Conversation

@aws-cdk-automation
Collaborator

Ran npm-check-updates and yarn upgrade for the following dependencies:

@aws-cdk/asset-awscli-v1

Checkout this branch and run integration tests locally to update snapshots.

(cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed)

See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.

@aws-cdk-automation aws-cdk-automation added the labels contribution/core (This is a PR that came from AWS.) and dependencies (This issue is a problem in a dependency or a pull request that updates a dependency file.) Jan 7, 2026
@aws-cdk-automation aws-cdk-automation requested review from a team January 7, 2026 13:52
@github-actions github-actions bot added the p2 label Jan 7, 2026
@aws-cdk-automation aws-cdk-automation force-pushed the automation/yarn-upgrade-dependencies-requiring-intervention branch from 03d3d8e to f938a7a Compare January 13, 2026 15:09
@github-actions
Contributor

github-actions bot commented Jan 14, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
Please try merging from main to avoid findings unrelated to the PR.

Tests: Security Guardian Results ✅ (504 ran, 504 passed)
Test result: No test annotations available

@github-actions
Contributor

github-actions bot commented Jan 14, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
Please try merging from main to avoid findings unrelated to the PR.

Tests: Security Guardian Results with resolved templates ❌ (504 ran, 493 passed, 11 failed)
Test result: Security Guardian Results with resolved templates, failing rules by template:
- packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-commands.js.snapshot/aws-cdk-codepipeline-commands.template.json
  - codepipeline-cross-account-role-trust-scope.guard: ❌ failure
  - guardhooks-no-root-principals-except-kms-secrets.guard: ❌ failure
  - iam-role-no-broad-principals.guard: ❌ failure
- packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-ecr-image-scan-action.js.snapshot/codepipeline-ecr-image-scan-action.template.json
  - codepipeline-cross-account-role-trust-scope.guard: ❌ failure
  - guardhooks-no-root-principals-except-kms-secrets.guard: ❌ failure
  - iam-role-no-broad-principals.guard: ❌ failure
- packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.js.snapshot/aws-cdk-codepipeline-elastic-beanstalk-deploy.template.json
  - codepipeline-cross-account-role-trust-scope.guard: ❌ failure
  - guardhooks-no-root-principals-except-kms-secrets.guard: ❌ failure
  - iam-role-no-broad-principals.guard: ❌ failure
- packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.cross-account-pipeline-action.js.snapshot/CrossAccountSourceStack.template.json
  - guardhooks-no-root-principals-except-kms-secrets.guard: ❌ failure
  - iam-role-no-broad-principals.guard: ❌ failure

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review label (This PR needs a review from a Core Team Member) Jan 14, 2026
@kumsmrit kumsmrit added the pr/needs-integration-tests-deployment label (Requires the PR to deploy the integration test snapshots.) Jan 14, 2026
@kumsmrit kumsmrit had a problem deploying to deployment-integ-test January 14, 2026 09:04 — with GitHub Actions Failure
@kumsmrit kumsmrit removed the pr/needs-integration-tests-deployment label (Requires the PR to deploy the integration test snapshots.) Jan 14, 2026
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review label (This PR needs a review from a Core Team Member) Jan 14, 2026
@mergify
Contributor

mergify bot commented Jan 14, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify bot commented Jan 14, 2026

Merge Queue Status

🚫 The pull request has left the queue (rule: default-squash) at c129ed2

This pull request spent 3 hours 50 minutes 28 seconds in the queue, with no time running CI.
The checks were run in-place.

Required conditions to merge

Reason

The pull request #36600 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio requeue comment.

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
@aws-cdk-automation aws-cdk-automation force-pushed the automation/yarn-upgrade-dependencies-requiring-intervention branch from c129ed2 to 5af01f7 Compare January 14, 2026 13:52
@aws-cdk-automation aws-cdk-automation requested a review from a team January 14, 2026 13:52
mergify bot pushed a commit that referenced this pull request Jan 14, 2026
…36690)

### Issue # (if applicable)

Fixes false positive failures in Security Guardian for PR #36600

### Reason for this change

The `guardhooks-no-root-principals-except-kms-secrets.guard` rule was incorrectly failing on CloudFormation templates containing unresolved intrinsic functions (like `Fn::Join`, `Fn::Sub`) in IAM policy principals. This caused false positive security violations on legitimate CDK-generated templates.

**Error encountered:**
```
Error = [PathAwareValues are not comparable map, Regex]
Value = {"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::234567890123:role/..."]]}
ComparedWith = "/(?i):root$/"
```

### Description of changes

**Root Cause:** The rule had an inconsistency where:
- `AssumeRolePolicyDocument` section properly checked if array items were strings before validation
- `PolicyDocument`, `Policy`, and `ResourcePolicy` sections were **missing** this type check

This caused cfn-guard to attempt regex comparison on intrinsic function objects, resulting in comparison errors.

**Fix Applied:**
Changed the validation pattern from:
```guard
when Principal.AWS is_list {
    Principal.AWS[*] != /(?i):root$/  # Fails on objects
}
```

To:
```guard
when Principal.AWS is_list {
    Principal.AWS[*] {
        when this is_string {
            this != /(?i):root$/  # Only validates strings
        }
    }
}
```

This pattern:
1. Iterates through each array item individually
2. Only validates items that are strings
3. Skips intrinsic function objects (avoiding false positives on static templates)
4. Still catches real `:root` principals in resolved templates

**Files Changed:**
- `tools/@aws-cdk/security-guardian/rules/guard-hooks/guardhooks-no-root-principals-except-kms-secrets.guard`

**Alternatives Considered:**
- Adding `when Principal.AWS[*] is_string` guard: This checks if ALL items are strings, which fails when even one intrinsic function is present
- Disabling the rule for static templates: Would miss real violations in templates without intrinsics
- The chosen solution properly handles mixed arrays and maintains security validation

### Describe any new or updated permissions being added

No IAM permissions changes.

### Description of how you validated changes
Unit tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
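As an added illustration (not code from the PR, the CDK project or the cfn-guard rule itself), the two comparison patterns described in the commit message modelled in Python, plus a minimal `Ref`/`Fn::Join` resolver (an assumption, just enough to mimic the "resolved templates" run) to show why Security Guardian checks both the static and the resolved template: the fixed rule skips any principal built by an intrinsic, so a `:root` ARN assembled with `Fn::Join` is only caught once the template is resolved.

```python
import re

# Regex from the guard rule; principals that end in ":root" are flagged.
ROOT_RE = re.compile(r"(?i):root$")

# Constructed sample values (not taken from the PR's templates).
PSEUDO = {"AWS::Partition": "aws"}
JOINED_ROLE = {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::123456789012:role/Example"]]}
JOINED_ROOT = {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::123456789012:root"]]}
LITERAL_ROOT = "arn:aws:iam::123456789012:root"


def check_old(principals):
    """Old rule: every item is regex-compared, so an intrinsic object is an error, not a skip."""
    violations = []
    for p in principals:
        if not isinstance(p, str):
            # cfn-guard reports this as 'PathAwareValues are not comparable map, Regex'
            raise TypeError("cannot compare map with regex")
        if ROOT_RE.search(p):
            violations.append(p)
    return violations


def old_rule_errors(principals):
    """True when the old rule aborts with a comparison error on this principal list."""
    try:
        check_old(principals)
    except TypeError:
        return True
    return False


def check_new(principals):
    """Fixed rule: only string items are compared; intrinsic objects are skipped."""
    return [p for p in principals if isinstance(p, str) and ROOT_RE.search(p)]


def resolve(value, pseudo=PSEUDO):
    """Minimal Ref / Fn::Join resolver (assumption: enough to mimic a resolved-template run)."""
    if isinstance(value, str):
        return value
    if isinstance(value, list):
        return [resolve(v, pseudo) for v in value]
    if isinstance(value, dict) and "Ref" in value:
        return pseudo[value["Ref"]]
    if isinstance(value, dict) and "Fn::Join" in value:
        delimiter, parts = value["Fn::Join"]
        return delimiter.join(resolve(p, pseudo) for p in parts)
    raise ValueError(f"unsupported value: {value!r}")
```

Run `check_new` on both the raw principal list and `resolve(...)` of it to see the static pass stay clean while the resolved pass still reports the literal `:root` ARN.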
@kumsmrit kumsmrit self-requested a review January 14, 2026 16:16
@kumsmrit kumsmrit added the pr/needs-integration-tests-deployment label (Requires the PR to deploy the integration test snapshots.) Jan 14, 2026
@kumsmrit kumsmrit had a problem deploying to deployment-integ-test January 14, 2026 18:59 — with GitHub Actions Failure
@kumsmrit kumsmrit removed the pr/needs-integration-tests-deployment label (Requires the PR to deploy the integration test snapshots.) Jan 14, 2026
@mergify
Contributor

mergify bot commented Jan 14, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify bot commented Jan 14, 2026

Merge Queue Status

✅ The pull request has been merged at 38ea102

This pull request spent 28 minutes 57 seconds in the queue, including 28 minutes 46 seconds running CI.
The checks were run in-place.

Required conditions to merge

@mergify
Contributor

mergify bot commented Jan 14, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit dea2c28 into main Jan 14, 2026
20 of 23 checks passed
@mergify mergify bot deleted the automation/yarn-upgrade-dependencies-requiring-intervention branch January 14, 2026 20:29
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 14, 2026