Bump the npm group across 2 directories with 5 updates

[dependabot]

Bumps the npm group with 5 updates in the / directory:

Package	From	To
@types/node	24.10.3	25.0.1
pnpm	10.25.0	10.26.0
aws-cdk-lib	2.232.1	2.232.2
constructs	10.4.3	10.4.4
aws-cdk	2.1033.0	2.1034.0

Bumps the npm group with 4 updates in the /test directory: @types/node, aws-cdk-lib, constructs and aws-cdk.

Updates @types/node from 24.10.3 to 25.0.1

Commits

• See full diff in compare view

Updates pnpm from 10.25.0 to 10.26.0

Release notes

Sourced from pnpm's releases.

pnpm 10.26

Minor Changes

• Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.

• Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #10287.

• Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

  When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

  This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

  Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

  Related PR: #10265.

• Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

  Example Usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

  allowBuilds:
    esbuild: true
    core-js: false

  The example above achieves the same result as the previous configuration:

  onlyBuiltDependencies:
    - esbuild
  ignoredBuiltDependencies:
    - core-js

  Related PR: #10311

• Added support for --dry-run to the pack command #10301.

Patch Changes

• Show deprecation in table/list formats when latest version is deprecated #8658.
• Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
• Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #10273.
• When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #10197.

Platinum Sponsors

... (truncated)

Changelog

Sourced from pnpm's changelog.

10.26.0

Minor Changes

• Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.

• Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #10287.

• Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

  When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

  This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

  Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

  Related PR: #10265.

• Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

  Example Usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

  allowBuilds:
    esbuild: true
    core-js: false

  The example above achieves the same result as the previous configuration:

  onlyBuiltDependencies:
    - esbuild
  ignoredBuiltDependencies:
    - core-js

  Related PR: #10311

• Added support for --dry-run to the pack command #10301.

Patch Changes

• Show deprecation in table/list formats when latest version is deprecated #8658.
• Remove the injectWorkspacePackages setting from the lockfile on the deploy command #10294.
• Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #10273.
• When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #10197.

Commits

• 244e33b chore(release): 10.26.0
• 4077539 fix(git-fetcher): block git dependencies from running prepare scripts unless ...
• See full diff in compare view

Updates aws-cdk-lib from 2.232.1 to 2.232.2

Release notes

Sourced from aws-cdk-lib's releases.

v2.232.2

Bug Fixes

• re-export of ResourceEnvironment is not an alias (#36370) (6178d32)

---

Alpha modules (2.232.2-alpha.0)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.232.2-alpha.0 (2025-12-12)

2.232.1-alpha.0 (2025-12-05)

2.232.0-alpha.0 (2025-12-04)

Bug Fixes

• bedrock-agentcore-alpha: use static construct ID for asset-based runtime artifacts (#36241) (e2bdddd), closes #35968
• mixins-preview: service exports are different then in aws-cdk-lib (#36201) (5858006), closes #36210
• mixins-preview: strongly-typed ConstructSelector interface (#36266) (1d2f473)

2.231.0-alpha.0 (2025-12-01)

Features

• glue-alpha: support Glue Version 5.1 (#36223) (b956492)
• imagebuilder-alpha: add support for Image Construct (#36154) (eee3ae6), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789

2.230.0-alpha.0 (2025-11-26)

Features

• bedrock-agentcore-alpha: update resources on grantInvokeXXX for runtime (#35864) (5dad62f)
• imagebuilder-alpha: add support for Image Pipeline Construct (#36153) (d8c324a), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789
• imagebuilder-alpha: add support for Lifecycle Policy Construct (#36152) (7e31eb6), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789
• mixins-preview: adds LogDelivery Mixins for 47 resources (#36158) (6607ce9)
• mixins-preview: vended log deliveries (#36138) (69442a8)
• mixins-preview: helpers to generate EventBridge event patterns for 26 services (#36121) (073185d)

Bug Fixes

• mixins-preview: AutoDeleteObjects mixin fails with cannot find file error (#36188) (3ef337d), closes aws-cdk/mixins-preview/lib/custom-resource-handlers/aws-s3/auto-delete-objects-provider.ts#L21
• mixins-preview: ResourcePolicy with this name already exists error when setting up LogDelivery (#36195) (f9aa31d)
• mixins-preview: cannot use string literal types for S3LogsDeliveryProps.permissionsVersion (#36197) (cc491df)

2.229.1-alpha.0 (2025-11-25)

2.229.0-alpha.0 (2025-11-24)

Features

... (truncated)

Commits

• 6178d32 fix: re-export of ResourceEnvironment is not an alias (#36370)
• See full diff in compare view

Updates constructs from 10.4.3 to 10.4.4

Release notes

Sourced from constructs's releases.

v10.4.4

10.4.4 (2025-12-11)

Bug Fixes

• python: only allow Typeguard 2.x (#2831) (04ca69c)

Commits

• 04ca69c fix(python): only allow Typeguard 2.x (#2831)
• aaf6d77 chore(deps): upgrade dev dependencies (#2830)
• 0980d56 chore(deps): upgrade dev dependencies (#2829)
• 41c7a17 chore(deps): upgrade dev dependencies (#2828)
• b0ac5f9 chore(deps): upgrade dev dependencies (#2827)
• 8860667 chore(deps): upgrade dev dependencies (#2826)
• d792389 chore(deps): upgrade dev dependencies (#2824)
• See full diff in compare view

Updates aws-cdk from 2.1033.0 to 2.1034.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1034.0

2.1034.0 (2025-12-11)

Features

• cli: add package manager option to cdk init (#961) (4f01af8), closes #940
• init-templates enable test cleanup by default (#986) (82fb0f3)
• show early validation errors on deploy (#970) (3ca8b70)

Bug Fixes

• cli: flag report is inconsistent with warnings (#967) (6693243)

Commits

• 82fb0f3 feat: init-templates enable test cleanup by default (#986)
• 563f702 chore: upgrade SDK and remove process.exit (#981)
• 4f01af8 feat(cli): add package manager option to cdk init (#961)
• 3ca8b70 feat: show early validation errors on deploy (#970)
• 2a6f8d3 chore: upgrade dependencies (#966)
• 6693243 fix(cli): flag report is inconsistent with warnings (#967)
• 33464fc chore(cli): integ tests assert telemetry successfully sent to endpoint (#775)
• See full diff in compare view

Updates @types/node from 24.10.3 to 25.0.1

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.232.1 to 2.232.2

Release notes

Sourced from aws-cdk-lib's releases.

v2.232.2

Bug Fixes

• re-export of ResourceEnvironment is not an alias (#36370) (6178d32)

---

Alpha modules (2.232.2-alpha.0)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.232.2-alpha.0 (2025-12-12)

2.232.1-alpha.0 (2025-12-05)

2.232.0-alpha.0 (2025-12-04)

Bug Fixes

• bedrock-agentcore-alpha: use static construct ID for asset-based runtime artifacts (#36241) (e2bdddd), closes #35968
• mixins-preview: service exports are different then in aws-cdk-lib (#36201) (5858006), closes #36210
• mixins-preview: strongly-typed ConstructSelector interface (#36266) (1d2f473)

2.231.0-alpha.0 (2025-12-01)

Features

• glue-alpha: support Glue Version 5.1 (#36223) (b956492)
• imagebuilder-alpha: add support for Image Construct (#36154) (eee3ae6), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789

2.230.0-alpha.0 (2025-11-26)

Features

• bedrock-agentcore-alpha: update resources on grantInvokeXXX for runtime (#35864) (5dad62f)
• imagebuilder-alpha: add support for Image Pipeline Construct (#36153) (d8c324a), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789
• imagebuilder-alpha: add support for Lifecycle Policy Construct (#36152) (7e31eb6), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789
• mixins-preview: adds LogDelivery Mixins for 47 resources (#36158) (6607ce9)
• mixins-preview: vended log deliveries (#36138) (69442a8)
• mixins-preview: helpers to generate EventBridge event patterns for 26 services (#36121) (073185d)

Bug Fixes

• mixins-preview: AutoDeleteObjects mixin fails with cannot find file error (#36188) (3ef337d), closes aws-cdk/mixins-preview/lib/custom-resource-handlers/aws-s3/auto-delete-objects-provider.ts#L21
• mixins-preview: ResourcePolicy with this name already exists error when setting up LogDelivery (#36195) (f9aa31d)
• mixins-preview: cannot use string literal types for S3LogsDeliveryProps.permissionsVersion (#36197) (cc491df)

2.229.1-alpha.0 (2025-11-25)

2.229.0-alpha.0 (2025-11-24)

Features

... (truncated)

Commits

• 6178d32 fix: re-export of ResourceEnvironment is not an alias (#36370)
• See full diff in compare view

Updates constructs from 10.4.3 to 10.4.4

Release notes

Sourced from constructs's releases.

v10.4.4

10.4.4 (2025-12-11)

Bug Fixes

• python: only allow Typeguard 2.x (#2831) (04ca69c)

Commits

• 04ca69c fix(python): only allow Typeguard 2.x (#2831)
• aaf6d77 chore(deps): upgrade dev dependencies (#2830)
• 0980d56 chore(deps): upgrade dev dependencies (#2829)
• 41c7a17 chore(deps): upgrade dev dependencies (#2828)
• b0ac5f9 chore(deps): upgrade dev dependencies (#2827)
• 8860667 chore(deps): upgrade dev dependencies (#2826)
• d792389 chore(deps): upgrade dev dependencies (#2824)
• See full diff in compare view

Updates aws-cdk from 2.1033.0 to 2.1034.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1034.0

2.1034.0 (2025-12-11)

Features

• cli: add package manager option to cdk init (#961) (4f01af8), closes #940
• init-templates enable test cleanup by default (#986) (82fb0f3)
• show early validation errors on deploy (#970) (3ca8b70)

Bug Fixes

• cli: flag report is inconsistent with warnings (#967) (6693243)

Commits

• 82fb0f3 feat: init-templates enable test cleanup by default (#986)
• 563f702 chore: upgrade SDK and remove process.exit (#981)
• 4f01af8 feat(cli): add package manager option to cdk init (#961)
• 3ca8b70 feat: show early validation errors on deploy (#970)
• 2a6f8d3 chore: upgrade dependencies (#966)
• 6693243 fix(cli): flag report is inconsistent with warnings (#967)
• 33464fc chore(cli): integ tests assert telemetry successfully sent to endpoint (#775)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@types/node	25.0.1	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/node	25.0.2	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/aws-cdk	2.1034.0	Unknown	Unknown
npm/aws-cdk-lib	2.232.2	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid Dockerfile Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 0 22 existing vulnerabilities detected
npm/constructs	10.4.4	🟢 7.4	Details Check Score Reason Maintained 🟢 10 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Token-Permissions 🟢 5 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6
npm/pnpm	10.26.0	🟢 6.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 5 Found 15/28 approved changesets -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 124 existing vulnerabilities detected
npm/@types/node	^25.0.1	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/aws-cdk	^2.1034.0	Unknown	Unknown
npm/aws-cdk-lib	^2.232.2	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid Dockerfile Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 0 22 existing vulnerabilities detected
npm/constructs	^10.4.4	🟢 7.4	Details Check Score Reason Maintained 🟢 10 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Token-Permissions 🟢 5 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6

Scanned Files

• pnpm-lock.yaml
• test/package.json