Skip to content

fix(deploy): pin vended aws-cdk-lib and enforce cloud-assembly schema compat#1759

Open
jesseturner21 wants to merge 2 commits into
mainfrom
pin-template-aws-cdk-lib
Open

fix(deploy): pin vended aws-cdk-lib and enforce cloud-assembly schema compat#1759
jesseturner21 wants to merge 2 commits into
mainfrom
pin-template-aws-cdk-lib

Conversation

@jesseturner21

Copy link
Copy Markdown
Contributor

Description

The vended CDK template declared aws-cdk-lib with a caret range (^2.248.0), so freshly created projects resolve whatever version npm serves. When upstream aws-cdk-lib bumps its cloud-assembly schema major (as 2.258.0 did with schema v54), new projects write manifests that the CLI's bundled readers (@aws-cdk/toolkit-lib, @aws-cdk/cdk-assets-lib) cannot parse, and agentcore deploy fails with AssemblyVersionMismatch. Readers accept older schemas but hard-fail on newer ones, so an unpinned template can always drift into this breakage between CLI releases.

This PR pins the template and makes the writer/reader coupling impossible to break silently:

  • Pin: src/assets/cdk/package.json now exact-pins aws-cdk-lib to 2.261.0 (writes schema v54, matching the bundled readers). The root aws-cdk-lib devDependency is exact-pinned to the same version as a lockstep anchor; npm-shrinkwrap.json regenerated.
  • Enforcement: new unit test src/assets/__tests__/cdk-schema-compat.test.ts asserts (1) the template pin is exact, (2) template pin === root devDep === installed copy, and (3) each bundled reader's max supported schema major >= the schema major the pinned aws-cdk-lib writes. Any one-sided bump fails CI with an actionable message.
  • Maintenance: new scripts/sync-template-cdk.mjs re-syncs the root devDep, template pin, and asset snapshots in one command. On Dependabot aws-cdk group PRs: npm ci && node scripts/sync-template-cdk.mjs. Documented in docs/testing/unit-tests.md, with a pointer comment in dependabot.yml.

Existing projects (already scaffolded with the caret) are unaffected by this change; newly created projects get the exact pin.

Related Issue

Closes #

Documentation PR

N/A — docs updated in-repo (docs/testing/unit-tests.md).

Type of Change

  • Bug fix

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Additional verification:

  • Built the CLI and ran agentcore create: the generated project vends "aws-cdk-lib": "2.261.0" and its install resolves @aws-cdk/cloud-assembly-schema@54.11.0 (major 54, readable by both bundled readers).
  • Negative tests: a drifted template pin fails the lockstep assertions; simulating a schema-55 writer fails both reader-compat assertions with the AssemblyVersionMismatch explanation and sync-script instructions.
  • Sync script is idempotent (reports nothing to do on a synced tree) and correctly re-pins a drifted template.

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

… compat

The vended CDK template declared aws-cdk-lib with a caret range, so fresh
projects resolve whatever npm serves. When upstream aws-cdk-lib bumps its
cloud-assembly schema major, new projects write manifests the CLI's bundled
readers (@aws-cdk/toolkit-lib, @aws-cdk/cdk-assets-lib) cannot parse, and
agentcore deploy fails with AssemblyVersionMismatch.

Pin the template's aws-cdk-lib to an exact version (2.261.0, schema v54)
and keep it in lockstep with the CLI's readers:

- src/assets/cdk/package.json: aws-cdk-lib ^2.248.0 -> 2.261.0 (exact)
- package.json: exact-pin the aws-cdk-lib devDependency as the lockstep
  anchor; regenerate npm-shrinkwrap.json
- New unit test (cdk-schema-compat.test.ts) asserts the template pin, root
  devDep, and installed copy match, and that each bundled reader supports
  a schema major >= what the pinned aws-cdk-lib writes
- New scripts/sync-template-cdk.mjs re-syncs the pins and snapshots in one
  command; the test's failure messages point to it
- dependabot.yml comment + docs/testing/unit-tests.md section describing
  the workflow for aws-cdk group bumps

Verified: full unit suite green; fresh agentcore create vends the exact
pin and resolves cloud-assembly-schema 54.x; negative tests (drifted pin,
simulated schema-55 writer) fail with actionable messages.
@jesseturner21 jesseturner21 requested a review from a team July 14, 2026 21:18
@github-actions github-actions Bot added the size/m PR size: M label Jul 14, 2026
@github-actions github-actions Bot added agentcore-harness-reviewing AgentCore Harness review in progress and removed agentcore-harness-reviewing AgentCore Harness review in progress labels Jul 14, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 14, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Package Tarball

aws-agentcore-0.24.1.tgz

How to install

gh release download pr-1759-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.24.1.tgz

@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 14, 2026
@github-actions github-actions Bot added size/m PR size: M and removed size/m PR size: M labels Jul 14, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 14, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 14, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 39.91% 14809 / 37101
🔵 Statements 39.17% 15782 / 40286
🔵 Functions 33.97% 2522 / 7423
🔵 Branches 33.41% 9863 / 29521
Generated in workflow #4097 for commit 4b15e8e by the Vitest Coverage Report Action

"dependencies": {
"@aws/agentcore-cdk": "^0.1.0-alpha.19",
"aws-cdk-lib": "^2.248.0",
"aws-cdk-lib": "2.261.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if a customer creates a project with this version, is it their responsibility for updating it going forward? What happens if aws-cdk-lib releases new features we depend on for a new feature, but the customers existing project is on an older version?

* If any test here fails after a dependency bump, run:
*
* node scripts/sync-template-cdk.mjs
*/

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like we have similar comments in the dependabot.yml, the script to update, the readme, and the test here. Does it make sense to establish a source of truth and link to it?

return Number(match[1]);
}

describe('vended CDK template / bundled cloud-assembly reader compatibility', () => {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to test this at a higher level? This feels highly specific to the implementation rather than the behavior.

"@aws/agentcore-cdk": "^0.1.0-alpha.19",
"aws-cdk-lib": "^2.248.0",
"aws-cdk-lib": "2.261.0",
"constructs": "^10.0.0"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we pin other dependencies as well? Even though we own the cdk package, we don't currently have backwards-compat testing gating release, and wondering if there's a risk we break existing projects.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/m PR size: M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants