Return full list of adverse actions as top-level field

.github/workflows/check-common-cdk.yml

@@ -24,6 +24,10 @@ jobs:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v5
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
+
       - name: Install dev dependencies
         run: "pip install -r backend/common-cdk/requirements-dev.in"
 
@@ -45,6 +49,10 @@ jobs:
         with:
           python-version: '3.14'
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
+
       - name: Install dev dependencies
         run: "pip install -r backend/common-cdk/requirements-dev.in"
 

.github/workflows/check-compact-connect-ui-app.yml

@@ -25,8 +25,8 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       - name: Install dev dependencies
         run: "pip install -r backend/compact-connect-ui-app/requirements-dev.txt"
@@ -87,8 +87,8 @@ jobs:
           python-version: '3.14'
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       # Setup Node
       - name: Setup Node

.github/workflows/check-compact-connect.yml

@@ -25,8 +25,8 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       - name: Install dev dependencies
         run: "pip install -r backend/compact-connect/requirements-dev.txt"
@@ -87,8 +87,8 @@ jobs:
           python-version: '3.14'
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       # Setup Node
       - name: Setup Node
@@ -129,8 +129,8 @@ jobs:
           python-version: '3.12'
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       - name: Install dependencies
         run: "cd backend/compact-connect/lambdas/python/purchases; pip install -r requirements.txt"
@@ -142,8 +142,8 @@ jobs:
         run: "cd backend/compact-connect/lambdas/python/purchases; ruff check $(git ls-files '*.py')"
 
       - name: Check Dependencies
-        # Ignore pip vulnerability that does not affect Python 3.12+
-        run: "pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph"
+        # Ignore known pip and lxml advisories currently accepted for this repo.
+        run: "pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph --ignore-vuln CVE-2026-41066"
 
       - name: Test backend
         run: "cd backend/compact-connect/lambdas/python/purchases; PYTHONPATH=../common pytest tests --cov --cov-fail-under=90"

.github/workflows/check-cosmetology-app.yml

@@ -25,8 +25,8 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       - name: Install dev dependencies
         run: "pip install -r backend/cosmetology-app/requirements-dev.txt"
@@ -86,8 +86,8 @@ jobs:
           python-version: '3.14'
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       # Setup Node
       - name: Setup Node

.github/workflows/check-multi-account.yml

@@ -25,8 +25,8 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       - name: Install dev dependencies
         run: "pip install -r backend/multi-account/control-tower/requirements-dev.txt"
@@ -50,8 +50,8 @@ jobs:
           python-version: '3.12'
 
       - name: Upgrade pip
-        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
-        run: pip install --upgrade 'pip>=26.0'
+        # Runner image ships pip 25.3; Upgrade to 26.1+ to include fix for CVE-2026-3219.
+        run: pip install --upgrade 'pip>=26.1'
 
       - name: Install dev dependencies
         run: "pip install -r backend/multi-account/control-tower/requirements-dev.txt"

backend/common-cdk/requirements.in

@@ -1,4 +1,4 @@
-aws-cdk-lib>=2.142.0
-aws-cdk-aws-lambda-python-alpha>=2.142.0a0
-constructs>=10.0.0,<11.0.0
-cdk-nag>=2.28.10, <3
+aws-cdk-lib>=2.250.0
+aws-cdk-aws-lambda-python-alpha>=2.250.0a0
+constructs>=10.6.0,<11.0.0
+cdk-nag>=2.37.55,<3

backend/compact-connect-ui-app/lambdas/nodejs/package.json

@@ -16,11 +16,11 @@
   "devDependencies": {
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
-    "esbuild": "0.28.0",
-    "eslint": "^9.13.0",
     "chai": "^4.1.2",
     "chai-match-pattern": "^1.1.0",
     "chalk": "^4.1.2",
+    "esbuild": "0.28.0",
+    "eslint": "10.2.1",
     "lambda-local": "^2.2.0",
     "mocha": "^11.7.5"
   },
@@ -32,6 +32,6 @@
     "zod": "^3.23.8"
   },
   "resolutions": {
-    "fast-xml-parser": "^5.5.7"
+    "fast-xml-parser": "5.7.0"
   }
 }