chore(release): 2.236.0 by aws-cdk-automation · Pull Request #36783 · aws/aws-cdk

aws-cdk-automation · 2026-01-23T08:46:46Z

In a recent change we changed the signature of `IAlarmAction`: ```ts export interface IAlarmAction { - bind(scope: Construct, alarm: IAlarm): AlarmActionConfig; + bind(scope: Construct, alarm: IAlarmRef): AlarmActionConfig; } ``` This breaks too many current implementors of this interface, so we are reverting the change. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Resolve noisy rules seen in #36600 ### Reason for this change The existing `CODEPIPELINE_CROSS_ACCOUNT_ROLE_TRUST_SCOPE` rule was too narrow - it only targeted CodePipeline-specific roles. However, the security concern of `:root` principals without restrictive conditions applies to **all IAM roles**, not just CodePipeline roles. Additionally, the rule accepted `ArnLike` and `StringLike` conditions which support wildcards and can be overly permissive (e.g., `"ArnLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/*" }` would bypass the check while still being insecure). ### Description of changes 1. **Deleted** `codepipeline/codepipeline-cross-account-role-trust-scope.guard` - Removed the narrow CodePipeline-specific rule 2. **Added** `iam/iam-role-root-principal-needs-conditions.guard` - New generalized rule that: - Applies to **all IAM roles** with `:root` principals (not just CodePipeline) - Requires **strict conditions** (`ArnEquals` or `StringEquals` only) - Rejects `ArnLike`/`StringLike` conditions as they allow wildcards - Handles both string and array principal formats - Includes comprehensive documentation with AWS reference links 3. **Updated** `iam/iam-role-no-broad-principals.guard`: - Removed `:root` principal check (now handled by the new dedicated rule) - Improved array handling to properly iterate and check only string items - Added clarifying comments about rule separation 4. **Updated** `README.md`: - Updated rule directory structure to reflect current state - Added `IAM_ROLE_ROOT_PRINCIPAL_NEEDS_CONDITIONS` to the rule list - Updated documentation about root principal handling 5. **Updated** `test/guard-rules.test.ts`: - Renamed test from CodePipeline-specific to IAM root principal test - Updated test to use the new generalized rule ### Describe any new or updated permissions being added No new IAM permissions are being added. This change only affects Security Guardian validation rules. ### Description of how you validated changes Validated by running the updated rules against resolved CloudFormation templates from integration tests The rules correctly detect IAM roles using `:root` principals without the required `ArnEquals` or `StringEquals` conditions. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.235.0/CHANGELOG.md)

…-needs-conditions.guard (#36705) ### Issue # (if applicable) ### Reason for this change The existing `guard-hooks` rule (`NO_ROOT_PRINCIPALS_EXCEPT_KMS_SECRETS`) was causing conflicts with the `IAM_ROLE_ROOT_PRINCIPAL_NEEDS_CONDITIONS` rule. The guard-hooks rule blocked ALL root principals, while the IAM role rule correctly allows root principals WITH strict conditions. Now that Security Guardian resolves CFN templates before validation, the guard-hooks rule is obsolete and should be refactored into a proper resource-policies rule that checks for conditions. ### Description of changes 1. **Deleted** `guard-hooks/guardhooks-no-root-principals-except-kms-secrets.guard` - obsolete rule 2. **Created** `resource-policies/resource-policy-root-principal-needs-conditions.guard` - new generic rule that: - Checks ALL resources (except KMS, Secrets Manager, Logs, IAM Role) for root principals in `PolicyDocument`, `Policy`, and `ResourcePolicy` properties - Requires `ArnEquals` or `StringEquals` conditions (no wildcards) - Includes AWS documentation links for each policy type confirming condition support 3. **Updated** `iam/iam-role-root-principal-needs-conditions.guard` - added documentation explaining why only `AssumeRolePolicyDocument` is checked (identity-based policies in `Policies` property don't have Principal element) 4. **Updated** tests and added test template for the new rule ### Describe any new or updated permissions being added N/A - This is a static analysis rule change, no IAM permissions affected. ### Description of how you validated changes - All 69 existing tests pass - Added new test case for `RESOURCE_POLICY_ROOT_PRINCIPAL_NEEDS_CONDITIONS` rule - Created test template `resource-policy-root-principal.template.json` with compliant and non-compliant resource policies ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…name when importing domain name via fromDomainNameAttributes (#36710) Fixes: #36708 ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue #36554 Closes #36554 This is my very first PR for aws-cdk. Any hints on what I could do better are greatly appreciated. I am not aware whether I would have to do something additionally to also have DeletionProtectionEnabled be available on the[ L1 resource CfnLogGroup](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.CfnLogGroup.html), but am happy to do so if instructed. ### Reason for this change aws-logs.LogGroup did not yet support the [DeletionProtectionEnabled](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-loggroup.html#aws-resource-logs-loggroup-properties) property. This PR adds it. ### Description of changes This is a standard change to support a boolean property that was added in CloudFormation. I added the property to the interface LogGroupProps, copying the description from the CloudFormation definition. I also extended the initialization of CfnLogGroup in the constructor. Finally, I created a unit test for the new property. ### Describe any new or updated permissions being added No further changes required. ### Description of how you validated changes Added a unit test which ran successfully. --- The following are unrelated to my change, but I wanted to have them mentioned in case it points to me setting up something wrongly in my local environment and introducing errors down the line. Following the commands in CONTRIBUTING.MD: The command `npx lerna run build --skip-nx-cache` had 16/17 targets succeed, with the one failing being: > aws-cdk/tools/@aws-cdk/spec2cdk/lib/cdk/typedefinition-struct.ts > 9:1 error `./cdk` import should occur before import of `./cloudformation-mapping` import/order Likewise, `yarn build` in the packages/aws-cdk-lib folder failed with messages like > /aws-cdk/packages/aws-cdk-lib/aws-eks/test/kubectl-provider.test.ts > 5:1 error `./util` import should occur before import of `../../assertions` import/order > > /aws-cdk/packages/aws-cdk-lib/aws-kinesisfirehose/lib/s3-bucket.ts > 7:1 error `./private/helpers` import should occur before import of `./record-format` import/order but `yarn test` completed successfully ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes #35986 Closes #35987 ### Reason for this change Add new built-in Linear and Canary deployment strategies for ECS services to enable progressive and controlled production deployments. Ref: [Amazon ECS now supports built-in Linear and Canary deployments ](https://aws.amazon.com/about-aws/whats-new/2025/10/amazon-ecs-built-in-linear-canary-deployments/) ### Description of changes - Add `CanaryConfiguration` and `LinearConfiguration` interfaces to `BaseServiceOptions` - Extend `DeploymentStrategy` enum with `LINEAR` and `CANARY` values ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::CapacityProvider │ └ types │ └[~] type InstanceLaunchTemplate │ └ properties │ └[+] FipsEnabled: boolean (immutable) └[~] service aws-rds └ resources └[~] resource AWS::RDS::DBInstance └ types └[~] type AdditionalStorageVolume └ - documentation: undefined + documentation: Contains details about an additional storage volume for a DB instance. RDS support additional storage volumes for RDS for Oracle and RDS for SQL Server. ```

### Issue # (if applicable) Closes #36715 ### Reason for this change Aurora PostgreSQL 14.20 is now available on Amazon RDS. ### Description of changes Add `AuroraPostgresEngineVersion.VER_14_20` to support Aurora PostgreSQL version 14.20. ### Describe any new or updated permissions being added ### Description of how you validated changes This is a simple addition of a new version constant following the existing pattern. No additional tests are required as the underlying `AuroraPostgresEngineVersion.of()` method is already tested. ``` aws rds describe-db-engine-versions --engine aurora-postgresql --engine-version 14 --query "DBEngineVersions[].EngineVersion" [ "14.6", "14.13", "14.15", "14.17", "14.18", "14.19", "14.20" ] ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

) Bumps the uv group with 2 updates in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-uv directory: [requests](https://github.com/psf/requests) and [urllib3](https://github.com/urllib3/urllib3). Updates `requests` from 2.32.3 to 2.32.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p> <blockquote> <h2>v2.32.4</h2> <h2>2.32.4 (2025-06-10)</h2> <p><strong>Security</strong></p> <ul> <li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Numerous documentation improvements</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li> <li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p> <blockquote> <h2>2.32.4 (2025-06-10)</h2> <p><strong>Security</strong></p> <ul> <li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Numerous documentation improvements</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Added support for pypy 3.11 for Linux and macOS.</li> <li>Dropped support for pypy 3.9 following its end of support.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li> <li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li> <li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li> <li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li> <li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li> <li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li> <li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li> <li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li> <li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li> <li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li> <li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.32.3...v2.32.4">compare view</a></li> </ul> </details> <br /> Updates `urllib3` from 2.3.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> <h2>2.6.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <ul> <li>Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>, 8.9 High, GHSA-2xpw-w6gg-jr37)</li> <li>Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the <code>Content-Encoding</code> header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by <a href="https://github.com/illia-v"><code>@illia-v</code></a>, 8.9 High, GHSA-gm62-xv2j-4w53)</li> </ul> <blockquote> <p>[!IMPORTANT]</p> <ul> <li>If urllib3 is not installed with the optional <code>urllib3[brotli]</code> extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using <code>urllib3[brotli]</code> to install a compatible Brotli package automatically.</li> </ul> </blockquote> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](urllib3/urllib3#3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](urllib3/urllib3#3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](urllib3/urllib3#3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](urllib3/urllib3#3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> <h1>2.6.0 (2025-12-05)</h1> <h2>Security</h2> <ul> <li>Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (<code>GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37></code>__)</li> <li>Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the <code>Content-Encoding</code> header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (<code>GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53></code>__)</li> </ul> <p>.. caution::</p> <ul> <li>If urllib3 is not installed with the optional <code>urllib3[brotli]</code> extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://redirect.github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://redirect.github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://redirect.github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://redirect.github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://redirect.github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.3.0...2.6.3">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.235.1/CHANGELOG.md)

…ce (#36696) This requires that `IBucket extends IBucketRef`, etc. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes #36291. ### Reason for this change The `useOptimalInstanceClasses` property was deprecated in v2.220 in favor of `defaultInstanceClasses`, but there is no way to exclude the `optimal` instance type using `defaultInstanceClasses` alone. Users who want to specify only custom instance types (e.g., R4 only) without `optimal` being automatically added have no non-deprecated path forward. Setting `defaultInstanceClasses: []` (empty array) does not prevent `optimal` from being added because the current logic treats an empty array the same as `undefined`. ### Description of changes - Removed `@deprecated` annotation from `useOptimalInstanceClasses` property - Updated README to remove the deprecation warning and reorganized the "Choosing Your Instance Types" section with: - Clear subsections for each use case (Default Instance Classes, Specific Instance Types Only, Optimal Instance Classes) - A configuration reference table for quick lookup - Example showing how to use `useOptimalInstanceClasses: false` to exclude `optimal` #### Alternatives considered Three options were discussed in #36291: 1. **Remove deprecation** (this PR) - Restores `useOptimalInstanceClasses` as a non-deprecated property 2. **Treat empty `defaultInstanceClasses: []` as "exclude all defaults"** - Would introduces implicit behavior 3. **Change default behavior** - Breaking change, not acceptable Option 1 was chosen because: - Minimal code change (documentation only) - No risk of breaking existing users - `useOptimalInstanceClasses` provides explicit, clear control that `defaultInstanceClasses` cannot fully replace ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Existing tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#36400) ### Issue # (if applicable) Closes #36361. ### Reason for this change When importing a schedule using `Schedule.fromScheduleArn()`, the `scheduleName` property returns `undefined` instead of the actual schedule name. ### Description of changes Fixed the ARN parsing logic in `Schedule.fromScheduleArn()` to correctly extract the schedule name from the resource path. AWS Scheduler ARNs have the format `arn:aws:scheduler:region:account:schedule/GROUP/NAME`, and the previous implementation only captured the group name. ### Describe any new or updated permissions being added No new or updated permissions. ### Description of how you validated changes Added unit tests to verify correct parsing and error handling. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…updates (#36673) Bumps the npm_and_yarn group with 1 update in the / directory: [esbuild](https://github.com/evanw/esbuild). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.027f028f56ccd09ca70c404bb25cae814956ca2956efb3bfd3d516f96b8b1e48 directory: [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/sdk-call-integ-test-docker-app/app directory: [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-route53-targets/test/integ.elastic-beanstalk-environment-target-assets directory: [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-route53-targets/test/integ.elastic-beanstalk-environment-target.js.snapshot/asset.c5adcffb96a3522eb8a42f7d9a02a401482046a2930e2b086ecf0e8666a24579.elastic-beanstalk-environment-target-assets directory: [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 1 update in the /tools/@aws-cdk/construct-metadata-updater directory: [esbuild](https://github.com/evanw/esbuild). Bumps the npm_and_yarn group with 1 update in the /tools/@aws-cdk/enum-updater directory: [js-yaml](https://github.com/nodeca/js-yaml). Bumps the npm_and_yarn group with 1 update in the /tools/@aws-cdk/security-guardian directory: [js-yaml](https://github.com/nodeca/js-yaml). Updates `esbuild` from 0.24.2 to 0.25.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/releases">esbuild's releases</a>.</em></p> <blockquote> <h2>v0.25.0</h2> <p><strong>This release deliberately contains backwards-incompatible changes.</strong> To avoid automatically picking up releases like this, you should either be pinning the exact version of <code>esbuild</code> in your <code>package.json</code> file (recommended) or be using a version range syntax that only accepts patch upgrades such as <code>^0.24.0</code> or <code>~0.24.0</code>. See npm's documentation about <a href="https://docs.npmjs.com/cli/v6/using-npm/semver/">semver</a> for more information.</p> <ul> <li> <p>Restrict access to esbuild's development server (<a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">GHSA-67mh-4wv8-2f99</a>)</p> <p>This change addresses esbuild's first security vulnerability report. Previously esbuild set the <code>Access-Control-Allow-Origin</code> header to <code>*</code> to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in <a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">the report</a>.</p> <p>Starting with this release, <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">CORS</a> will now be disabled, and requests will now be denied if the host does not match the one provided to <code>--serve=</code>. The default host is <code>0.0.0.0</code>, which refers to all of the IP addresses that represent the local machine (e.g. both <code>127.0.0.1</code> and <code>192.168.0.1</code>). If you want to customize anything about esbuild's development server, you can <a href="https://esbuild.github.io/api/#serve-proxy">put a proxy in front of esbuild</a> and modify the incoming and/or outgoing requests.</p> <p>In addition, the <code>serve()</code> API call has been changed to return an array of <code>hosts</code> instead of a single <code>host</code> string. This makes it possible to determine all of the hosts that esbuild's development server will accept.</p> <p>Thanks to <a href="https://github.com/sapphi-red"><code>@sapphi-red</code></a> for reporting this issue.</p> </li> <li> <p>Delete output files when a build fails in watch mode (<a href="https://redirect.github.com/evanw/esbuild/issues/3643">#3643</a>)</p> <p>It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.</p> </li> <li> <p>Fix correctness issues with the CSS nesting transform (<a href="https://redirect.github.com/evanw/esbuild/issues/3620">#3620</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3877">#3877</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3933">#3933</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3997">#3997</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/4005">#4005</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4037">#4037</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4038">#4038</a>)</p> <p>This release fixes the following problems:</p> <ul> <li> <p>Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using <code>:is()</code> to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.</p> <pre lang="css"><code>/* Original code */ .parent { > .a, > .b1 > .b2 { color: red; } } <p>/* Old output (with --supported:nesting=false) */<br /> .parent > :is(.a, .b1 > .b2) {<br /> color: red;<br /> }</p> <p>/* New output (with --supported:nesting=false) */<br /> .parent > .a,<br /> .parent > .b1 > .b2 {<br /> color: red;<br /> }<br /> </code></pre></p> <p>Thanks to <a href="https://github.com/tim-we"><code>@tim-we</code></a> for working on a fix.</p> </li> <li> <p>The <code>&</code> CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered <code>&&</code> to have the same specificity as <code>&</code>. With this release, this should now work correctly:</p> <pre lang="css"><code>/* Original code (color should be red) */ </code></pre> </li> </ul> </li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md">esbuild's changelog</a>.</em></p> <blockquote> <h1>Changelog: 2024</h1> <p>This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evanw/esbuild/commit/e9174d671b1882758cd32ac5e146200f5bee3e45"><code>e9174d6</code></a> publish 0.25.0 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/c27dbebb9e7a55dd9a084dd151dddd840787490e"><code>c27dbeb</code></a> fix <code>hosts</code> in <code>plugin-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/6794f602a453cf0255bcae245871de120a89a559"><code>6794f60</code></a> fix <code>hosts</code> in <code>node-unref-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d"><code>de85afd</code></a> Merge commit from fork</li> <li><a href="https://github.com/evanw/esbuild/commit/da1de1bf77a65f06654b49878d9ec4747ddaa21f"><code>da1de1b</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4065">#4065</a>: bitwise operators can return bigints</li> <li><a href="https://github.com/evanw/esbuild/commit/f4e9d19fb20095a98bf40634f0380f6a16be91e7"><code>f4e9d19</code></a> switch case liveness: <code>default</code> is always last</li> <li><a href="https://github.com/evanw/esbuild/commit/7aa47c3e778ea04849f97f18dd9959df88fa0886"><code>7aa47c3</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4028">#4028</a>: minify live/dead <code>switch</code> cases better</li> <li><a href="https://github.com/evanw/esbuild/commit/22ecd306190b8971ec4474b5485266c20350e266"><code>22ecd30</code></a> minify: more constant folding for strict equality</li> <li><a href="https://github.com/evanw/esbuild/commit/4cdf03c03697128044fa8fb76e5c478e9765b353"><code>4cdf03c</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4053">#4053</a>: reordering of <code>.tsx</code> in <code>node_modules</code></li> <li><a href="https://github.com/evanw/esbuild/commit/dc719775b7140120916bd9e6777ca1cb8a1cdc0e"><code>dc71977</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/3692">#3692</a>: <code>0</code> now picks a random ephemeral port</li> <li>Additional commits viewable in <a href="https://github.com/evanw/esbuild/compare/v0.24.2...v0.25.0">compare view</a></li> </ul> </details> <br /> Updates `@smithy/config-resolver` from 3.0.5 to 3.0.13 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md"><code>@smithy/config-resolver</code>'s changelog</a>.</em></p> <blockquote> <h2>3.0.13</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [b52b4e8] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.7.2</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.12</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.11</li> </ul> </li> </ul> <h2>3.0.12</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [fcd5ca8] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.7.1</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.11</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.10</li> </ul> </li> </ul> <h2>3.0.11</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [cd1929b] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.7.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.10</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.9</li> </ul> </li> </ul> <h2>3.0.10</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [84bec05] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.6.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.9</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.8</li> </ul> </li> </ul> <h2>3.0.9</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [a4c1285] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.5.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.8</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.7</li> </ul> </li> </ul> <h2>3.0.8</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [e7b438b]</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/50d8c5457e7feea41169a37fb2fdb1e448f82e9e"><code>50d8c54</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/7877c9e3681a9b5aa6e16d15ce8bce8fda0477ea"><code>7877c9e</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/012775ca4d9f3c9c3b0067fafefeda5be421d404"><code>012775c</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/cd1929bb6e1eefe5430804d90714f1e60cd438d5"><code>cd1929b</code></a> test: convert tests to vitest (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1440">#1440</a>)</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/5de4524d147db44e627dadf222238552d6ff613d"><code>5de4524</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/80515513f9b4ff3e6140d335a8edfb2126b8c352"><code>8051551</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/b12dc1de610c91d3daab39315a62b04826a93439"><code>b12dc1d</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/b2be4f32e45432da17b0dcbc777a11855a53a13f"><code>b2be4f3</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/f95b9c3eeda338ff4e69c90e786b852657ceb199"><code>f95b9c3</code></a> Version NPM packages</li> <li>See full diff in <a href="https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@3.0.13/packages/config-resolver">compare view</a></li> </ul> </details> <br /> Updates `@smithy/config-resolver` from 3.0.5 to 3.0.13 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md"><code>@smithy/config-resolver</code>'s changelog</a>.</em></p> <blockquote> <h2>3.0.13</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [b52b4e8] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.7.2</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.12</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.11</li> </ul> </li> </ul> <h2>3.0.12</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [fcd5ca8] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.7.1</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.11</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.10</li> </ul> </li> </ul> <h2>3.0.11</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [cd1929b] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.7.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.10</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.9</li> </ul> </li> </ul> <h2>3.0.10</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [84bec05] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.6.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.9</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.8</li> </ul> </li> </ul> <h2>3.0.9</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [a4c1285] <ul> <li><code>@smithy/types</code><a href="https://github.com/3"><code>@3</code></a>.5.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/3"><code>@3</code></a>.1.8</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/3"><code>@3</code></a>.0.7</li> </ul> </li> </ul> <h2>3.0.8</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [e7b438b]</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/50d8c5457e7feea41169a37fb2fdb1e448f82e9e"><code>50d8c54</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/7877c9e3681a9b5aa6e16d15ce8bce8fda0477ea"><code>7877c9e</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/012775ca4d9f3c9c3b0067fafefeda5be421d404"><code>012775c</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/cd1929bb6e1eefe5430804d90714f1e60cd438d5"><code>cd1929b</code></a> test: convert tests to vitest (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1440">#1440</a>)</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/5de4524d147db44e627dadf222238552d6ff613d"><code>5de4524</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/80515513f9b4ff3e6140d335a8edfb2126b8c352"><code>8051551</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/b12dc1de610c91d3daab39315a62b04826a93439"><code>b12dc1d</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/b2be4f32e45432da17b0dcbc777a11855a53a13f"><code>b2be4f3</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/f95b9c3eeda338ff4e69c90e786b852657ceb199"><code>f95b9c3</code></a> Version NPM packages</li> <li>See full diff in <a href="https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@3.0.13/packages/config-resolver">compare view</a></li> </ul> </details> <br /> Updates `qs` from 6.13.0 to 6.14.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.1</strong></h2> <ul> <li>[Fix] ensure arrayLength applies to <code>[]</code> notation as well</li> <li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li> <li>[Refactor] <code>parse</code>: extract key segment splitting helper</li> <li>[meta] add threat model</li> <li>[actions] add workflow permissions</li> <li>[Tests] <code>stringify</code>: increase coverage</li> <li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li> </ul> <h2><strong>6.14.0</strong></h2> <ul> <li>[New] <code>parse</code>: add <code>throwOnParameterLimitExceeded</code> option (<a href="https://redirect.github.com/ljharb/qs/issues/517">#517</a>)</li> <li>[Refactor] <code>parse</code>: use <code>utils.combine</code> more</li> <li>[patch] <code>parse</code>: add explicit <code>throwOnLimitExceeded</code> default</li> <li>[actions] use shared action; re-add finishers</li> <li>[meta] Fix changelog formatting bug</li> <li>[Deps] update <code>side-channel</code></li> <li>[Dev Deps] update <code>es-value-fixtures</code>, <code>has-bigints</code>, <code>has-proto</code>, <code>has-symbols</code></li> <li>[Tests] increase coverage</li> </ul> <h2><strong>6.13.1</strong></h2> <ul> <li>[Fix] <code>stringify</code>: avoid a crash when a <code>filter</code> key is <code>null</code></li> <li>[Fix] <code>utils.merge</code>: functions should not be stringified into keys</li> <li>[Fix] <code>parse</code>: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset</li> <li>[Fix] <code>stringify</code>: ensure a non-string <code>filter</code> does not crash</li> <li>[Refactor] use <code>__proto__</code> syntax instead of <code>Object.create</code> for null objects</li> <li>[Refactor] misc cleanup</li> <li>[Tests] <code>utils.merge</code>: add some coverage</li> <li>[Tests] fix a test case</li> <li>[actions] split out node 10-20, and 20+</li> <li>[Dev Deps] update <code>es-value-fixtures</code>, <code>mock-property</code>, <code>object-inspect</code>, <code>tape</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/3fa11a5f643c76896387bd2d86904a2d0141fdf7"><code>3fa11a5</code></a> v6.14.1</li> <li><a href="https://github.com/ljharb/qs/commit/a62670423c1ccab0dd83c621bfb98c7c024e314d"><code>a626704</code></a> [Dev Deps] update <code>npmignore</code></li> <li><a href="https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"><code>3086902</code></a> [Fix] ensure arrayLength applies to <code>[]</code> notation as well</li> <li><a href="https://github.com/ljharb/qs/commit/fc7930e86c2264c1568c9f5606830e19b0bc2af2"><code>fc7930e</code></a> [Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/0b06aac566abee45ef0327667a7cc89e7aed8b58"><code>0b06aac</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/64951f6200a1fb72cc003c6e8226dde3d2ef591f"><code>64951f6</code></a> [Refactor] <code>parse</code>: extract key segment splitting helper</li> <li><a href="https://github.com/ljharb/qs/commit/e1bd2599cdff4c936ea52fb1f16f921cbe7aa88c"><code>e1bd259</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/f4b3d39709fef6ddbd85128d1ba4c6b566c4902e"><code>f4b3d39</code></a> [eslint] add eslint 9 optional peer dep</li> <li><a href="https://github.com/ljharb/qs/commit/6e94d9596ca50dffafcef40a5f64eca89962cf34"><code>6e94d95</code></a> [Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code></li> <li><a href="https://github.com/ljharb/qs/commit/973dc3c51c86da9f4e30edeb4b1725158d439102"><code>973dc3c</code></a> [actions] add workflow permissions</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.13.0...v6.14.1">compare view</a></li> </ul> </details> <br /> Updates `qs` from 6.13.0 to 6.14.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.1</strong></h2> <ul> <li>[Fix] ensure arrayLength applies to <code>[]</code> notation as well</li> <li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li> <li>[Refactor] <code>parse</code>: extract key segment splitting helper</li> <li>[meta] add threat model</li> <li>[actions] add workflow permissions</li> <li>[Tests] <code>stringify</code>: increase coverage</li> <li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li> </ul> <h2><strong>6.14.0</strong></h2> <ul> <li>[New] <code>parse</code>: add <code>throwOnParameterLimitExceeded</code> option (<a href="https://redirect.github.com/ljharb/qs/issues/517">#517</a>)</li> <li>[Refactor] <code>parse</code>: use <code>utils.combine</code> more</li> <li>[patch] <code>parse</code>: add explicit <code>throwOnLimitExceeded</code> default</li> <li>[actions] use shared action; re-add finishers</li> <li>[meta] Fix changelog formatting bug</li> <li>[Deps] update <code>side-channel</code></li> <li>[Dev Deps] update <code>es-value-fixtures</code>, <code>has-bigints</code>, <code>has-proto</code>, <code>has-symbols</code></li> <li>[Tests] increase coverage</li> </ul> <h2><strong>6.13.1</strong></h2> <ul> <li>[Fix] <code>stringify</code>: avoid a crash when a <code>filter</code> key is <code>null</code></li> <li>[Fix] <code>utils.merge</code>: functions should not be stringified into keys</li> <li>[Fix] <code>parse</code>: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset</li> <li>[Fix] <code>stringify</code>: ensure a non-string <code>filter</code> does not crash</li> <li>[Refactor] use <code>__proto__</code> syntax instead of <code>Object.create</code> for null objects</li> <li>[Refactor] misc cleanup</li> <li>[Tests] <code>utils.merge</code>: add some coverage</li> <li>[Tests] fix a test case</li> <li>[actions] split out node 10-20, and 20+</li> <li>[Dev Deps] update <code>es-value-fixtures</code>, <code>mock-property</code>, <code>object-inspect</code>, <code>tape</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/3fa11a5f643c76896387bd2d86904a2d0141fdf7"><code>3fa11a5</code></a> v6.14.1</li> <li><a href="https://github.com/ljharb/qs/commit/a62670423c1ccab0dd83c621bfb98c7c024e314d"><code>a626704</code></a> [Dev Deps] update <code>npmignore</code></li> <li><a href="https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"><code>3086902</code></a> [Fix] ensure arrayLength applies to <code>[]</code> notation as well</li> <li><a href="https://github.com/ljharb/qs/commit/fc7930e86c2264c1568c9f5606830e19b0bc2af2"><code>fc7930e</code></a> [Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/0b06aac566abee45ef0327667a7cc89e7aed8b58"><code>0b06aac</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/64951f6200a1fb72cc003c6e8226dde3d2ef591f"><code>64951f6</code></a> [Refactor] <code>parse</code>: extract key segment splitting helper</li> <li><a href="https://github.com/ljharb/qs/commit/e1bd2599cdff4c936ea52fb1f16f921cbe7aa88c"><code>e1bd259</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/f4b3d39709fef6ddbd85128d1ba4c6b566c4902e"><code>f4b3d39</code></a> [eslint] add eslint 9 optional peer dep</li> <li><a href="https://github.com/ljharb/qs/commit/6e94d9596ca50dffafcef40a5f64eca89962cf34"><code>6e94d95</code></a> [Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code></li> <li><a href="https://github.com/ljharb/qs/commit/973dc3c51c86da9f4e30edeb4b1725158d439102"><code>973dc3c</code></a> [actions] add workflow permissions</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.13.0...v6.14.1">compare view</a></li> </ul> </details> <br /> Updates `esbuild` from 0.24.2 to 0.25.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/releases">esbuild's releases</a>.</em></p> <blockquote> <h2>v0.25.0</h2> <p><strong>This release deliberately contains backwards-incompatible changes.</strong> To avoid automatically picking up releases like this, you should either be pinning the exact version of <code>esbuild</code> in your <code>package.json</code> file (recommended) or be using a version range syntax that only accepts patch upgrades such as <code>^0.24.0</code> or <code>~0.24.0</code>. See npm's documentation about <a href="https://docs.npmjs.com/cli/v6/using-npm/semver/">semver</a> for more information.</p> <ul> <li> <p>Restrict access to esbuild's development server (<a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">GHSA-67mh-4wv8-2f99</a>)</p> <p>This change addresses esbuild's first security vulnerability report. Previously esbuild set the <code>Access-Control-Allow-Origin</code> header to <code>*</code> to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in <a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">the report</a>.</p> <p>Starting with this release, <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">CORS</a> will now be disabled, and requests will now be denied if the host does not match the one provided to <code>--serve=</code>. The default host is <code>0.0.0.0</code>, which refers to all of the IP addresses that represent the local machine (e.g. both <code>127.0.0.1</code> and <code>192.168.0.1</code>). If you want to customize anything about esbuild's development server, you can <a href="https://esbuild.github.io/api/#serve-proxy">put a proxy in front of esbuild</a> and modify the incoming and/or outgoing requests.</p> <p>In addition, the <code>serve()</code> API call has been changed to return an array of <code>hosts</code> instead of a single <code>host</code> string. This makes it possible to determine all of the hosts that esbuild's development server will accept.</p> <p>Thanks to <a href="https://github.com/sapphi-red"><code>@sapphi-red</code></a> for reporting this issue.</p> </li> <li> <p>Delete output files when a build fails in watch mode (<a href="https://redirect.github.com/evanw/esbuild/issues/3643">#3643</a>)</p> <p>It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.</p> </li> <li> <p>Fix correctness issues with the CSS nesting transform (<a href="https://redirect.github.com/evanw/esbuild/issues/3620">#3620</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3877">#3877</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3933">#3933</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3997">#3997</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/4005">#4005</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4037">#4037</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4038">#4038</a>)</p> <p>This release fixes the following problems:</p> <ul> <li> <p>Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using <code>:is()</code> to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.</p> <pre lang="css"><code>/* Original code */ .parent { > .a, > .b1 > .b2 { color: red; } } <p>/* Old output (with --supported:nesting=false) */<br /> .parent > :is(.a, .b1 > .b2) {<br /> color: red;<br /> }</p> <p>/* New output (with --supported:nesting=false) */<br /> .parent > .a,<br /> .parent > .b1 > .b2 {<br /> color: red;<br /> }<br /> </code></pre></p> <p>Thanks to <a href="https://github.com/tim-we"><code>@tim-we</code></a> for working on a fix.</p> </li> <li> <p>The <code>&</code> CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered <code>&&</code> to have the same specificity as <code>&</code>. With this release, this should now work correctly:</p> <pre lang="css"><code>/* Original code (color should be red) */ </code></pre> </li> </ul> </li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md">esbuild's changelog</a>.</em></p> <blockquote> <h1>Changelog: 2024</h1> <p>This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evanw/esbuild/commit/e9174d671b1882758cd32ac5e146200f5bee3e45"><code>e9174d6</code></a> publish 0.25.0 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/c27dbebb9e7a55dd9a084dd151dddd840787490e"><code>c27dbeb</code></a> fix <code>hosts</code> in <code>plugin-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/6794f602a453cf0255bcae245871de120a89a559"><code>6794f60</code></a> fix <code>hosts</code> in <code>node-unref-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d"><code>de85afd</code></a> Merge commit from fork</li> <li><a href="https://github.com/evanw/esbuild/commit/da1de1bf77a65f06654b49878d9ec4747ddaa21f"><code>da1de1b</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4065">#4065</a>: bitwise operators can return bigints</li> <li><a href="https://github.com/evanw/esbuild/commit/f4e9d19fb20095a98bf40634f0380f6a16be91e7"><code>f4e9d19</code></a> switch case liveness: <code>default</code> is always last</li> <li><a href="https://github.com/evanw/esbuild/commit/7aa47c3e778ea04849f97f18dd9959df88fa0886"><code>7aa47c3</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4028">#4028</a>: minify live/dead <code>switch</code> cases better</li> <li><a href="https://github.com/evanw/esbuild/commit/22ecd306190b8971ec4474b5485266c20350e266"><code>22ecd30</code></a> minify: more constant folding for strict equality</li> <li><a href="https://github.com/evanw/esbuild/commit/4cdf03c03697128044fa8fb76e5c478e9765b353"><code>4cdf03c</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4053">#4053</a>: reordering of <code>.tsx</code> in <code>node_modules</code></li> <li><a href="https://github.com/evanw/esbuild/commit/dc719775b7140120916bd9e6777ca1cb8a1cdc0e"><code>dc71977</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/3692">#3692</a>: <code>0</code> now picks a random ephemeral port</li> <li>Additional commits viewable in <a href="https://github.com/evanw/esbuild/compare/v0.24.2...v0.25.0">compare view</a></li> </ul> </details> <br /> Updates `js-yaml` from 3.14.1 to 3.14.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[3.14.2] - 2025-11-15</h2> <h3>Security</h3> <ul> <li>Backported v4.1.1 fix to v3</li> </ul> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (<<) operator.</li> </ul> <h2>[4.1.0] - 2021-04-15</h2> <h3>Added</h3> <ul> <li>Types are now exported as <code>yaml.types.XXX</code>.</li> <li>Every type now has <code>options</code> property with original arguments kept as they were (see <code>yaml.types.int.options</code> as an example).</li> </ul> <h3>Changed</h3> <ul> <li><code>Schema.extend()</code> now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as <code>abcd</code> instead of <code>cbad</code>).</li> </ul> <h2>[4.0.0] - 2021-01-03</h2> <h3>Changed</h3> <ul> <li>Check <a href="https://github.com/nodeca/js-yaml/blob/master/migrate_v3_to_v4.md">migration guide</a> to see details for all breaking changes.</li> <li>Breaking: "unsafe" tags <code>!!js/function</code>, <code>!!js/regexp</code>, <code>!!js/undefined</code> are moved to <a href="https://github.com/nodeca/js-yaml-js-types">js-yaml-js-types</a> package.</li> <li>Breaking: removed <code>safe*</code> functions. Use <code>load</code>, <code>loadAll</code>, <code>dump</code> instead which are all now safe by default.</li> <li><code>yaml.DEFAULT_SAFE_SCHEMA</code> and <code>yaml.DEFAULT_FULL_SCHEMA</code> are removed, use <code>yaml.DEFAULT_SCHEMA</code> instead.</li> <li><code>yaml.Schema.create(schema, tags)</code> is removed, use <code>schema.extend(tags)</code> instead.</li> <li><code>!!binary</code> now always mapped to <code>Uint8Array</code> on load.</li> <li>Reduced nesting of <code>/lib</code> folder.</li> <li>Parse numbers according to YAML 1.2 instead of YAML 1.1 (<code>01234</code> is now decimal, <code>0o1234</code> is octal, <code>1:23</code> is parsed as string instead of base60).</li> <li><code>dump()</code> no longer quotes <code>:</code>, <code>[</code>, <code>]</code>, <code>(</code>, <code>)</code> except when necessary, <a href="https://redirect.github.com/nodeca/js-yaml/issues/470">#470</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/557">#557</a>.</li> <li>Line and column in exceptions are now formatted as <code>(X:Y)</code> instead of <code>at line X, column Y</code> (also present in compact format), <a href="https://redirect.github.com/nodeca/js-yaml/issues/332">#332</a>.</li> <li>Code snippet created in exceptions now contains multiple lines with line numbers.</li> <li><code>dump()</code> now serializes <code>undefined</code> as <code>null</code> in collections and removes keys with <code>undefined</code> in mappings, <a href="https://redirect.github.com/nodeca/js-yaml/issues/571">#571</a>.</li> <li><code>dump()</code> with <code>skipInvalid=true</code> now serializes invalid items in collections as null.</li> <li>Custom tags starting with <code>!</code> are now dumped as <code>!tag</code> instead of <code>!<!tag></code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/576">#576</a>.</li> <li>Custom tags starting with <code>tag:yaml.org,2002:</code> are now shorthanded using <code>!!</code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/258">#258</a>.</li> </ul> <h3>Added</h3> <ul> <li>Added <code>.mjs</code> (es modules) support.</li> <li>Added <code>quotingType</code> and <code>forceQuotes</code> options for dumper to configure string literal style, <a href="https://redirect.github.com/nodeca/js-yaml/issues/290">#290</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/529">#529</a>.</li> <li>Added <code>styles: { '!!null': 'empty' }</code> option for dumper (serializes <code>{ foo: null }</code> as "<code>foo: </code>"), <a href="https://redirect.github.com/nodeca/js-yaml/issues/570">#570</a>.</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/9963d366dfbde0c69722452bcd40b41e7e4160a0"><code>9963d36</code></a> 3.14.2 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/10d3c8e70a6888543f5cdb656bb39f73e0ea77c1"><code>10d3c8e</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"><code>5278870</code></a> fix prototype pollution in merge (<<) (<a href="https://redirect.github.com/nodeca/js-yaml/issues/731">#731</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2">compare view</a></li> </ul> </details> <br /> Updates `js-yaml` from 3.14.1 to 3.14.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[3.14.2] - 2025-11-15</h2> <h3>Security</h3> <ul> <li>Backported v4.1.1 fix to v3</li> </ul> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (<<) operator.</li> </ul> <h2>[4.1.0] - 2021-04-15</h2> <h3>Added</h3> <ul> <li>Types are now exported as <code>yaml.types.XXX</code>.</li> <li>Every type now has <code>options</code> property with original arguments kept as they were (see <code>yaml.types.int.options</code> as an example).</li> </ul> <h3>Changed</h3> <ul> <li><code>Schema.extend()</code> now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as <code>abcd</code> instead of <code>cbad</code>).</li> </ul> <h2>[4.0.0] - 2021-01-03</h2> <h3>Changed</h3> <ul> <li>Check <a href="https://github.com/nodeca/js-yaml/blob/master/migrate_v3_to_v4.md">migration guide</a> to see details for all breaking changes.</li> <li>Breaking: "unsafe" tags <code>!!js/function</code>, <code>!!js/regexp</code>, <code>!!js/undefined</code> are moved to <a href="https://github.com/nodeca/js-yaml-js-types">js-yaml-js-types</a> package.</li> <li>Breaking: removed <code>safe*</code> functions. Use <code>load</code>, <code>loadAll</code>, <code>dump</code> instead which are all now safe by default.</li> <li><code>yaml.DEFAULT_SAFE_SCHEMA</code> and <code>yaml.DEFAULT_FULL_SCHEMA</code> are removed, use <code>yaml.DEFAULT_SCHEMA</code> instead.</li> <li><code>yaml.Schema.create(schema, tags)</code> is removed, use <code>schema.extend(tags)</code> instead.</li> <li><code>!!binary</code> now always mapped to <code>Uint8Array</code> on load.</li> <li>Reduced nesting of <code>/lib</code> folder.</li> <li>Parse numbers according to YAML 1.2 instead of YAML 1.1 (<code>01234</code> is now decimal, <code>0o1234</code> is octal, <code>1:23</code> is parsed as string instead of base60).</li> <li><code>dump()</code> no longer quotes <code>:</code>, <code>[</code>, <code>]</code>, <code>(</code>, <code>)</code> except when necessary, <a href="https://redirect.github.com/nodeca/js-yaml/issues/470">#470</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/557">#557</a>.</li> <li>Line and column in exceptions are now formatted as <code>(X:Y)</code> instead of <code>at line X, column Y</code> (also present in compact format), <a href="https://redirect.github.com/nodeca/js-yaml/issues/332">#332</a>.</li> <li>Code snippet created in exceptions now contains multiple lines with line numbers.</li> <li><code>dump()</code> now serializes <code>undefined</code> as <code>null</code> in collections and removes keys with <code>undefined</code> in mappings, <a href="https://redirect.github.com/nodeca/js-yaml/issues/571">#571</a>.</li> <li><code>dump()</code> with <code>skipInvalid=true</code> now serializes invalid items in collections as null.</li> <li>Custom tags starting with <code>!</code> are now dumped as <code>!tag</code> instead of <code>!<!tag></code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/576">#576</a>.</li> <li>Custom tags starting with <code>tag:yaml.org,2002:</code> are now shorthanded using <code>!!</code>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/258">#258</a>.</li> </ul> <h3>Added</h3> <ul> <li>Added <code>.mjs</code> (es modules) support.</li> <li>Added <code>quotingType</code> and <code>forceQuotes</code> options for dumper to configure string literal style, <a href="https://redirect.github.com/nodeca/js-yaml/issues/290">#290</a>, <a href="https://redirect.github.com/nodeca/js-yaml/issues/529">#529</a>.</li> <li>Added <code>styles: { '!!null': 'empty' }</code> option for dumper (serializes <code>{ foo: null }</code> as "<code>foo: </code>"), <a href="https://redirect.github.com/nodeca/js-yaml/issues/570">#570</a>.</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/9963d366dfbde0c69722452bcd40b41e7e4160a0"><code>9963d36</code></a> 3.14.2 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/10d3c8e70a6888543f5cdb656bb39f73e0ea77c1"><code>10d3c8e</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"><code>5278870</code></a> fix prototype pollution in merge (<<) (<a href="https://redirect.github.com/nodeca/js-yaml/issues/731">#731</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

@Abogical

…#36699) If a PR had a new merge commit from main before it was about merged to main, the integration test deployment workflow was triggered and waited for user input to start the workflow. This blocked merge queues unnecessarily. This PR disables this conditions only if the PR is in the merge queue. Note that by default `merge_conditions` is the same as `queue_conditions` if its not specified. We specify them in this PR without the integ test workflow check, so it would be skipped during merge check. This change has been made by @Abogical from the Mergify config editor.

This reverts commit 77baea1. ### Reason for this change The recent ci change is not compatible with branch protection settings of this repository. See https://github.com/aws/aws-cdk/pull/36588/checks?check_run_id=60891387085 ### Description of changes Reverts change. ### Describe any new or updated permissions being added No permissions added. ### Description of how you validated changes N/A ### Checklist - [s] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…updates (#36738) Bumps the npm_and_yarn group with 1 update in the / directory: [diff](https://github.com/kpdecker/jsdiff). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.027f028f56ccd09ca70c404bb25cae814956ca2956efb3bfd3d516f96b8b1e48 directory: [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/sdk-call-integ-test-docker-app/app directory: [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver). Updates `diff` from 8.0.2 to 8.0.3 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kpdecker/jsdiff/blob/master/release-notes.md">diff's changelog</a>.</em></p> <blockquote> <h2>8.0.3</h2> <ul> <li><a href="https://redirect.github.com/kpdecker/jsdiff/pull/631">#631</a> - <strong>fix support for using an <code>Intl.Segmenter</code> with <code>diffWords</code></strong>. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).</li> <li><a href="https://redirect.github.com/kpdecker/jsdiff/pull/635">#635</a> - <strong>small tweaks to tokenization behaviour of <code>diffWords</code></strong> when used <em>without</em> an <code>Intl.Segmenter</code>. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (<code>×</code> and <code>÷</code>) are now treated as punctuation instead of as letters / word characters.</li> <li><a href="https://redirect.github.com/kpdecker/jsdiff/pull/641">#641</a> - <strong>the format of file headers in <code>createPatch</code> etc. patches can now be customised somewhat</strong>. It now takes a <code>headerOptions</code> option that can be used to disable the file headers entirely, or omit the <code>Index:</code> line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with <code>headerOptions: FILE_HEADERS_ONLY</code>.</li> <li><a href="https://redirect.github.com/kpdecker/jsdiff/pull/647">#647</a> and <a href="https://redirect.github.com/kpdecker/jsdiff/pull/649">#649</a> - <strong>fix denial-of-service vulnerabilities in <code>parsePatch</code> whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process</strong>. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, <code>parsePatch</code> should reliably take linear time. (Handling of headers that include the line break characters <code>\r</code>, <code>\u2028</code>, or <code>\u2029</code> in non-trailing positions is also now more reasonable as side effect of the fix.)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/kpdecker/jsdiff/commit/13576bfbcc444ce48f71cfd1e08529bd13962411"><code>13576bf</code></a> 8.0.3 release (<a href="https://redirect.github.com/kpdecker/jsdiff/issues/652">#652</a>)</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/1179ccb0d31f497449e998a6e67b1b9220565764"><code>1179ccb</code></a> Ignore .zed (<a href="https://redirect.github.com/kpdecker/jsdiff/issues/651">#651</a>)</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/949d6e2a44622b15b5a5be3ffcf196869c5a6b4c"><code>949d6e2</code></a> Add test for the vuln I just fixed (<a href="https://redirect.github.com/kpdecker/jsdiff/issues/650">#650</a>)</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5"><code>15a1585</code></a> Fix the second denial-of-service vulnerability in parsePatch (<a href="https://redirect.github.com/kpdecker/jsdiff/issues/649">#649</a>)</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/de95cca5329730cf9dcdd85c634633693b3ab3db"><code>de95cca</code></a> Fix potentially cubic-time regex in parsePatch (<a href="https://redirect.github.com/kpdecker/jsdiff/issues/647">#647</a>)</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/b9aeedef3fe4764c3408b52990767bd7ac0425ab"><code>b9aeede</code></a> Allow more customisation of file headers in patches (<a href="https://redirect.github.com/kpdecker/jsdiff/issues/641">#641</a>)</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/43c716c4a38aeb72939e41e7ef353a33615335bf"><code>43c716c</code></a> Merge pull request <a href="https://redirect.github.com/kpdecker/jsdiff/issues/636">#636</a> from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/b8162c77d711e9c17e440e4f62bad7c88fad1a88"><code>b8162c7</code></a> Bump node-forge from 1.3.1 to 1.3.2</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/ad6dc1728e52e4124abcbf906072eaeaa9e63aea"><code>ad6dc17</code></a> Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/3e1774afcfadc806baa58ee780923e4d4097319a"><code>3e1774a</code></a> Fix a comment typo (<a href="https://redirect.github.com/kpdecker/jsdiff/issues/633">#633</a>)</li> <li>Additional commits viewable in <a href="https://github.com/kpdecker/jsdiff/compare/v8.0.2...v8.0.3">compare view</a></li> </ul> </details> <br /> Updates `@smithy/config-resolver` from 3.0.13 to 4.4.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/smithy-lang/smithy-typescript/releases"><code>@smithy/config-resolver</code>'s releases</a>.</em></p> <blockquote> <h2><code>@smithy/config-resolver</code><a href="https://github.com/4"><code>@4</code></a>.4.6</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [745867a] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.12.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.8</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.8</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.8</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md"><code>@smithy/config-resolver</code>'s changelog</a>.</em></p> <blockquote> <h2>4.4.6</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [745867a] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.12.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.8</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.8</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.8</li> </ul> </li> </ul> <h2>4.4.5</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [9ccb841] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.11.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.7</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.7</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.7</li> </ul> </li> </ul> <h2>4.4.4</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [5a56762] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.10.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.6</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.6</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.6</li> </ul> </li> </ul> <h2>4.4.3</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [3926fd7] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.9.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.5</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.5</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.5</li> </ul> </li> </ul> <h2>4.4.2</h2> <h3>Patch Changes</h3> <ul> <li>372b46f: allow * region with warning</li> </ul> <h2>4.4.1</h2> <h3>Patch Changes</h3> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/0e8cc4926dee4e081bfc3fe9945813f7118da73b"><code>0e8cc49</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/7e4bbf64112652f6bb5171ce2c14eebfc6aab964"><code>7e4bbf6</code></a> chore: upgrade rimraf to v5.0.10 (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1829">#1829</a>)</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/521d67c38f8928c514d1fcea3fc08e40c2300513"><code>521d67c</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/8b90f360df2a5c80c105db732b3c2f6972994854"><code>8b90f36</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/cc0124e69e2d6943f0960854bcc3abf2defd2c20"><code>cc0124e</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/07f95d95712b511256b542c4dfa368bd70580be8"><code>07f95d9</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/372b46fb0751e6e61cdfccee1fa7e6a531cf6aa4"><code>372b46f</code></a> fix(config-resolver): allow asterisk region with warning (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1760">#1760</a>)</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/472a5ea035237e10c560ed362c0e0105805ad26f"><code>472a5ea</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/8af2d330260513d3e51c98f1f137793b5330ceb4"><code>8af2d33</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/13c5cd95b682c9252e6cf15b771b5decdc860729"><code>13c5cd9</code></a> chore(config-resolver): add region validation cache (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1750">#1750</a>)</li> <li>Additional commits viewable in <a href="https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.6/packages/config-resolver">compare view</a></li> </ul> </details> <br /> Updates `@smithy/config-resolver` from 3.0.13 to 4.4.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/smithy-lang/smithy-typescript/releases"><code>@smithy/config-resolver</code>'s releases</a>.</em></p> <blockquote> <h2><code>@smithy/config-resolver</code><a href="https://github.com/4"><code>@4</code></a>.4.6</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [745867a] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.12.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.8</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.8</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.8</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md"><code>@smithy/config-resolver</code>'s changelog</a>.</em></p> <blockquote> <h2>4.4.6</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [745867a] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.12.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.8</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.8</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.8</li> </ul> </li> </ul> <h2>4.4.5</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [9ccb841] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.11.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.7</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.7</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.7</li> </ul> </li> </ul> <h2>4.4.4</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [5a56762] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.10.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.6</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.6</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.6</li> </ul> </li> </ul> <h2>4.4.3</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [3926fd7] <ul> <li><code>@smithy/types</code><a href="https://github.com/4"><code>@4</code></a>.9.0</li> <li><code>@smithy/node-config-provider</code><a href="https://github.com/4"><code>@4</code></a>.3.5</li> <li><code>@smithy/util-endpoints</code><a href="https://github.com/3"><code>@3</code></a>.2.5</li> <li><code>@smithy/util-middleware</code><a href="https://github.com/4"><code>@4</code></a>.2.5</li> </ul> </li> </ul> <h2>4.4.2</h2> <h3>Patch Changes</h3> <ul> <li>372b46f: allow * region with warning</li> </ul> <h2>4.4.1</h2> <h3>Patch Changes</h3> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/0e8cc4926dee4e081bfc3fe9945813f7118da73b"><code>0e8cc49</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/7e4bbf64112652f6bb5171ce2c14eebfc6aab964"><code>7e4bbf6</code></a> chore: upgrade rimraf to v5.0.10 (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1829">#1829</a>)</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/521d67c38f8928c514d1fcea3fc08e40c2300513"><code>521d67c</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/8b90f360df2a5c80c105db732b3c2f6972994854"><code>8b90f36</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/cc0124e69e2d6943f0960854bcc3abf2defd2c20"><code>cc0124e</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/07f95d95712b511256b542c4dfa368bd70580be8"><code>07f95d9</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/372b46fb0751e6e61cdfccee1fa7e6a531cf6aa4"><code>372b46f</code></a> fix(config-resolver): allow asterisk region with warning (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1760">#1760</a>)</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/472a5ea035237e10c560ed362c0e0105805ad26f"><code>472a5ea</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/8af2d330260513d3e51c98f1f137793b5330ceb4"><code>8af2d33</code></a> Version NPM packages</li> <li><a href="https://github.com/smithy-lang/smithy-typescript/commit/13c5cd95b682c9252e6cf15b771b5decdc860729"><code>13c5cd9</code></a> chore(config-resolver): add region validation cache (<a href="https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver/issues/1750">#1750</a>)</li> <li>Additional commits viewable in <a href="https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.6/packages/config-resolver">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

### Reason for this change It was incorrectly assumed that `git diff A..B` would behave similarly to `git log A..B`, but that is not the case. Counterintuitively, it behaves like `git log A...B`, getting changes from the main branch as well, which is not what we want. See https://stackoverflow.com/questions/7251477/what-are-the-differences-between-double-dot-and-triple-dot-in-git-dif/46345364#46345364 ### Description of changes The correct command is `git diff A...B`. This behaves like `git log A..B` as expected. ### Describe any new or updated permissions being added No new permissions are added. ### Description of how you validated changes Ran security guardian build and tests to verify ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… for AgentCore resources (#36354) ### Issue # (if applicable) Closes #36341. ### Reason for this change Improve AWS Bedrock AgentCore constructs by making physical name properties optional, following CDK best practices where names are auto-generated when not specified for better usability and to avoid naming conflicts. ### Description of changes Made physical name properties optional for all AWS Bedrock AgentCore constructs: - Implemented auto-generation using `Names.uniqueResourceName()` when names are omitted - Applied to: Gateway, Runtime, RuntimeEndpoint, Memory, BrowserCustom, CodeInterpreterCustom, and all GatewayTarget types ### Describe any new or updated permissions being added None. ### Description of how you validated changes Added unit tests for auto-generation functionality for all constructs ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…pon by downstream resources (#36734) _Note: Copied from #34898 with updated snapshots, credit to @msessa._ Closes #34897 ### Reason for this change The `AccessEntry` for kubectl provider should be included as a dependency of the kubectl ready barrier. ### Description of changes Add the kubectl `AccessEntry` to the explicit dependencies for the ready barrier resource ### Description of how you validated changes - Updated unit test - Updated integration tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ort for EndpointConfig (#35626) Implements container startup health check timeout configuration for SageMaker endpoint production variants as available in CloudFormation but missing in CDK constructs. Issue #35566 * Add containerStartupHealthCheckTimeout property to InstanceProductionVariantProps interface * Add comprehensive validation for timeout range (60-3600 seconds) * Add CloudFormation template generation for ContainerStartupHealthCheckTimeoutInSeconds property * Include test coverage for validation scenarios and edge cases * Update README documentation with usage examples and constraints #### Reason for this change AWS SageMaker EndpointConfig supports ContainerStartupHealthCheckTimeoutInSeconds in CloudFormation to configure health check timeout for inference containers, but this property is not exposed in the CDK SageMaker L2 constructs. Users with models that require longer initialization time cannot configure appropriate health check timeouts, leading to premature health check failures. #### Description of changes Implements AWS SageMaker container startup health check timeout support in CDK SageMaker L2 constructs, enabling users to configure appropriate health check timeouts for inference containers: * New containerStartupHealthCheckTimeout property in InstanceProductionVariantProps interface with AWS-compliant validation: Range: 60-3600 seconds (1 minute to 1 hour) Type: cdk.Duration for intuitive time specification Optional property maintaining backward compatibility * Enhanced addInstanceProductionVariant() method with comprehensive input validation * Automatic conversion from cdk.Duration to seconds for CloudFormation compatibility * Synthesis-time validation with clear, actionable error messages * CloudFormation integration mapping to ContainerStartupHealthCheckTimeoutInSeconds property #### Usage Example: ```typescript import * as cdk from 'aws-cdk-lib'; import * as sagemaker from '@aws-cdk/aws-sagemaker-alpha'; declare const model: sagemaker.IModel; // Create endpoint configuration with health check timeout const endpointConfig = new sagemaker.EndpointConfig(this, 'EndpointConfig', { instanceProductionVariants: [{ variantName: 'my-variant', model: model, containerStartupHealthCheckTimeout: cdk.Duration.minutes(5), // 5 minutes timeout }], }); ``` #### Describe any new or updated permissions being added N/A - No new IAM permissions required. Leverages existing SageMaker endpoint configuration permissions. #### Description of how you validated changes Unit tests: Added 5 comprehensive container startup health check timeout tests covering all validation scenarios: * Property inclusion in CloudFormation template when provided * Property absence in CloudFormation template when not provided * Range validation for minimum value (60 seconds) * Range validation for maximum value (3600 seconds) * Acceptance of valid timeout values at boundaries * Duration to seconds conversion verification By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

…y-guardian in the npm_and_yarn group across 1 directory (#36744) Bumps the npm_and_yarn group with 1 update in the /tools/@aws-cdk/security-guardian directory: [diff](https://github.com/kpdecker/jsdiff). Updates `diff` from 4.0.2 to 4.0.4 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/kpdecker/jsdiff/commit/f06f3e4cacad5955caf891a8a02c5bb1c954bcb5"><code>f06f3e4</code></a> v4.0.4</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/0179a484ffaec7c8d5d6b69d8c3905473383de75"><code>0179a48</code></a> v4.0.3</li> <li><a href="https://github.com/kpdecker/jsdiff/commit/4568cae5ae7646962bf3c5641907d1fb5af90683"><code>4568cae</code></a> Backport <a href="https://redirect.github.com/kpdecker/jsdiff/pull/649">kpdecker/jsdiff#649</a></li> <li><a href="https://github.com/kpdecker/jsdiff/commit/4de0ffa13ad51db7a27567c2b870fb4e43f0814a"><code>4de0ffa</code></a> Backport <a href="https://redirect.github.com/kpdecker/jsdiff/pull/647">kpdecker/jsdiff#647</a></li> <li>See full diff in <a href="https://github.com/kpdecker/jsdiff/compare/v4.0.2...v4.0.4">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~explodingcabbage">explodingcabbage</a>, a new releaser for diff since your current version.</p> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=diff&package-manager=npm_and_yarn&previous-version=4.0.2&new-version=4.0.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

…ation (#36692) All L1 resources and a lot of L2 resource use `Token.asString()`, `this.getResourceNameAttribute` and `this.getResourceArnAttribute` in their constructors. These allocate string tokens in a global lookup table, in case these strings ever end up in a template and need to be reversed. This work happens even if those class members are never read, leading to a lot of unnecessary work and memory usage. Move that code to getters, so that it is only done if the value is actually used. Hopefully this will noticeably reduce memory usage for large applications. In a test 10,000 construct project it seems to save ~50MB/30% of memory, but in a more complex project of 100 accounts / 80,000 constructs I've seen it save 100s of MBs (but a much smaller %). The latter one is a tad hard to quantify because I needed to fiddle with the program in order to even be able to measure it somewhat usefully. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR updates the enum values for ec2.

This PR updates the enum values for kms.

This PR updates the enum values for lambda.

Ran npm-check-updates and yarn upgrade for the following dependencies: ``` @aws-cdk/asset-awscli-v1 ``` Checkout this branch and run integration tests locally to update snapshots. ``` (cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed) ``` See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.

) ### Reason for this change The `ConstructInfo` interface is used both for telemetry analytics (sent to AWS) and for the `tree.json` output. Previously, telemetry metadata was being added to `ConstructInfo`, which caused it to leak into `tree.json` - a file that should only contain basic construct information (fqn and version). ### Description of changes This PR separates the concerns by: 1. Keeping `ConstructInfo` clean with only `fqn` and `version` - this is the public contract for `tree.json` 2. Introducing a new `ConstructAnalytics` interface that extends `ConstructInfo` with optional `telemetryMetadata` 3. Moving the analytics-specific logic from `runtime-info.ts` to a new `stack-metadata.ts` file 4. The telemetry metadata is now only collected and used within the analytics pipeline, never touching `tree.json` The feature flag `ENABLE_ADDITIONAL_METADATA_COLLECTION` continues to control whether telemetry metadata is included in the analytics sent to AWS. ### Description of how you validated changes - Existing unit tests updated and passing - Added new test for metadata type filtering - Moved jsii-dependent tests to framework-integ package where they can properly test against compiled aws-cdk-lib ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

) ### Issue # (if applicable) N/A ### Reason for this change To pin serverless cache version to 1.6 when using Memcached. ### Description of changes Add Memcached 1.6 enum. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes N/A ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#36772) Improve the documentation about auto-generated grants for construct developers, including the structure of the `grants.json` file and the meaning and implications of each field. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change To understand adoption and usage patterns of CDK Mixins, we need to track when mixins are applied to constructs. This telemetry data helps the CDK team make informed decisions about the feature's development and prioritization. Unlike other telemetry metadata which requires an opt-in feature flag, mixin usage is always collected because it's essential for understanding how this new feature is being used in the wild. ### Description of changes When a mixin is applied to a construct, we now attach metadata containing the mixin's fully qualified name (FQN). This metadata is collected via the existing CDK analytics infrastructure. Key changes: - Add `MetadataType.MIXIN` to the core metadata types - Create a new `metadata` field on `ConstructAnalytics` that is always reported, separate from `additionalTelemetry` which requires the feature flag - Mixin metadata is collected from all constructs, not just resources - The `MixinApplicator` now calls `addMetadata` when applying mixins ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Added unit tests for: - Metadata is added when a mixin with jsii FQN is applied - No metadata is added for mixins without FQN - Multiple mixins result in multiple metadata entries - Mixin metadata is collected regardless of the additional telemetry feature flag ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…36771) ### Reason for this change The `BucketPolicyStatementsMixin` was previously located in a private directory (`lib/mixins/private/s3.ts`), making it inaccessible to users of the mixins-preview package. This change makes the mixin publicly available so developers can use it to add `PolicyStatement`s to existing `BucketPolicy` resources. ### Description of changes - Moved `BucketPolicyStatementsMixin` from `lib/mixins/private/s3.ts` to `lib/services/aws-s3/bucket-policy.ts` - Renamed the class from `BucketPolicyStatementsMixins` to `BucketPolicyStatementsMixin` (singular) for consistency with other mixin naming conventions - Exported the mixin from `lib/services/aws-s3/mixins.ts` - Updated the import in `logs-delivery.ts` to use the new public location ### Describe any new or updated permissions being added None. ### Description of how you validated changes Existing tests continue to pass. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change We are starting to use refs more in some parts of the `aws-cdk` repo, in particular in relation to some Mixins. While `I__Refs` are great in the way that they allow for an L1 or an L2 construct to be passed in, sometimes we need information that is only accessible via a construct. Enter, `findL1FromRef`, when given some `I__Ref`, it is able to find the L1 construct associated with that ref. ### Description of changes Adds function that can be used to find an L1 construct when given a ref. ### Description of how you validated changes Added new unit tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…update (#36756) Bumps the npm_and_yarn group with 1 update in the / directory: [esbuild](https://github.com/evanw/esbuild). Bumps the npm_and_yarn group with 1 update in the /tools/@aws-cdk/construct-metadata-updater directory: [esbuild](https://github.com/evanw/esbuild). Updates `esbuild` from 0.24.2 to 0.25.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/releases">esbuild's releases</a>.</em></p> <blockquote> <h2>v0.25.0</h2> <p><strong>This release deliberately contains backwards-incompatible changes.</strong> To avoid automatically picking up releases like this, you should either be pinning the exact version of <code>esbuild</code> in your <code>package.json</code> file (recommended) or be using a version range syntax that only accepts patch upgrades such as <code>^0.24.0</code> or <code>~0.24.0</code>. See npm's documentation about <a href="https://docs.npmjs.com/cli/v6/using-npm/semver/">semver</a> for more information.</p> <ul> <li> <p>Restrict access to esbuild's development server (<a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">GHSA-67mh-4wv8-2f99</a>)</p> <p>This change addresses esbuild's first security vulnerability report. Previously esbuild set the <code>Access-Control-Allow-Origin</code> header to <code>*</code> to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in <a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">the report</a>.</p> <p>Starting with this release, <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">CORS</a> will now be disabled, and requests will now be denied if the host does not match the one provided to <code>--serve=</code>. The default host is <code>0.0.0.0</code>, which refers to all of the IP addresses that represent the local machine (e.g. both <code>127.0.0.1</code> and <code>192.168.0.1</code>). If you want to customize anything about esbuild's development server, you can <a href="https://esbuild.github.io/api/#serve-proxy">put a proxy in front of esbuild</a> and modify the incoming and/or outgoing requests.</p> <p>In addition, the <code>serve()</code> API call has been changed to return an array of <code>hosts</code> instead of a single <code>host</code> string. This makes it possible to determine all of the hosts that esbuild's development server will accept.</p> <p>Thanks to <a href="https://github.com/sapphi-red"><code>@sapphi-red</code></a> for reporting this issue.</p> </li> <li> <p>Delete output files when a build fails in watch mode (<a href="https://redirect.github.com/evanw/esbuild/issues/3643">#3643</a>)</p> <p>It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.</p> </li> <li> <p>Fix correctness issues with the CSS nesting transform (<a href="https://redirect.github.com/evanw/esbuild/issues/3620">#3620</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3877">#3877</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3933">#3933</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3997">#3997</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/4005">#4005</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4037">#4037</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4038">#4038</a>)</p> <p>This release fixes the following problems:</p> <ul> <li> <p>Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using <code>:is()</code> to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.</p> <pre lang="css"><code>/* Original code */ .parent { > .a, > .b1 > .b2 { color: red; } } <p>/* Old output (with --supported:nesting=false) */<br /> .parent > :is(.a, .b1 > .b2) {<br /> color: red;<br /> }</p> <p>/* New output (with --supported:nesting=false) */<br /> .parent > .a,<br /> .parent > .b1 > .b2 {<br /> color: red;<br /> }<br /> </code></pre></p> <p>Thanks to <a href="https://github.com/tim-we"><code>@tim-we</code></a> for working on a fix.</p> </li> <li> <p>The <code>&</code> CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered <code>&&</code> to have the same specificity as <code>&</code>. With this release, this should now work correctly:</p> <pre lang="css"><code>/* Original code (color should be red) */ </code></pre> </li> </ul> </li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md">esbuild's changelog</a>.</em></p> <blockquote> <h1>Changelog: 2024</h1> <p>This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evanw/esbuild/commit/e9174d671b1882758cd32ac5e146200f5bee3e45"><code>e9174d6</code></a> publish 0.25.0 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/c27dbebb9e7a55dd9a084dd151dddd840787490e"><code>c27dbeb</code></a> fix <code>hosts</code> in <code>plugin-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/6794f602a453cf0255bcae245871de120a89a559"><code>6794f60</code></a> fix <code>hosts</code> in <code>node-unref-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d"><code>de85afd</code></a> Merge commit from fork</li> <li><a href="https://github.com/evanw/esbuild/commit/da1de1bf77a65f06654b49878d9ec4747ddaa21f"><code>da1de1b</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4065">#4065</a>: bitwise operators can return bigints</li> <li><a href="https://github.com/evanw/esbuild/commit/f4e9d19fb20095a98bf40634f0380f6a16be91e7"><code>f4e9d19</code></a> switch case liveness: <code>default</code> is always last</li> <li><a href="https://github.com/evanw/esbuild/commit/7aa47c3e778ea04849f97f18dd9959df88fa0886"><code>7aa47c3</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4028">#4028</a>: minify live/dead <code>switch</code> cases better</li> <li><a href="https://github.com/evanw/esbuild/commit/22ecd306190b8971ec4474b5485266c20350e266"><code>22ecd30</code></a> minify: more constant folding for strict equality</li> <li><a href="https://github.com/evanw/esbuild/commit/4cdf03c03697128044fa8fb76e5c478e9765b353"><code>4cdf03c</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4053">#4053</a>: reordering of <code>.tsx</code> in <code>node_modules</code></li> <li><a href="https://github.com/evanw/esbuild/commit/dc719775b7140120916bd9e6777ca1cb8a1cdc0e"><code>dc71977</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/3692">#3692</a>: <code>0</code> now picks a random ephemeral port</li> <li>Additional commits viewable in <a href="https://github.com/evanw/esbuild/compare/v0.24.2...v0.25.0">compare view</a></li> </ul> </details> <br /> Updates `esbuild` from 0.24.2 to 0.25.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/releases">esbuild's releases</a>.</em></p> <blockquote> <h2>v0.25.0</h2> <p><strong>This release deliberately contains backwards-incompatible changes.</strong> To avoid automatically picking up releases like this, you should either be pinning the exact version of <code>esbuild</code> in your <code>package.json</code> file (recommended) or be using a version range syntax that only accepts patch upgrades such as <code>^0.24.0</code> or <code>~0.24.0</code>. See npm's documentation about <a href="https://docs.npmjs.com/cli/v6/using-npm/semver/">semver</a> for more information.</p> <ul> <li> <p>Restrict access to esbuild's development server (<a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">GHSA-67mh-4wv8-2f99</a>)</p> <p>This change addresses esbuild's first security vulnerability report. Previously esbuild set the <code>Access-Control-Allow-Origin</code> header to <code>*</code> to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in <a href="https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99">the report</a>.</p> <p>Starting with this release, <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">CORS</a> will now be disabled, and requests will now be denied if the host does not match the one provided to <code>--serve=</code>. The default host is <code>0.0.0.0</code>, which refers to all of the IP addresses that represent the local machine (e.g. both <code>127.0.0.1</code> and <code>192.168.0.1</code>). If you want to customize anything about esbuild's development server, you can <a href="https://esbuild.github.io/api/#serve-proxy">put a proxy in front of esbuild</a> and modify the incoming and/or outgoing requests.</p> <p>In addition, the <code>serve()</code> API call has been changed to return an array of <code>hosts</code> instead of a single <code>host</code> string. This makes it possible to determine all of the hosts that esbuild's development server will accept.</p> <p>Thanks to <a href="https://github.com/sapphi-red"><code>@sapphi-red</code></a> for reporting this issue.</p> </li> <li> <p>Delete output files when a build fails in watch mode (<a href="https://redirect.github.com/evanw/esbuild/issues/3643">#3643</a>)</p> <p>It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.</p> </li> <li> <p>Fix correctness issues with the CSS nesting transform (<a href="https://redirect.github.com/evanw/esbuild/issues/3620">#3620</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3877">#3877</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3933">#3933</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/3997">#3997</a>, <a href="https://redirect.github.com/evanw/esbuild/issues/4005">#4005</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4037">#4037</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4038">#4038</a>)</p> <p>This release fixes the following problems:</p> <ul> <li> <p>Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using <code>:is()</code> to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.</p> <pre lang="css"><code>/* Original code */ .parent { > .a, > .b1 > .b2 { color: red; } } <p>/* Old output (with --supported:nesting=false) */<br /> .parent > :is(.a, .b1 > .b2) {<br /> color: red;<br /> }</p> <p>/* New output (with --supported:nesting=false) */<br /> .parent > .a,<br /> .parent > .b1 > .b2 {<br /> color: red;<br /> }<br /> </code></pre></p> <p>Thanks to <a href="https://github.com/tim-we"><code>@tim-we</code></a> for working on a fix.</p> </li> <li> <p>The <code>&</code> CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered <code>&&</code> to have the same specificity as <code>&</code>. With this release, this should now work correctly:</p> <pre lang="css"><code>/* Original code (color should be red) */ </code></pre> </li> </ul> </li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md">esbuild's changelog</a>.</em></p> <blockquote> <h1>Changelog: 2024</h1> <p>This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evanw/esbuild/commit/e9174d671b1882758cd32ac5e146200f5bee3e45"><code>e9174d6</code></a> publish 0.25.0 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/c27dbebb9e7a55dd9a084dd151dddd840787490e"><code>c27dbeb</code></a> fix <code>hosts</code> in <code>plugin-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/6794f602a453cf0255bcae245871de120a89a559"><code>6794f60</code></a> fix <code>hosts</code> in <code>node-unref-tests.js</code></li> <li><a href="https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d"><code>de85afd</code></a> Merge commit from fork</li> <li><a href="https://github.com/evanw/esbuild/commit/da1de1bf77a65f06654b49878d9ec4747ddaa21f"><code>da1de1b</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4065">#4065</a>: bitwise operators can return bigints</li> <li><a href="https://github.com/evanw/esbuild/commit/f4e9d19fb20095a98bf40634f0380f6a16be91e7"><code>f4e9d19</code></a> switch case liveness: <code>default</code> is always last</li> <li><a href="https://github.com/evanw/esbuild/commit/7aa47c3e778ea04849f97f18dd9959df88fa0886"><code>7aa47c3</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4028">#4028</a>: minify live/dead <code>switch</code> cases better</li> <li><a href="https://github.com/evanw/esbuild/commit/22ecd306190b8971ec4474b5485266c20350e266"><code>22ecd30</code></a> minify: more constant folding for strict equality</li> <li><a href="https://github.com/evanw/esbuild/commit/4cdf03c03697128044fa8fb76e5c478e9765b353"><code>4cdf03c</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4053">#4053</a>: reordering of <code>.tsx</code> in <code>node_modules</code></li> <li><a href="https://github.com/evanw/esbuild/commit/dc719775b7140120916bd9e6777ca1cb8a1cdc0e"><code>dc71977</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/3692">#3692</a>: <code>0</code> now picks a random ephemeral port</li> <li>Additional commits viewable in <a href="https://github.com/evanw/esbuild/compare/v0.24.2...v0.25.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

) ### Reason for this change Mixin analytics metadata should only report the full FQN of any 1P mixins, but not third-party mixins. ### Description of changes Added an allowlist of FQN prefixes for AWS-owned packages. When a mixin's FQN matches one of these prefixes, the full FQN is reported in the metadata. For all other mixins (third-party), the FQN is redacted to `'*'` to preserve privacy while still tracking that a mixin was applied. Allowed prefixes include: - AWS CDK scopes: `@aws-cdk/`, `@aws-cdk-containers/`, `@aws-solutions-konstruk/`, `@aws-solutions-constructs/`, `@amzn/`, `@cdklabs/` - AWS CDK packages: `aws-rfdk.`, `aws-cdk-lib.`, `cdk8s.` ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Added unit test to verify third-party mixin FQNs are redacted to `'*'`. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…arn group across 1 directory (#36779) Bumps the npm_and_yarn group with 1 update in the / directory: [lodash](https://github.com/lodash/lodash). Updates `lodash` from 4.17.21 to 4.17.23 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/lodash/lodash/commit/dec55b7a3b382da075e2eac90089b4cd00a26cbb"><code>dec55b7</code></a> Bump main to v4.17.23 (<a href="https://redirect.github.com/lodash/lodash/issues/6088">#6088</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/19c9251b3631d7cf220b43bc757eb33f1084f117"><code>19c9251</code></a> fix: setCacheHas JSDoc return type should be boolean (<a href="https://redirect.github.com/lodash/lodash/issues/6071">#6071</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/b5e672995ae26929d111a6e94589f8d03fb8e578"><code>b5e6729</code></a> jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (<a href="https://redirect.github.com/lodash/lodash/issues/6062">#6062</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81"><code>edadd45</code></a> Prevent prototype pollution on baseUnset function</li> <li><a href="https://github.com/lodash/lodash/commit/4879a7a7d0a4494b0e83c7fa21bcc9fc6e7f1a6d"><code>4879a7a</code></a> doc: fix autoLink function, conversion of source links (<a href="https://redirect.github.com/lodash/lodash/issues/6056">#6056</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/9648f692b0fc7c2f6a7a763d754377200126c2e8"><code>9648f69</code></a> chore: remove <code>yarn.lock</code> file (<a href="https://redirect.github.com/lodash/lodash/issues/6053">#6053</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/dfa407db0bf5b200f2c7a9e4f06830ceaf074be9"><code>dfa407d</code></a> ci: remove legacy configuration files (<a href="https://redirect.github.com/lodash/lodash/issues/6052">#6052</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/156e1965ae78b121a88f81178ab81632304e8d64"><code>156e196</code></a> feat: add renovate setup (<a href="https://redirect.github.com/lodash/lodash/issues/6039">#6039</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/933e1061b8c344d3fc742cdc400175d5ffc99bce"><code>933e106</code></a> ci: add pipeline for Bun (<a href="https://redirect.github.com/lodash/lodash/issues/6023">#6023</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/072a807ff7ad8ffc7c1d2c3097266e815d138e20"><code>072a807</code></a> docs: update links related to Open JS Foundation (<a href="https://redirect.github.com/lodash/lodash/issues/5968">#5968</a>)</li> <li>Additional commits viewable in <a href="https://github.com/lodash/lodash/compare/4.17.21...4.17.23">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=lodash&package-manager=npm_and_yarn&previous-version=4.17.21&new-version=4.17.23)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

mergify · 2026-01-23T09:40:16Z

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

mergify · 2026-01-23T09:40:25Z

github-actions · 2026-01-23T09:40:33Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

rix0rrr and others added 30 commits January 15, 2026 15:45

Merge branch 'main' into merge-back/2.235.0

ea980b5

chore(merge-back): 2.235.0 (#36704)

e6de947

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.235.0/CHANGELOG.md)

Merge branch 'main' into merge-back/2.235.1

84a2f51

chore(merge-back): 2.235.1 (#36732)

a08d9c7

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.235.1/CHANGELOG.md)

chore: linter rule requires L2 interfaces to extend reference interfa…

2d5c210

…ce (#36696) This requires that `IBucket extends IBucketRef`, etc. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

chore(ec2): add new enum values for ec2 (#36726)

213fa0f

This PR updates the enum values for ec2.

chore(kms): add new enum values for kms (#36728)

d3b87fe

This PR updates the enum values for kms.

chore(lambda): add new enum values for lambda (#36729)

b3c858b

This PR updates the enum values for lambda.

aws-cdk-automation and others added 11 commits January 22, 2026 11:17

chore(release): 2.236.0

7e84b9f

aws-cdk-automation requested a review from a team as a code owner January 23, 2026 08:46

aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Jan 23, 2026

aws-cdk-automation requested a review from a team January 23, 2026 08:46

github-actions bot added the p2 label Jan 23, 2026

github-actions bot approved these changes Jan 23, 2026

View reviewed changes

mergify bot added the contribution/core This is a PR that came from AWS. label Jan 23, 2026

leonmk-aws added the pr/do-not-merge This PR should not be merged at this time. label Jan 23, 2026

aws-cdk-automation and others added 2 commits January 23, 2026 08:49

chore: update analytics metadata blueprints

b2add3f

chore: update CHANGELOG.v2.md

a079671

leonmk-aws removed the pr/do-not-merge This PR should not be merged at this time. label Jan 23, 2026

mergify bot merged commit 7c81002 into v2-release Jan 23, 2026
23 of 24 checks passed

mergify bot deleted the bump/2.236.0 branch January 23, 2026 09:40

github-actions bot locked as resolved and limited conversation to collaborators Jan 23, 2026

aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 23, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(release): 2.236.0#36783

chore(release): 2.236.0#36783
mergify[bot] merged 48 commits intov2-releasefrom
bump/2.236.0

aws-cdk-automation commented Jan 23, 2026 •

edited

Loading

Uh oh!

mergify bot commented Jan 23, 2026

Uh oh!

Uh oh!

mergify bot commented Jan 23, 2026

Uh oh!

github-actions bot commented Jan 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

16 participants

Conversation

aws-cdk-automation commented Jan 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mergify bot commented Jan 23, 2026

Uh oh!

Uh oh!

mergify bot commented Jan 23, 2026

Merge Queue Status

Uh oh!

github-actions bot commented Jan 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

16 participants

aws-cdk-automation commented Jan 23, 2026 •

edited

Loading