Skip to content

chore(deps): bump io.github.cdklabs:cdknag from 2.38.2 to 3.0.1 in /infra/cdk#914

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/infra/cdk/io.github.cdklabs-cdknag-3.0.1
Closed

chore(deps): bump io.github.cdklabs:cdknag from 2.38.2 to 3.0.1 in /infra/cdk#914
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/infra/cdk/io.github.cdklabs-cdknag-3.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps io.github.cdklabs:cdknag from 2.38.2 to 3.0.1.

Release notes

Sourced from io.github.cdklabs:cdknag's releases.

v3.0.1

3.0.1 (2026-06-15)

Bug Fixes

  • walk ancestor tree in isAcknowledged and WriteNagSuppressions (#2349) (9c2d2cb)

v3.0.0

3.0.0 (2026-06-12)

⚠ BREAKING CHANGES

  • cdk nag v3 rewrites the core engine from an IAspect to an IPolicyValidationPlugin. Rule packs now participate in CDK's native policy validation framework instead of emitting annotations during synthesis.

Features

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jul 2, 2026
Bumps [io.github.cdklabs:cdknag](https://github.com/cdklabs/cdk-nag) from 2.38.2 to 3.0.1.
- [Release notes](https://github.com/cdklabs/cdk-nag/releases)
- [Commits](cdklabs/cdk-nag@v2.38.2...v3.0.1)

---
updated-dependencies:
- dependency-name: io.github.cdklabs:cdknag
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/infra/cdk/io.github.cdklabs-cdknag-3.0.1 branch from 913d572 to 68ec208 Compare July 2, 2026 08:29
@ybezsonov

Copy link
Copy Markdown
Contributor

Holding this one: cdknag 3.0.1 is a major bump that removes NagSuppressions and NagPackSuppression from io.github.cdklabs.cdknag. infra/cdk/src/main/java/sample/com/WorkshopApp.java uses these APIs in 30+ places, so the build-infra check fails. Merging requires migrating the suppression code to the cdknag 3.x API first — leaving open until that's done.

@ybezsonov

Copy link
Copy Markdown
Contributor

Deferring cdk-nag 3.x. cdk-nag 3.0.1's NagPack is plugin-only (IPolicyValidationPlugin, no IAspect) and its findings can only be suppressed via CDK's native Validations.acknowledge(), which rejects rule ids containing '::' — i.e. every AWS managed-policy (IAM4) and ARN-based (IAM5) finding. So 3.x cannot suppress this stack's IAM findings and cannot run report-only. infra/cdk is instead moving to aws-cdk-lib 2.250.0 (highest before the native Validations framework in 2.251 breaks cdk-nag 2.x suppression) + cdk-nag 2.38.2 + the graduated stable eks_v2 module, with cdk synth passing with 0 findings. Rationale and the concrete re-adoption trigger are documented in infra/cdk/NAG.md. This PR will effectively re-appear (as a future cdk-nag 3.x bump) once upstream fixes acknowledge id parsing; that PR's build-infra check is the tripwire to switch.

@ybezsonov ybezsonov closed this Jul 2, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/maven/infra/cdk/io.github.cdklabs-cdknag-3.0.1 branch July 2, 2026 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant