feat: integrate lsp feature branch #1681

Open: megha-narayanan wants to merge 15 commits into main from feat/cdk-lsp

megha-narayanan commented Jun 29, 2026

Merges the `feat/cdk-lsp` branch into `main`. The change is additive and introduces no behavior change to existing CLI commands.

  • New @aws-cdk/cdk-explorer package containing the Language Server under lib/lsp (server, diagnostics, CodeLens, template locator, position mapping).
  • Extends @aws-cdk/cloud-assembly-api with two parsing modules consumed by the server: construct-tree.ts (builds the construct tree from a cloud assembly) and template-ranges.ts (resolves a logical ID or property to its byte range in the template).

Capabilities (folds in #1559, #1593, #1592, #1617, #1624, #1630, #1631, #1662, #1634, #1674):

  • Diagnostics: surfaces synth errors and policy-validation violations in the editor, mapped back to the source.
  • Surfaces CFN resources and adds CodeLens navigation from a construct to its template resource.
  • Navigation between construct source and the synthesized template in both directions.
  • Live refresh: diagnostics and CodeLens update when cdk.out changes.
  • Reads are constrained to the project directory, and template reads run off the LSP event loop.

This PR is the server and parsing foundation. It does not add a shipped CLI command or the web explorer.

Checklist

  • This change contains a major version upgrade for a dependency and I confirm all breaking changes are addressed
    • Release notes for the new version:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

megha-narayanan and others added 9 commits May 27, 2026 15:33
Basic scaffolding for new packages to be implemented: a core
functionality library, the lsp server, and the web explorer.

Refactor: put LSP skeleton in a unique branch from web explorer

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- Adds an assembly reader that joins `cdk.out/`'s `tree.json` with each
stack's manifest metadata into a `ConstructNode` tree carrying
`logicalId`, CFN type, and source location.
- LSP publishes CDK validation violations as `Diagnostic`s anchored to
the construct's TypeScript source line, with rule-level severity.
- LSP serves `CodeLens` entries above each construct creation site
summarising the CFN resources it produces.
- Source resolution covers `.ts` and `.js` (with sibling `.js.map`);
non-TS apps degrade gracefully (no crash, no source-linked features).

Builds on #1592, which surfaced display-only CodeLens entries for the CFN resources each construct produces. This PR makes them **clickable**. Selecting a lens jumps to the resource's definition in the synthesized CloudFormation template.

Features:
- **Clickable navigation** — each lens carries an `openResource` command that opens the resource's template file at its logical-ID line.
- **Multi-resource picker** — constructs producing several resources show a QuickPick; single-resource constructs open directly.
- **Positional `templateFile` resolution (cloud-assembly-api)** — `buildConstructTree` threads the owning template through the tree, switching at NestedStack boundaries.
- **Clearer titles** — `Creates AWS::S3::Bucket`, or `Creates 3 resources: AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::KMS::Key`.

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- Computes character ranges for CloudFormation resource blocks in synthesized templates and uses them for navigation in both directions:
  - CodeLens "go to" now selects the whole resource block (was a zero-width cursor).
  - New go-to-definition from a synthesized template back to the construct's source.

A note on the JSON parser dependency

Computing character ranges needs a position-aware JSON parser, since `JSON.parse` discards offsets. The natural choice is jsonc-parser (what the VS Code JSON language service uses). We could not use it here: its UMD entry loads internal modules through a parameter-shadowed `require("./impl/...")` that esbuild (used by node-backpack to bundle the CLI) cannot statically trace, so the bundled `cdk/cdk-assets` binaries fail with `Cannot find module './impl/format'`. Known, still-open: microsoft/node-jsonc-parser#57, evanw/esbuild#1619. Its ESM build bundles fine, but the esbuild mainFields workaround isn't exposed by node-backpack, and importing the ESM build directly breaks our CommonJS tests; marking it external isn't appropriate for a self-contained CLI. So we use [json-source-map](https://www.npmjs.com/package/json-source-map), a single-file CommonJS module that bundles cleanly.


The LSP currently reads `cdk.out` once at startup and never refreshes. After this PR, any rewrite of `cdk.out` refreshes the editor's diagnostics and CodeLenses automatically.

* New `lib/core/assembly-watcher.ts`: a chokidar-backed watcher with a debounced 200ms `onChange`, filtered to `manifest.json`, `tree.json`, `validation-report.json`. RWLock marker files (`synth.lock`, `read.<pid>.<n>.lock`) are excluded. Throws from `onChange` route through `onError` rather than leaking from the timer. Lives in `lib/core/` so the web explorer can reuse it.
* `refreshFromAssembly` is now the single fan-out for new assembly data: rebuild `cachedIndex`, publish empty diagnostics for URIs that no longer have violations (clearing resolved squiggles), republish current diagnostics, and send `workspace/codeLens/refresh` (gated on `workspace.codeLens.refreshSupport`).
* When the validation report fails to load, last-good diagnostics are preserved, matching the existing contract for `'error'` and `'not-found'` reads.
* Watcher started in `onInitialized` after the initial refresh, closed in `onShutdown`.

The LSP followed source/template paths from the cloud assembly (stack-trace frames, source maps, template paths) with only an extension allow-list. If `cdk.out` is tampered with, a crafted path like `../../../etc/passwd.js` could be read or surfaced as a nav target.

Adds a symlink-aware `isWithinRoot` and gates every read: source paths against the project dir, `templateFile` against the assembly dir. Out-of-root paths are dropped as not-navigable (same as non-TS apps). No change for valid assemblies.

Convert the two synchronous template reads on the LSP request paths
(onDefinition and the CodeLens provider) to fs.promises, continuing the
async direction from #1631.

resourceTarget, codeLensesForFile, and commandFor are now async and read
sequentially, so the number of concurrent reads never grows with app
size. The LspHandlers interface widens onCodeLens and onDefinition to
return Promises; the connection wiring passes the Promise through
unchanged.

readAssembly and the source-map reads stay synchronous: they run at
startup and on watch events, not per request, and convert-source-map
takes a synchronous reader.

@github-actions github-actions Bot added the p2 label Jun 29, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team June 29, 2026 16:02
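
The containment gate described in the commit message above that adds `isWithinRoot`, as an added example that is not the PR's code: it contrasts an extension-only check and a lexical `..` check with a realpath-based one on a constructed temp tree. The function signatures, file names and directory layout are assumptions.

```javascript
// Added example (not the PR's code): gate paths taken from cdk.out before reading them.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Extensions the page says source resolution covers.
const SOURCE_EXTENSIONS = new Set([".ts", ".js"]);

// Pre-fix behaviour as the commit message describes it: extension check only.
function passesExtensionAllowList(candidate) {
  return SOURCE_EXTENSIONS.has(path.extname(candidate));
}

// True when `rel` (a path.relative() result) stays at or below its base.
function staysInside(rel) {
  return rel === "" ||
    (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Lexical containment: collapses ".." segments but never follows symlinks.
function isWithinRootLexical(root, candidate) {
  const base = path.resolve(root);
  return staysInside(path.relative(base, path.resolve(base, candidate)));
}

// Symlink-aware containment (hypothetical signature): canonicalise both sides
// with realpath, then compare. Unresolvable paths are rejected, not guessed at.
function isWithinRoot(root, candidate) {
  try {
    const realRoot = fs.realpathSync(root);
    const realTarget = fs.realpathSync(path.resolve(root, candidate));
    return staysInside(path.relative(realRoot, realTarget));
  } catch {
    return false; // missing file, dangling link, permission error
  }
}

// Gate for a source path: both checks must pass, otherwise "not navigable".
function navigableSource(projectDir, candidate) {
  return passesExtensionAllowList(candidate) && isWithinRoot(projectDir, candidate);
}

// Builds a constructed project tree in a temp dir and evaluates sample paths.
function runDemo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "within-root-"));
  try {
    const project = path.join(base, "project");
    const assembly = path.join(project, "cdk.out");
    fs.mkdirSync(path.join(project, "lib"), { recursive: true });
    fs.mkdirSync(assembly);
    fs.writeFileSync(path.join(project, "lib", "stack.ts"), "// construct source\n");
    fs.writeFileSync(path.join(assembly, "App.template.json"), "{}\n");
    fs.writeFileSync(path.join(base, "outside.js"), "// not part of the project\n");
    // A link that lives inside the project but resolves outside it.
    fs.symlinkSync(path.join(base, "outside.js"), path.join(project, "lib", "link.js"));

    const report = {};
    for (const p of ["lib/stack.ts", "../outside.js", "lib/link.js", "lib/missing.ts"]) {
      report[p] = {
        extensionOnly: passesExtensionAllowList(p),
        lexical: isWithinRootLexical(project, p),
        gated: navigableSource(project, p),
      };
    }
    // templateFile is checked against the assembly dir, a narrower root.
    report.templates = {
      inAssembly: isWithinRoot(assembly, "App.template.json"),
      projectFileViaAssembly: isWithinRoot(assembly, "../lib/stack.ts"),
    };
    return report;
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}

console.log(runDemo());
```

The check and the subsequent read are separate filesystem operations, so the verdict describes the tree at check time only.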
# Conflicts:
#	packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES
#	packages/aws-cdk/THIRD_PARTY_LICENSES
#	packages/cdk-assets/THIRD_PARTY_LICENSES
#	yarn.lock

github-actions Bot commented Jun 29, 2026


Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 12 package(s) with unknown licenses.
  • ⚠️ 1 packages with OpenSSF Scorecard issues.
See the Details below.

License Issues

packages/@aws-cdk/cdk-explorer/package.json

| Package | Version | License | Issue Type |
|---|---|---|---|
| @aws-cdk/cloud-assembly-api | ^0.0.0 | Null | Unknown License |
| @aws-cdk/cloud-assembly-schema | ^0.0.0 | Null | Unknown License |
| @aws-cdk/toolkit-lib | ^0.0.0 | Null | Unknown License |
| @jridgewell/trace-mapping | ^0.3 | Null | Unknown License |
| chokidar | ^4 | Null | Unknown License |
| convert-source-map | ^2 | Null | Unknown License |
| express | ^4 | Null | Unknown License |
| vscode-jsonrpc | ^8 | Null | Unknown License |
| vscode-languageserver | ^9 | Null | Unknown License |
| vscode-languageserver-textdocument | ^1 | Null | Unknown License |

packages/@aws-cdk/cloud-assembly-api/package.json

| Package | Version | License | Issue Type |
|---|---|---|---|
| json-source-map | ^0.6.1 | Null | Unknown License |

yarn.lock

| Package | Version | License | Issue Type |
|---|---|---|---|
| @aws-cdk/cdk-explorer@workspace:packages/ | 0.0.0-use.local | Null | Unknown License |

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@aws-cdk/cloud-assembly-api ^0.0.0 UnknownUnknown
npm/@aws-cdk/cloud-assembly-schema ^0.0.0 UnknownUnknown
npm/@aws-cdk/toolkit-lib ^0.0.0 UnknownUnknown
npm/@cdklabs/eslint-plugin ^2.0.9 UnknownUnknown
npm/@jridgewell/trace-mapping ^0.3 UnknownUnknown
npm/@stylistic/eslint-plugin ^3 UnknownUnknown
npm/@types/convert-source-map ^2 UnknownUnknown
npm/@types/express ^4 UnknownUnknown
npm/@types/jest ^29.5.14 UnknownUnknown
npm/@types/node ^20 UnknownUnknown
npm/@typescript-eslint/eslint-plugin ^8 UnknownUnknown
npm/@typescript-eslint/parser ^8 UnknownUnknown
npm/chokidar ^4 UnknownUnknown
npm/constructs ^10.0.0 UnknownUnknown
npm/convert-source-map ^2 UnknownUnknown
npm/eslint ^9 UnknownUnknown
npm/eslint-config-prettier ^10.1.8 UnknownUnknown
npm/eslint-import-resolver-typescript ^4.4.5 UnknownUnknown
npm/eslint-plugin-import ^2.32.0 UnknownUnknown
npm/eslint-plugin-jest ^29.15.2 UnknownUnknown
npm/eslint-plugin-jsdoc ^62.9.0 UnknownUnknown
npm/eslint-plugin-prettier ^4.2.5 UnknownUnknown
npm/express ^4 UnknownUnknown
npm/jest ^29.7.0 UnknownUnknown
npm/jest-junit ^16 UnknownUnknown
npm/nx ^22.7.5 UnknownUnknown
npm/prettier ^2.8 UnknownUnknown
npm/projen ^0.99.73 UnknownUnknown
npm/ts-jest ^29.4.11 UnknownUnknown
npm/typescript 5.9 UnknownUnknown
npm/vscode-jsonrpc ^8 UnknownUnknown
npm/vscode-languageserver ^9 UnknownUnknown
npm/vscode-languageserver-protocol ^3 UnknownUnknown
npm/vscode-languageserver-textdocument ^1 UnknownUnknown
npm/@types/json-source-map ^0.6.0 UnknownUnknown
npm/json-source-map ^0.6.1 UnknownUnknown
npm/@aws-cdk/cdk-explorer@workspace:packages/ 0.0.0-use.local UnknownUnknown
npm/@types/body-parser 1.19.6 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/connect 3.4.38 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/convert-source-map 2.0.3 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/express 4.17.25 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/express-serve-static-core 4.19.8 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/http-errors 2.0.5 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/json-source-map 0.6.0 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/mime 1.3.5 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/qs 6.15.1 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/range-parser 1.2.7 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/send 1.2.1 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/send 0.17.6 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/serve-static 1.15.10 🟢 6.5
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 8Found 25/28 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/body-parser 1.20.5 🟢 8.1
Details
CheckScoreReason
Code-Review🟢 8Found 11/13 approved changesets -- score normalized to 8
Maintained🟢 1015 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Vulnerabilities🟢 100 existing vulnerabilities detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
SAST🟢 10SAST tool is run on all commits
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 10security policy file detected
CI-Tests🟢 1029 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 31 contributing companies or organizations
npm/express 4.22.2 🟢 8.9
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 10all changesets reviewed
Maintained🟢 1017 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Dependency-Update-Tool🟢 10update tool detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 100 existing vulnerabilities detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
SAST🟢 10SAST tool is run on all commits
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 108 contributing companies or organizations
npm/json-source-map 0.6.1 ⚠️ 2
Details
CheckScoreReason
Dangerous-Workflow⚠️ -1no workflows found
Code-Review⚠️ 0Found 0/21 approved changesets -- score normalized to 0
Pinned-Dependencies⚠️ -1no dependencies found
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Token-Permissions⚠️ -1No tokens found
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/qs 6.15.3 🟢 5.4
Details
CheckScoreReason
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1017 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review⚠️ 2Found 6/30 approved changesets -- score normalized to 2
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices🟢 5badge detected: Passing
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

npm/side-channel 1.1.1 🟢 4.3
Details

| Check | Score | Reason |
| --- | --- | --- |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Code-Review | ⚠️ 0 | Found 0/30 approved changesets -- score normalized to 0 |
| Maintained | 🟢 4 | 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| SAST | ⚠️ 0 | no SAST tool detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| License | 🟢 10 | license file detected |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Security-Policy | 🟢 10 | security policy file detected |

npm/vscode-jsonrpc 8.2.0 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-jsonrpc 9.0.0 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-jsonrpc 8.2.1 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-languageserver 9.0.1 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-languageserver-protocol 3.17.5 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-languageserver-protocol 3.18.1 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-languageserver-textdocument 1.0.13 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-languageserver-types 3.17.5 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

npm/vscode-languageserver-types 3.18.0 🟢 8.7
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all last 30 commits are reviewed through GitHub |
| CII-Best-Practices | ⚠️ 0 | no badge detected |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Token-Permissions | 🟢 10 | tokens are read-only in GitHub workflows |
| Packaging | ⚠️ -1 | no published package detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |

Scanned Files

  • packages/@aws-cdk/cdk-explorer/package.json
  • packages/@aws-cdk/cloud-assembly-api/package.json
  • yarn.lock

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@codecov-commenter

codecov-commenter commented Jun 29, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.59%. Comparing base (c03ed20) to head (8762f7b).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1681      +/-   ##
==========================================
+ Coverage   89.37%   89.59%   +0.22%     
==========================================
  Files          77       77              
  Lines       11716    11711       -5     
  Branches     1625     1643      +18     
==========================================
+ Hits        10471    10493      +22     
+ Misses       1214     1189      -25     
+ Partials       31       29       -2     

| Flag | Coverage Δ |
| --- | --- |
| suite.unit | 89.59% <ø> (+0.22%) ⬆️ |

Adds manual synth and auto-synth-on-save to the CDK LSP. The cdk.out
watcher (landed in #1630) handles all diagnostics/lens refreshes --
these commands just add new ways to produce a fresh assembly.

Features:
- ↻ Synth now CodeLens at the top of any CDK source file (only when
  auto-synth is off)
- ▶ Enable auto-synth / ⏹ Disable auto-synth toggle
- Auto-synth starts disabled
- When auto-synth is on, saving any non-ignored file in the project
  triggers a synth
- All feedback/output goes to the Output panel, no popups

Design decisions (the important ones):

- Concurrent synths are suppressed: if a save fires during a slow synth,
  that save is skipped. The next save picks it up.
- cdk.json is read once at startup. Changing it requires an LSP restart.
- The toggle/synth lenses only appear on files that already have L1
  resource lenses. Files with no CDK resources see nothing.
- Toggle state resets to disabled on LSP restart (not persisted).

NOTE: One thing not in this PR (but must land before prod) is a
workspace trust gate. We should verify with the user that they trust
this workspace before running any synth. I may need to set up some way
to preserve this between sessions.

Open questions / things I need some feedback on:
- Is "auto-synth" the right name? Alternatives: "synth on save", "live
synth"?
- Where should the toggle live? Line 0 of a CDK file works for LSP-only,
but it's only visible when you're in a file with constructs. Status bar
item would be better UX but needs a client extension. Is there a better
alternative?
- Should synth failures (app compile errors) be more visible than the
Output panel? A diagnostic on the first line of the failing file, for
example?
- If the app has context lookups and no cached cdk.context.json, synth
fails with an auth/context error. Should the error message detect this
and suggest running cdk synth in terminal first?


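
The gating that the commit message above describes (auto-synth off by default, concurrent synths skipped, and the workspace trust gate it says must still land), sketched as an added example that is not code from this PR. `SynthGate`, its outcome names and the ignore list are hypothetical; paths are assumed to be POSIX-style and the synth subprocess is injected as a callback.

```typescript
// Added illustration: SynthGate and its outcome names are hypothetical, not cdk-explorer API.
type Outcome = 'started' | 'skipped-untrusted' | 'skipped-disabled' | 'skipped-busy' | 'skipped-ignored';
type SynthFn = (projectRoot: string, done: (exitCode: number) => void) => void;

class SynthGate {
  private autoSynth = false; // toggle starts disabled and is not persisted
  private trusted = false;   // workspace trust must be granted explicitly
  private inFlight = false;  // at most one synth subprocess at a time
  private readonly root: string;
  private readonly synth: SynthFn;
  private readonly ignored = ['cdk.out', 'node_modules', '.git']; // assumed ignore list
  lastExitCode: number | undefined;

  constructor(projectRoot: string, synth: SynthFn) {
    this.root = projectRoot.replace(/\/+$/, '') + '/';
    this.synth = synth;
  }

  grantTrust(): void { this.trusted = true; }
  setAutoSynth(on: boolean): void { this.autoSynth = on; }

  // Manual "Synth now": synth runs the app's own code, so trust is checked first.
  synthNow(): Outcome {
    if (!this.trusted) return 'skipped-untrusted';
    if (this.inFlight) return 'skipped-busy';
    this.inFlight = true;
    try {
      this.synth(this.root, (exitCode) => {
        this.lastExitCode = exitCode;
        this.inFlight = false; // the next save may synth again
      });
    } catch (err) {
      this.inFlight = false; // a failed spawn must not wedge the guard
      throw err;
    }
    return 'started';
  }

  // Save hook: only files inside the project and outside ignored directories count.
  onSave(file: string): Outcome {
    if (!this.autoSynth) return 'skipped-disabled';
    if (!file.startsWith(this.root)) return 'skipped-ignored';
    const segments = file.slice(this.root.length).split('/');
    if (segments.some((s) => s === '..' || this.ignored.indexOf(s) !== -1)) return 'skipped-ignored';
    return this.synthNow();
  }
}
```

Because the save hook goes through `synthNow()`, one trust check covers both the manual lens and auto-synth.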
@github-actions

Contributor

Total lines changed 4129 is greater than 1000. Please consider breaking this PR down.

Setting JSII_HOST_STACK_TRACES=1 on the synth subprocess makes jsii
forward the host-language frames, so resolveFrames finds the .py/.java
source.


Labels

p2 pr/exempt-size-check Skips PR size check


4 participants