fix(deps): vuln minor upgrades — 7 packages (minor: 3 · patch: 4) [examples/step-functions-typescript-stack] #616

Merged
nina9753 merged 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/step-functions-typescript-stack/1-1781593317 on Jun 26, 2026

Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: High-severity security update — 7 packages upgraded (MINOR changes included)

Manifests changed:

  • examples/step-functions-typescript-stack (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| fast-uri | 3.0.3 | 3.1.2 | minor | Transitive | 2 HIGH |
| aws-cdk-lib | 2.189.1 | 2.259.0 | minor | Direct | 1 HIGH |
| ajv | 8.17.1 | 8.20.0 | minor | Transitive | 2 MEDIUM |
| brace-expansion | 1.1.12 | 1.1.15 | patch | Transitive | 2 MEDIUM |
| yaml | 1.10.2 | 1.10.3 | patch | Transitive | 2 MEDIUM |
| diff | 4.0.2 | 4.0.4 | patch | Transitive | 2 LOW |

Security Details

🚨 Critical & High Severity (9 fixed)
| Package | Advisory (CVE / GHSA) | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| aws-cdk-lib | GHSA-999r-qq7v-r334 | HIGH | aws-cdk-lib: OS Command Injection in NodejsFunction Bundling | 2.189.1 | 2.246.0 |
| fast-uri | GHSA-q3j6-qgpj-74h6 | HIGH | fast-uri vulnerable to path traversal via percent-encoded dot segments | 3.0.3 | 3.1.1 |
| fast-uri | GHSA-v39h-62p7-jpjc | HIGH | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | 3.0.3 | 3.1.2 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
ℹ️ Other Vulnerabilities (8)
| Package | Advisory (CVE / GHSA) | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| ajv | GHSA-2g4f-4pwh-qvx6 | MODERATE | ajv has ReDoS when using $data option | 8.17.1 | 8.18.0 |
| ajv | CVE-2025-69873 | MODERATE | - | 8.17.1 | - |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.12 | - |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.12 | 5.0.5 |
| yaml | GHSA-48c2-rrv3-qjmp | MODERATE | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | 1.10.2 | 2.8.3 |
| yaml | CVE-2026-33532 | MODERATE | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | 1.10.2 | - |
| diff | CVE-2026-24001 | LOW | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | 4.0.2 | - |
| diff | GHSA-73rr-hh4g-fpgx | LOW | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | 4.0.2 | 8.0.3 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
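Added example, not part of this PR or of the bot that generated it: a small TypeScript checker that reads a Yarn lockfile (the Berry format that yarn@4.12.0 writes, and classic v1 entries) and confirms that every copy of each package in the tables above resolves to a patched version. It keeps one floor per major line, because the "Fixed In" column above lists minimatch 10.2.x while this PR moves the 3.x line to 3.1.5, and one lockfile can carry both lines; a copy on a major line with no listed floor is reported rather than assumed fixed. The floors are read off the tables above (the highest "Fixed In" version on a major line, or the version this PR moves the package to where the table shows "-" for that line); the sample lockfile, including its extra minimatch 9.x copy, is constructed for the example and is not this project's yarn.lock.

```typescript
// Added example, not code from this PR or from the bot that generated it.
// Given a Yarn lockfile and a per-package list of patched floors (one per major
// line), report every resolved version that is below its floor or that sits on a
// major line with no listed floor. Reads Yarn Berry (yarn@4) and classic v1 entries.

type Floors = Record<string, string[]>;   // package name -> patched floors, one per major line
interface Finding { pkg: string; resolved: string; required: string }

// "3.1.5" -> [3, 1, 5]; pre-release/build suffixes are dropped before comparing.
function parseVersion(v: string): number[] {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

function versionAtLeast(actual: string, floor: string): boolean {
  const a = parseVersion(actual);
  const f = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== f[i]) return a[i] > f[i];
  }
  return true;
}

// "minimatch@npm:^3.1.2", "yaml@^1.10.0" or "@scope/pkg@^1.0.0" -> package name (scope-aware).
function descriptorName(d: string): string {
  const at = d.indexOf("@", d.startsWith("@") ? 1 : 0);
  return at === -1 ? d : d.slice(0, at);
}

// Map each package name to the set of versions the lockfile resolves it to.
//   Berry:   "minimatch@npm:^3.0.4, minimatch@npm:^3.1.2":   then   version: 3.1.5
//   Classic: minimatch@^3.0.4, minimatch@^3.1.2:             then   version "3.1.2"
export function resolvedVersions(lock: string): Map<string, Set<string>> {
  const out = new Map<string, Set<string>>();
  let current: string[] = [];              // packages named by the entry header being read
  for (const raw of lock.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {               // unindented line: a new entry header
      const header = line.replace(/:\s*$/, "").replace(/^"|"$/g, "");
      current = header.startsWith("__")    // skip Berry's __metadata block
        ? []
        : header.split(",").map((d) => descriptorName(d.trim().replace(/^"|"$/g, "")));
      continue;
    }
    const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (!m) continue;
    for (const pkg of current) {
      if (!out.has(pkg)) out.set(pkg, new Set());
      out.get(pkg)!.add(m[1]);
    }
  }
  return out;
}

// Every resolved copy must meet the floor for its own major line. A copy on a major line
// with no listed floor is reported too: nothing in the advisory says that line is fixed.
export function checkLockfile(lock: string, floors: Floors): Finding[] {
  const resolved = resolvedVersions(lock);
  const findings: Finding[] = [];
  for (const [pkg, lines] of Object.entries(floors)) {
    for (const v of Array.from(resolved.get(pkg) ?? []).sort()) {
      const major = parseVersion(v)[0];
      const floor = lines.find((f) => parseVersion(f)[0] === major);
      if (floor === undefined) {
        findings.push({ pkg, resolved: v, required: "no patched floor listed for this major line" });
      } else if (!versionAtLeast(v, floor)) {
        findings.push({ pkg, resolved: v, required: floor });
      }
    }
  }
  return findings;
}

// Floors from the tables above: the highest "Fixed In" version on a major line, or, where the
// table shows "-" for the line this PR targets, the version the PR moves the package to.
export const ADVISORY_FLOORS: Floors = {
  "minimatch": ["3.1.5", "10.2.3"],
  "fast-uri": ["3.1.2"],
  "aws-cdk-lib": ["2.246.0"],
  "ajv": ["8.18.0"],
  "brace-expansion": ["1.1.15", "5.0.5"],
  "yaml": ["1.10.3", "2.8.3"],
  "diff": ["4.0.4", "8.0.3"],
};

// Constructed sample (not this project's real yarn.lock): Berry entries in which minimatch
// has an extra 9.x copy beside the upgraded 3.1.5, plus one classic-format yaml entry.
export const SAMPLE_LOCK = `# This file is generated by running "yarn install" inside your project.
__metadata:
  version: 8

"minimatch@npm:^3.0.4, minimatch@npm:^3.1.2":
  version: 3.1.5
  resolution: "minimatch@npm:3.1.5"

"minimatch@npm:^9.0.0":
  version: 9.0.3

"fast-uri@npm:^3.0.1":
  version: 3.1.2

yaml@^1.10.0:
  version "1.10.2"
  resolved "https://registry.yarnpkg.com/yaml/-/yaml-1.10.2.tgz"
`;
```

Run `checkLockfile` over examples/step-functions-typescript-stack/yarn.lock after checking out this branch; an empty result means every copy of the seven packages is at or above its floor. On the constructed sample it reports the minimatch 9.0.3 copy (no floor listed for that line) and yaml 1.10.2 (below 1.10.3).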

@gh-worker-campaigns-3e9aa4

Contributor Author

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details
  • Custom Action: registry.ddbuild.io/images/engraver-custom-action:update-yarn-lockfile ❌ (0.00s) - container exited with non-zero status code: 1:
Error Logs (last 30 lines)
Sourcing Yarn Switch environment
Starting classic install
error This project's package.json defines "packageManager": "yarn@4.12.0". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.
Restoring package.json...
package.json restored

Auto-Rebase · Add no-auto-rebase to opt out

@nina9753 nina9753 merged commit 5161c51 into main Jun 26, 2026
20 checks passed
@nina9753 nina9753 deleted the engraver-auto-version-upgrade/minorpatch/npm/step-functions-typescript-stack/1-1781593317 branch June 26, 2026 19:49