chore: enable eslint for the repo config #67
Merged
aws-cdk-automation merged 1 commit into main, Feb 19, 2025
mrgrain commented Feb 19, 2025
Comment on lines -41 to -52
| // Require all imported dependencies are actually declared in package.json | ||
| 'import/no-extraneous-dependencies': [ | ||
| 'error', | ||
| { | ||
| devDependencies: [ // Only allow importing devDependencies from: | ||
| '**/build-tools/**', // --> Build tools | ||
| '**/test/**', // --> Unit tests | ||
| ], | ||
| optionalDependencies: false, // Disallow importing optional dependencies (those shouldn't be in use in the project) | ||
| }, | ||
| ], | ||
|
|
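Review bot: the two restrictions this block encoded, `devDependencies` importable only from `**/build-tools/**` and `**/test/**` plus `optionalDependencies: false`, have no visible replacement at this location once the lines are gone. Suggest leaving a one-line comment naming the rule source that now covers `import/no-extraneous-dependencies`, and confirming that the generated config still rejects devDependency imports outside build-tool and test paths, because such imports resolve inside the workspace but not for a consumer of the published package.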
Removed this in favor of the projen built-in rule, which is pretty much the same but allows for a dynamic configuration of the paths in devDependencies.
mrgrain commented Feb 19, 2025
Changes here and in the other package lint configs are due to now using the projen built-in rule for `import/no-extraneous-dependencies`.
As you can see, these are pretty much the same. The main difference is that we now allow imports of peerDependencies, which seems acceptable if not desired.
mrgrain commented Feb 19, 2025
Comment on lines +184 to +194
| // Eslint for projen config | ||
| // @ts-ignore | ||
| repoProject.eslint = new pj.javascript.Eslint(repoProject, { | ||
| tsconfigPath: `./${repoProject.tsconfigDev.fileName}`, | ||
| dirs: [], | ||
| devdirs: ['projenrc', '.projenrc.ts'], | ||
| fileExtensions: ['.ts', '.tsx'], | ||
| lintProjenRc: false, | ||
| }); | ||
|
|
||
| const repo = configureProject(repoProject); |
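Review bot: the `// @ts-ignore` above the `repoProject.eslint = ...` assignment gives no reason and will keep suppressing silently even if the underlying type error goes away. Prefer `// @ts-expect-error` with a short explanation of why the assignment does not type-check, so the suppression is documented and the build flags it once it is no longer needed. A comment on why `lintProjenRc: false` is set while `devdirs` lists `.projenrc.ts` would also help, since the two options read as contradictory at first glance.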
This is the only actual change in here: We are adding a custom eslint config for the repo root.
79e828e to b47ba7f
iliapolo approved these changes Feb 19, 2025
github-merge-queue bot pushed a commit that referenced this pull request Feb 20, 2026
The `glob` and `minimatch` packages have been long-standing dependencies in this project, but they have become problematic for two reasons. First, there are known security vulnerabilities in the currently pinned versions. For example, [dependabot alert #67](https://github.com/aws/aws-cdk-cli/security/dependabot/67) flags an issue that requires upgrading. However, upgrading to the latest major versions of `glob` and `minimatch` is not a viable path forward because newer releases have moved to the BlueOak-1.0.0 license, which is not compatible with the licensing requirements of this project. Second, these packages come with a significant transitive dependency tree that includes `jackspeak`, `path-scurry`, `minipass`, and `foreground-child` among others. These packages are maintained by the same author and have historically seen frequent major version bumps that require attention from dependabot and manual review, creating ongoing maintenance overhead.

This change replaces `glob` with `fast-glob` and `minimatch` with `picomatch` across all packages in the monorepo. Both are well-established, MIT-licensed alternatives that provide equivalent functionality with a smaller dependency footprint. The `picomatch` library was already a transitive dependency through `chokidar`, and `toolkit-lib` already had a direct dependency on `picomatch@^4`, so this change consolidates the glob matching implementation rather than introducing something entirely new.

The API migration is straightforward. For globbing, `glob.sync('**', options)` becomes `globSync('**', options)` from `fast-glob`, with option names updated to match the `fast-glob` API (e.g. `nodir` → `onlyFiles`, `follow` → `followSymbolicLinks`). For pattern matching, `minimatch(str, pattern)` becomes `isMatch(str, pattern)` from `picomatch`, and `minimatch.filter(expression)` is replaced with a compiled `picomatch(expression)` matcher function, which is actually more efficient since it avoids recompiling the pattern for each test.

The `yarn.lock` cleanup removes several packages that are no longer needed: `glob@^11`, `glob@^9`, `minimatch@10.0.1`, `minimatch@^8`, `jackspeak@^4`, `minipass@^4`, and `path-scurry@^2`. This reduces the overall dependency count and install size.

### Checklist

- [ ] This change contains a major version upgrade for a dependency and I confirm all breaking changes are addressed
  - Release notes for the new version:

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
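The `yarn.lock` cleanup listed in the commit message above can be verified mechanically. The following is an added example, not code from the repository: it parses a yarn classic (v1) lockfile and reports locked entries that match the removed ranges. It assumes the v1 lockfile layout, reduces each listed range to its major version, and runs on a constructed sample lockfile.

```javascript
// Added example. Ranges named in the commit message, reduced to
// package name -> major versions (an assumption made for this check).
const REMOVED = new Map([
  ['glob', [11, 9]], ['minimatch', [10, 8]], ['jackspeak', [4]],
  ['minipass', [4]], ['path-scurry', [2]],
]);

// Parse a yarn classic (v1) lockfile into [{ name, descriptors, version }].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Header: comma-separated descriptors, each optionally quoted.
      const descriptors = line.slice(0, -1).split(',')
        .map((d) => d.trim().replace(/^"|"$/g, ''));
      // Name is everything before the last '@' (scoped names start with '@').
      const name = descriptors[0].slice(0, descriptors[0].lastIndexOf('@'));
      current = { name, descriptors, version: null };
      entries.push(current);
    } else if (current) {
      // Only the entry's own two-space-indented version field counts.
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Return "name@version" for each locked entry the cleanup should have removed.
function findLeftovers(lockText) {
  return parseYarnLock(lockText)
    .filter((e) => e.version !== null
      && (REMOVED.get(e.name) || []).includes(parseInt(e.version, 10)))
    .map((e) => `${e.name}@${e.version}`);
}

// Constructed sample lockfile (versions are illustrative, not the repo's).
const SAMPLE_LOCK = [
  '# yarn lockfile v1', '',
  'fast-glob@^3.3.0:', '  version "3.3.0"', '',
  'glob@^11.0.0, glob@^11.0.1:', '  version "11.0.1"',
  '  dependencies:', '    minimatch "^10.0.0"', '    minipass "^7.1.2"', '',
  'minimatch@10.0.1:', '  version "10.0.1"', '',
  'minipass@^7.1.2:', '  version "7.1.2"', '',
  '"@types/picomatch@^4":', '  version "4.0.0"',
].join('\n');

console.log(findLeftovers(SAMPLE_LOCK));
```

Matching on the resolved `version` field rather than the descriptor text lets other majors of the same package, such as the `minipass` 7.x entry in the sample, pass without being flagged.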
Fixes repo config not being linted.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license