From 960305f67910c74863afdb8ada19781b0c60806e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Nov 2023 11:27:04 +0000 Subject: [PATCH 1/4] chore(deps-dev): Bump pip from 23.3 to 23.3.1 in /packages/jsii-pacmak/test/generated-code (#4306) Bumps [pip](https://github.com/pypa/pip) from 23.3 to 23.3.1.
Changelog

Sourced from pip's changelog.

23.3.1 (2023-10-21)

Bug Fixes

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=23.3&new-version=23.3.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
--- packages/jsii-pacmak/test/generated-code/requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/jsii-pacmak/test/generated-code/requirements-dev.txt b/packages/jsii-pacmak/test/generated-code/requirements-dev.txt index 04ac2a2a1e..3f6b30ae79 100644 --- a/packages/jsii-pacmak/test/generated-code/requirements-dev.txt +++ b/packages/jsii-pacmak/test/generated-code/requirements-dev.txt @@ -1,2 +1,2 @@ mypy==1.4.1 -pip==23.3 # required to use --config-settings +pip==23.3.1 # required to use --config-settings From e3191e520d009e65befb7a9bfeaed6480eef763c Mon Sep 17 00:00:00 2001 From: Kayo Date: Tue, 14 Nov 2023 04:30:35 -0800 Subject: [PATCH 2/4] docs(typescript-restrictions): clarify non-jsii deps (#3995) I spent about a day and a half trying to figure this out, so I thought I'd add a little clarification :) tl;dr: I'm making a CDK Construct package that also includes a custom lambda handler. That handler takes on a non-jsii dep but I couldn't figure out why JSII kept trying to compile that non-jsii dep until I read > The API of the *jsii module* can not expose any type from bundled dependencies, since those types would not be available in other languages. about 20 times. --- By submitting this pull request, I confirm that my contribution is made under the terms of the [Apache 2.0 license]. [Apache 2.0 license]: https://www.apache.org/licenses/LICENSE-2.0 --- .../user-guides/lib-author/typescript-restrictions.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/gh-pages/content/user-guides/lib-author/typescript-restrictions.md b/gh-pages/content/user-guides/lib-author/typescript-restrictions.md index b8a53b83a9..9ab1bc1f22 100644 --- a/gh-pages/content/user-guides/lib-author/typescript-restrictions.md +++ b/gh-pages/content/user-guides/lib-author/typescript-restrictions.md 
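Review bot: in the requirements-dev.txt hunk the new line `+pip==23.3.1 # required to use --config-settings` is still an exact-version pin with no `--hash=` entries, so `pip install -r` on this fixture accepts whatever artifact the index serves for 23.3.1; if this test setup is meant to be reproducible against a tampered or replaced release, the version bump is the natural point to add the wheel and sdist hashes next to the pin. The trailing `--config-settings` comment remains the rationale for the pin and can stay as is for a patch-level bump.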
@@ -14,10 +14,14 @@ A *jsii module* can declare dependencies on any other *jsii module* by adding en `package.json` file. Since most other platforms do not support multiple different versions of the same library to coexist in the same closure, it is recommended to also declare all such dependencies as `peerDependencies`. +### non-jsii dependencies + Occasionally, a dependency on a *non-jsii module* is useful. Since such dependencies do not have generated bindings in all the supported languages, they must be bundled with the *jsii module* that depends on them, by adding the library -into the `bundleDependencies` array in `package.json`. The API of the *jsii module* can not expose any type from bundled -dependencies, since those types would not be available in other languages. +into the `bundleDependencies` array in `package.json`. + +The API of the *jsii module* can not expose any type from bundled dependencies, since those types would not be available in other languages. +TypeScript files that include a non-jsii dependency (e.g. a lambda handler for an AWS CDK Construct) cannot be exported from the `main`/`types` entry point. !!! info For more information on `package.json` file contents, refer to the [npm documentation][package-json]. From 68be5e1ad887fcf08598b677854ca4bce3c27007 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Nov 2023 13:32:51 +0000 Subject: [PATCH 3/4] chore(deps): Bump axios from 1.5.1 to 1.6.1 (#4321) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [axios](https://github.com/axios/axios) from 1.5.1 to 1.6.1.
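Review bot: in the typescript-restrictions.md hunk the two added prose lines under `### non-jsii dependencies` are not wrapped at the width the surrounding lines use (the removed lines were wrapped, the replacements are single long lines), and the first keeps `can not` while the new sentence says `cannot`; wrap them like the neighbouring text and pick one spelling. The new sentence ("TypeScript files that include a non-jsii dependency ... cannot be exported from the `main`/`types` entry point") also reads as a blanket rule, stronger than the sentence just before it, which gives the actual reason (types from bundled dependencies would not be available in other languages); tying the new sentence back to that reason, e.g. "... cannot be exported from the `main`/`types` entry point, since jsii would then have to expose those types", keeps the two statements consistent and tells readers the restriction is about the exported API surface.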
Release notes

Sourced from axios's releases.

Release v1.6.1

Release notes:

Bug Fixes

  • formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
  • platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

Contributors to this release

Release v1.6.0

Release notes:

Bug Fixes

  • CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
  • dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
  • types: fix AxiosHeaders types; (#5931) (a1c8ad0)

PRs

  • CVE 2023 45857 (#6028)

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

Changelog

Sourced from axios's changelog.

1.6.1 (2023-11-08)

Bug Fixes

  • formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
  • platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

Contributors to this release

1.6.0 (2023-10-26)

Bug Fixes

  • CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
  • dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
  • types: fix AxiosHeaders types; (#5931) (a1c8ad0)

PRs

  • CVE 2023 45857 (#6028)

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=1.5.1&new-version=1.6.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/jsii/network/alerts).
--- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index d3f60e3921..6cd4bce5a5 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2345,9 +2345,9 @@ available-typed-arrays@^1.0.5: integrity sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw== axios@^1.0.0: - version "1.5.1" - resolved "https://registry.yarnpkg.com/axios/-/axios-1.5.1.tgz#11fbaa11fc35f431193a9564109c88c1f27b585f" - integrity sha512-Q28iYCWzNHjAm+yEAot5QaAMxhMghWLFVf7rRdwhUI+c2jix2DUXjAHXVi+s1ibs3mjPO/cCgbA++3BjD0vP/A== + version "1.6.1" + resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.1.tgz#76550d644bf0a2d469a01f9244db6753208397d7" + integrity sha512-vfBmhDpKafglh0EldBEbVuoe7DyAavGSLWhuSm5ZSEKQnHhBf0xAAwybbNH1IkrJNGnS/VG4I5yxig1pCEXE4g== dependencies: follow-redirects "^1.15.0" form-data "^4.0.0" From 7197b4f21e7f6776fbbfe5bac7f03a308cd9f7c0 Mon Sep 17 00:00:00 2001 From: Momo Kornher Date: Tue, 14 Nov 2023 14:48:08 +0000 Subject: [PATCH 4/4] feat(superchain): publish a bullseye image with node18 & python 3.9 (#4326) This will become the new default for most use cases. --- By submitting this pull request, I confirm that my contribution is made under the terms of the [Apache 2.0 license]. [Apache 2.0 license]: https://www.apache.org/licenses/LICENSE-2.0 --- .github/workflows/docker-images.yml | 3 +-- CONTRIBUTING.md | 5 +++-- superchain/README.md | 20 ++++++-------------- 3 files changed, 10 insertions(+), 18 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index b9daa0fc3b..3df903d346 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -23,10 +23,9 @@ jobs: matrix: debian: - 'buster' # 10 + - 'bullseye' # 11 node: ['18', '20'] include: - - debian: 'bullseye' # 11 - node: '20' - debian: 'bookworm' #12 node: '20' env: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5d313502da..e83234bd5b 100644 
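Review bot: in the yarn.lock hunk only the lockfile changes (the diffstat lists one file), so the `axios@^1.0.0` range that the entry is resolved from still admits every version below 1.6.0, i.e. releases without the CVE-2023-45857 fix named in the release notes above; an install that does not honour the lockfile, or a consumer resolving the same range, can still land on 1.5.1. If the intent is to require the fixed version, raise the range in the package.json that declares it (e.g. `^1.6.1`) or add a `resolutions` entry, and make sure CI installs with the lockfile enforced so the `integrity sha512-vfBmhDpK...` line is actually what gets checked.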
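Review bot: in the docker-images.yml hunk the matrix now builds `'buster'` and `'bullseye'` against node `'18'` and `'20'` and keeps `'bookworm'`/`'20'` in `include`, which matches the subject line, but nothing in this hunk changes which Debian release receives the un-suffixed `1-...-slim` and `1-...-slim-nightly` tags that CONTRIBUTING.md and the README in this same patch now describe as bullseye; if that tag mapping lives elsewhere in the workflow, the change should be in this PR or the commit message should say where the default is set. The commit message also advertises Python 3.9, yet no line in the diff touches a Python version, so that is presumably inherited from the bullseye base and worth stating explicitly.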
--- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -228,13 +228,14 @@ The [Python](./packages/jsii-pacmak/lib/targets/python.ts) target is a good example to work from. ## Releasing + ### The `public.ecr.aws/jsii/superchain` Docker image -Upon merging new changes to the `main` branch, the `public.ecr.aws/jsii/superchain:1-buster-slim-nightly` +Upon merging new changes to the `main` branch, the `public.ecr.aws/jsii/superchain:1-bullseye-slim-nightly` image will be released after a last validation build. Upon making a new `jsii` release (when the GitHub release entry - and its -corresponding git tag - is created), the `public.ecr.aws/jsii/superchain:1-buster-slim` image will +corresponding git tag - is created), the `public.ecr.aws/jsii/superchain:1-bullseye-slim` image will be released after a last validation build. The latest release information (for both of the Docker image tags) can be seen diff --git a/superchain/README.md b/superchain/README.md index a50226a9e2..c1a718be7b 100644 --- a/superchain/README.md +++ b/superchain/README.md 
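Review bot: in the CONTRIBUTING.md hunk the text now names `public.ecr.aws/jsii/superchain:1-bullseye-slim-nightly` and `:1-bullseye-slim` as the images released on merge and on release, but the workflow matrix in this patch still builds buster for node 18 and 20, so the document no longer says what happens to the buster tags (still published, frozen, or retired); one sentence after the two tag names would close that gap for contributors.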
@@ -38,16 +38,10 @@ public.ecr.aws/jsii/superchain:-(-node)(-nightly) The previous image tags have been discontinued: -- `:latest` (users should migrate to `:1-buster-slim`) -- `:nightly` (users should migrate to `:1-buster-slim-nightly`) -- `:node10` (users should migrate to `:1-buster-slim-node18`) -- `:node10-nightly` (users should migrate to `:1-buster-slim-node18-nightly`) -- `:node12` (users should migrate to `:1-buster-slim-node18`) -- `:node12-nightly` (users shoudl migrate to `:1-buster-slim-node18-nightly`) -- `:node14` (users should migrate to `:1-buster-slim-node18`) -- `:node14-nightly` (users shoudl migrate to `:1-buster-slim-node18-nightly`) -- `:node16` (users should migrate to `:1-buster-slim-node18`) -- `:node16-nightly` (users shoudl migrate to `:1-buster-slim-node18-nightly`) +- `:latest` (users should migrate to `:1-bullseye-slim`) +- `:nightly` (users should migrate to `:1-bullseye-slim-nightly`) +- `:nodeX` (users should migrate to an image using a supported node version) +- `:nodeX-nightly` (users should migrate to a nightly image using a supported node version) ## Building @@ -68,10 +62,8 @@ jsii$ docker build . -f superchain/Dockerfile -t jsii/superchain:local --target= We build multiple versions of this image, for different versions of Node. They are available as: -* `public.ecr.aws/jsii/superchain:1-buster-slim-node14(-nightly)` -* `public.ecr.aws/jsii/superchain:1-buster-slim-node16(-nightly)` -* `public.ecr.aws/jsii/superchain:1-buster-slim-node18(-nightly)` -* `public.ecr.aws/jsii/superchain:1-buster-slim-node20(-nightly)` +* `public.ecr.aws/jsii/superchain:1-bullseye-slim-node18(-nightly)` +* `public.ecr.aws/jsii/superchain:1-bullseye-slim-node20(-nightly)` If you are building this image from source, you can control the Node version with the `NODE_MAJOR_VERSION` build argument:
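Review bot: in the first superchain/README.md hunk collapsing the per-version lines into `:nodeX` / `:nodeX-nightly` drops the concrete migration targets the old lines spelled out; "an image using a supported node version" does not say where the supported versions are listed, so point readers at the tag list under "Building" or name the `-node18`/`-node20` tags inline. The rewrite does remove the three `shoudl` typos from the old lines, which is welcome.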
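Review bot: in the second superchain/README.md hunk the "available as" list is reduced to the two `1-bullseye-slim-node18(-nightly)` and `1-bullseye-slim-node20(-nightly)` tags, but the commit message states that bullseye "will become the new default for most use cases" and the README never says so; since the workflow in this patch still builds buster and bookworm images as well, a sentence stating which Debian release the un-suffixed tags resolve to, and that bullseye is the recommended default, would let users choose a tag without reading the workflow.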