Updates `@types/node` from 24.12.0 to 26.1.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `cdk-nag` from 2.37.55 to 3.0.1
- [Release notes](https://github.com/cdklabs/cdk-nag/releases)
- [Commits](cdklabs/cdk-nag@v2.37.55...v3.0.1)

Updates `jest` from 30.3.0 to 30.4.2
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: cdk-nag
  dependency-version: 3.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: jest
  dependency-version: 30.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-dea2768b4b branch from 9857edc to 325db27 Compare July 6, 2026 05:04
frbrkoala added a commit that referenced this pull request Jul 6, 2026
Add ignore rules to the root npm ecosystem so Dependabot stops proposing major
version bumps for two dependencies (minor/patch updates still flow):

- cdk-nag: v3 is a breaking rewrite (IAspect -> IPolicyValidationPlugin, and
  NagSuppressions -> per-finding Validations.acknowledge). Deferred until
  upstream supports prefix/bulk acknowledgment. This is why the grouped npm PR
  #275 fails "Validate CDK synthesis" — the ignore drops the v3 bump so a
  regenerated PR builds. Unignore when ready to do the v3 migration.
- @types/node: keep aligned with the Node.js runtime major we target
  (currently 24) rather than chasing the newest typings.

Co-authored-by: Nikolay Vlasov <vlason@amazon.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are no longer being updated by Dependabot, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-dea2768b4b branch July 6, 2026 05:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant