From 9b113007b30bc8409f73cb4cb091c4021abef914 Mon Sep 17 00:00:00 2001
From: epolon
Date: Tue, 23 May 2023 10:08:52 +0300
Subject: [PATCH 1/4] add notices
---
 data/notices.json | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/data/notices.json b/data/notices.json
index d7c4ebb..7da0bfd 100644
--- a/data/notices.json
+++ b/data/notices.json
@@ -207,6 +207,46 @@
 }
 ],
 "schemaVersion": "1"
+ },
+ {
+ "title": "(eks) eks overly permissive trust policies",
+ "issueNumber": 25674,
+ "overview": "The default MastersRole allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.",
+ "components": [
+ {
+ "name": "@aws-cdk/aws-eks.Cluster",
+ "version": ">=1.57.0 <1.62.0"
+ },
+ {
+ "name": "@aws-cdk/aws-eks.FargateCluster",
+ "version": ">=1.57.0 <1.62.0"
+ }
+ ],
+ "schemaVersion": "1"
+ },
+ {
+ "title": "(eks) eks overly permissive trust policies",
+ "issueNumber": 25674,
+ "overview": "Cluster CreationRole and default MastersRole allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.",
+ "components": [
+ {
+ "name": "@aws-cdk/aws-eks.Cluster",
+ "version": ">=1.62.0 <1.202.0"
+ },
+ {
+ "name": "@aws-cdk/aws-eks.FargateCluster",
+ "version": ">=1.62.0 <1.202.0"
+ },
+ {
+ "name": "aws-cdk-lib.aws_eks.Cluster",
+ "version": ">=2.0.0-rc.1 <2.80.0"
+ },
+ {
+ "name": "aws-cdk-lib.aws_eks.FargateCluster",
+ "version": ">=2.0.0-rc.1 <2.80.0"
+ }
+ ],
+ "schemaVersion": "1"
 }
 ]
 }
From d1c047ee20b964c0087d133709ad07733b8c26db Mon Sep 17 00:00:00 2001
From: epolon
Date: Tue, 23 May 2023 10:34:47 +0300
Subject: [PATCH 2/4] fix range used in tests
---
 test/schema.test.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/schema.test.ts b/test/schema.test.ts
index ff7d5ab..62b8c3b 100644
--- a/test/schema.test.ts
+++ b/test/schema.test.ts
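Review bot: In data/notices.json both added `overview` strings say what the trust policy permits but give the reader no action, and the second has an agreement slip (`CreationRole and default MastersRole allows ... to assume it`). Suggested text for the second entry: `"overview": "The Cluster CreationRole and the default MastersRole allow any identity in the account with the appropriate sts:AssumeRole permissions to assume them."` If the exclusive bounds `<1.202.0` and `<2.80.0` are the first fixed releases, which is inferred from the ranges and not stated in the patch, naming them in the overview would give users the remediation without opening issue 25674. The two entries share one title, so the overview is the only text telling a user on 1.57.0 through 1.61.x that only the MastersRole is affected there. The notices array starts above this hunk, so whether earlier entries carry remediation text is not visible.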
@@ -38,9 +38,10 @@ describe('Notices file is valid', () => {
 });
 
 test('v2 version ranges must be bounded at the bottom', () => {
+ const v2Range = '>=2.0.0-rc.1';
 for (const component of notice.components) {
 if (component.version === '1.*') { continue; } // Special range that we allow
- if (semver.intersects(component.version, '2') && !semver.subset(component.version, '2')) {
+ if (semver.intersects(component.version, v2Range) && !semver.subset(component.version, v2Range)) {
 throw new Error(`${component.version} should have an upper bound in v1 range, or a lower bound in v2 range (version should look like "^2.3.4 <2.5.6")`);
 }
 }
From 69c2b5e1e3d40d3a5afedeef59b129f08bbd242f Mon Sep 17 00:00:00 2001
From: Eli Polonsky
Date: Tue, 23 May 2023 12:03:06 +0300
Subject: [PATCH 3/4] Update test/schema.test.ts
Co-authored-by: Rico Hermans
---
 test/schema.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/schema.test.ts b/test/schema.test.ts
index 62b8c3b..ef1c056 100644
--- a/test/schema.test.ts
+++ b/test/schema.test.ts
@@ -38,7 +38,7 @@ describe('Notices file is valid', () => {
 });
 
 test('v2 version ranges must be bounded at the bottom', () => {
- const v2Range = '>=2.0.0-rc.1';
+ const v2Range = '>=2.0.0-rc.1 <3.0.0';
 for (const component of notice.components) {
 if (component.version === '1.*') { continue; } // Special range that we allow
 if (semver.intersects(component.version, v2Range) && !semver.subset(component.version, v2Range)) {
From 5aace92236dd2b7e3646bbaa8e6028aaf2d3d241 Mon Sep 17 00:00:00 2001
From: epolon
Date: Tue, 23 May 2023 12:36:00 +0300
Subject: [PATCH 4/4] consider prereleases in tests
---
 test/schema.test.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/schema.test.ts b/test/schema.test.ts
index ef1c056..335b95f 100644
--- a/test/schema.test.ts
+++ b/test/schema.test.ts
@@ -38,10 +38,10 @@ describe('Notices file is valid', () => {
 });
 
 test('v2 version ranges must be bounded at the bottom', () => {
- const v2Range = '>=2.0.0-rc.1 <3.0.0';
 for (const component of notice.components) {
 if (component.version === '1.*') { continue; } // Special range that we allow
- if (semver.intersects(component.version, v2Range) && !semver.subset(component.version, v2Range)) {
+ if (semver.intersects(component.version, '2', { includePrerelease: true })
+ && !semver.subset(component.version, '2', { includePrerelease: true })) {
 throw new Error(`${component.version} should have an upper bound in v1 range, or a lower bound in v2 range (version should look like "^2.3.4 <2.5.6")`);
 }
 }
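Review bot: Nothing in test/schema.test.ts records why `{ includePrerelease: true }` is passed to `semver.intersects` and `semver.subset`; the reason is only visible in patch 1/4, where data/notices.json gains the range `>=2.0.0-rc.1 <2.80.0`, which plain `'2'` appears not to contain. A comment above the `if` would keep a later cleanup from dropping the option: `// Notice ranges may start at a v2 prerelease (">=2.0.0-rc.1"); includePrerelease makes them count as inside v2.` The options literal is written twice, so `const semverOpts = { includePrerelease: true };` before the loop would keep the two calls in step. It is also worth confirming that whatever matches installed versions against these ranges applies the same option, since otherwise the test accepts a range under different semantics than the consumer uses; that code is not part of this patch. The test callback closes below the hunk.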