Bump the npm group across 2 directories with 3 updates

[dependabot]

Bumps the npm group with 3 updates in the / directory: @aws-sdk/client-cloudformation, aws-cdk-lib and aws-cdk.
Bumps the npm group with 2 updates in the /test directory: aws-cdk-lib and aws-cdk.

Updates @aws-sdk/client-cloudformation from 3.914.0 to 3.917.0

Release notes

Sourced from @​aws-sdk/client-cloudformation's releases.

v3.917.0

3.917.0(2025-10-24)

New Features

• clients: update client endpoints as of 2025-10-24 (5f76bd76)
• client-location: Added support for mobile app restrictions in Amazon Location API keys. (f7e89045)
• client-geo-maps: Added support for optional AdditionalFeatures parameter in the V2 GetTile API. (fd1221d8)
• client-acm: Update endpoint ruleset parameters casing (9fd39c4b)
• client-robomaker: Update endpoint ruleset parameters casing (e5f3bff1)
• client-data-pipeline: Update endpoint ruleset parameters casing (b3727fe8)
• client-s3tables: Update endpoint ruleset parameters casing (2b605337)
• client-payment-cryptography-data: Update endpoint ruleset parameters casing (f385a1b9)
• client-lookoutvision: Update endpoint ruleset parameters casing (cfe98b4b)
• client-billing: Update endpoint ruleset parameters casing (cfca0cf5)
• client-evs: Update endpoint ruleset parameters casing (52113c8e)
• client-securityhub: Release 3 layer filter support in GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2,GetResourcesStatisticsV2, AutomationRule V2 APIs. Update filter casing in GetResourcesV2, GetResourcesStatisticsV2 APIs. Add new filters in GetFindingsV2, GetFindingStatisticsV2, AutomationRule V2 APIs. (84afe147)
• client-snow-device-management: Update endpoint ruleset parameters casing (1dd93db7)
• client-mediapackage: Update endpoint ruleset parameters casing (cc44ae84)
• client-dynamodb-streams: Update endpoint ruleset parameters casing (0058eef6)
• client-mediastore: Update endpoint ruleset parameters casing (8296014a)
• client-panorama: Update endpoint ruleset parameters casing (2f334f1e)
• client-cloudtrail: Update endpoint ruleset parameters casing (3837ebed)
• client-iot-managed-integrations: Update endpoint ruleset parameters casing (efaf50b9)
• client-application-signals: Update endpoint ruleset parameters casing (90b2f06d)
• client-qbusiness: Update endpoint ruleset parameters casing (acf432dd)
• client-servicediscovery: Update endpoint ruleset parameters casing (a0179c8b)
• client-iot-wireless: Update endpoint ruleset parameters casing (09631dd4)
• client-translate: Update endpoint ruleset parameters casing (1f72ef5b)
• client-wisdom: Update endpoint ruleset parameters casing (e8b664b8)
• client-gameliftstreams: Add status reasons for TERMINATED stream sessions (7b2d856d)
• client-mq: Update endpoint ruleset parameters casing (7f703c18)
• client-kinesis-video-signaling: Update endpoint ruleset parameters casing (377d9ac0)
• client-eks: Update endpoint ruleset parameters casing (15c01c6e)
• client-route-53-domains: Update endpoint ruleset parameters casing (fa7060a0)
• client-pca-connector-ad: Update endpoint ruleset parameters casing (109911c4)
• client-amplifyuibuilder: Update endpoint ruleset parameters casing (91055aed)
• client-codepipeline: Update endpoint ruleset parameters casing (16d85f26)
• client-inspector: Update endpoint ruleset parameters casing (5999e41d)
• client-sagemaker-metrics: Update endpoint ruleset parameters casing (ea8a941a)
• client-docdb: Update endpoint ruleset parameters casing (89ec103f)
• client-vpc-lattice: Update endpoint ruleset parameters casing (40072ab1)
• client-sso-oidc: Update endpoint ruleset parameters casing (9689f9bb)
• client-sagemaker: Added inference components model data caching feature (6d774006)
• client-payment-cryptography: Update endpoint ruleset parameters casing (1191c679)
• client-verifiedpermissions: Update endpoint ruleset parameters casing (48683fa6)
• client-elastic-load-balancing: Update endpoint ruleset parameters casing (5455bbe8)
• client-migrationhubstrategy: Update endpoint ruleset parameters casing (b5c0b4cc)
• client-rtbfabric: Add support for custom rate limits. (5dafa724)
• client-datazone: This release adds support for MLflow connections Creation in DataZone (1bd75f01)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-cloudformation's changelog.

3.917.0 (2025-10-24)

Note: Version bump only for package @​aws-sdk/client-cloudformation

3.916.0 (2025-10-23)

Note: Version bump only for package @​aws-sdk/client-cloudformation

3.915.0 (2025-10-22)

Features

• client-cloudformation: Update endpoint ruleset parameters casing (b1a66b2)

Commits

• f02cfb8 Publish v3.917.0
• 952e349 Publish v3.916.0
• 2d30ee7 chore(codegen): update for expect 100-continue handling (#7451)
• cc4845b Publish v3.915.0
• b1a66b2 feat(client-cloudformation): Update endpoint ruleset parameters casing
• See full diff in compare view

Updates aws-cdk-lib from 2.220.0 to 2.221.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.221.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-datazone: AWS::DataZone::ProjectProfile: Id property removed.
• aws-logs: AWS::Logs::DeliveryDestination: DeliveryDestinationType attribute removed.
• aws-s3: AWS::S3::AccessGrantsLocation: IamRoleArn property is now required.
• aws-s3: AWS::S3::AccessGrantsLocation: LocationScope property is now required.
• aws-servicecatalog: AWS::ServiceCatalog::TagOptionAssociation: Id attribute removed.

Features

• update L1 CloudFormation resource definitions (#35816) (82bef28)
• agentcore: add agentcore L2 constructs for 1p tools (#35577) (3087ffa)
• agentcore: add agentcore runtime L2 construct (#35623) (c57484a)
• ecr: image tag mutability exclusion filters (#35246) (f6dd5cf), closes #35454
• ecs: implement IConnectable interface for ManagedInstancesCapacityProvider (#35745) (fd5ff76)
• kinesisfirehose: support DeliveryStream record format conversion for S3 Bucket Destination (#35410) (79bcba2), closes #15501 aws/aws-cdk#15501
• update L1 CloudFormation resource definitions (#35769) (a165905)

Bug Fixes

• ecs-patterns: resolve target group conflict when updating ALB internetFacing or loadBalancerName (under feature flag) (#35508) (69b9c03), closes #33253 #33253 #33253
• lambda: can't find entry file under ESM module system (#35797) (7becd79), closes #21630
• lambda-runtime: change fallback for latest lambda node runtime to node 22.x (#35764) (10fcb1b)
• opensearchservice: add i8g nodes validation without EBS (#35668) (9594842), closes #35666
• s3-deployment: handle empty string in Source.data() (#35824) (95c8d73), closes #35809
• stepfunctions-tasks: allow passing apiEndpoint as intrinsic function (under feature flag) (#32139) (ddfef06), closes #29925 #29925 #30749

---

Alpha modules (2.221.0-alpha.0)

Features

• msk-alpha: support Kafka 4.1 (#35759) (67539de)

Bug Fixes

• elasticache-alpha: cannot import Redis 7 serverless cache (#35629) (2bde1a0)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.221.0-alpha.0 (2025-10-24)

Features

• msk-alpha: support Kafka 4.1 (#35759) (67539de)

Bug Fixes

• elasticache-alpha: cannot import Redis 7 serverless cache (#35629) (2bde1a0)

2.220.0-alpha.0 (2025-10-14)

Bug Fixes

• amplify-alpha: handle empty customResponseHeaders array (#35700) (57f9068), closes #35693

2.219.0-alpha.0 (2025-10-01)

2.218.0-alpha.0 (2025-09-29)

• elasticache-alpha: implement Serverless ElastiCache L2 Construct (#35424) (0e08c8c)

2.217.0-alpha.0 (2025-09-25)

2.216.0-alpha.0 (2025-09-22)

2.215.0-alpha.0 (2025-09-15)

Bug Fixes

• bedrock-alpha: added missing validation when prompt uses default variant (#35366) (cbd271e)

2.214.0-alpha.0 (2025-09-02)

Features

• bedrock-alpha: add guardrails l2 construct (#34765) (b4fdb2b)
• eks-v2-alpha: support eks with k8s 1.33 (#34713) (c24565e), closes #34520 #34911
• s3tables-alpha: add TablePolicy support to L2 construct library (#35223) (2741dfb), closes #33054

2.213.0-alpha.0 (2025-08-27)

Features

... (truncated)

Commits

• 780ae85 chore: resolve merge conflict
• 287e1fa chore(release): 2.221.0
• 36140d1 revert: feat(core): cfn constructs (L1s) can now accept constructs as paramet...
• 159703c chore: update analytics metadata blueprints
• 1d2725c chore(release): 2.221.0
• 95c8d73 fix(s3-deployment): handle empty string in Source.data() (#35824)
• c5e7f21 feat(core): cfn constructs (L1s) can now accept constructs as parameters for ...
• 10fcb1b fix(lambda-runtime): change fallback for latest lambda node runtime to node 2...
• 82bef28 feat: update L1 CloudFormation resource definitions (#35816)
• 7becd79 fix(lambda): can't find entry file under ESM module system (#35797)
• Additional commits viewable in compare view

Updates aws-cdk from 2.1030.0 to 2.1031.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1031.0

2.1031.0 (2025-10-22)

⚠ BREAKING CHANGES

• cli: for existing ci/cd pipeline users. Therefore, this idea was discarded

Features

• cli: display warning when --role-arn is used with gc command (#893) (3d7b09b)

Commits

• 3d7b09b feat(cli): display warning when --role-arn is used with gc command (#893)
• See full diff in compare view

Updates aws-cdk-lib from 2.220.0 to 2.221.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.221.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-datazone: AWS::DataZone::ProjectProfile: Id property removed.
• aws-logs: AWS::Logs::DeliveryDestination: DeliveryDestinationType attribute removed.
• aws-s3: AWS::S3::AccessGrantsLocation: IamRoleArn property is now required.
• aws-s3: AWS::S3::AccessGrantsLocation: LocationScope property is now required.
• aws-servicecatalog: AWS::ServiceCatalog::TagOptionAssociation: Id attribute removed.

Features

• update L1 CloudFormation resource definitions (#35816) (82bef28)
• agentcore: add agentcore L2 constructs for 1p tools (#35577) (3087ffa)
• agentcore: add agentcore runtime L2 construct (#35623) (c57484a)
• ecr: image tag mutability exclusion filters (#35246) (f6dd5cf), closes #35454
• ecs: implement IConnectable interface for ManagedInstancesCapacityProvider (#35745) (fd5ff76)
• kinesisfirehose: support DeliveryStream record format conversion for S3 Bucket Destination (#35410) (79bcba2), closes #15501 aws/aws-cdk#15501
• update L1 CloudFormation resource definitions (#35769) (a165905)

Bug Fixes

• ecs-patterns: resolve target group conflict when updating ALB internetFacing or loadBalancerName (under feature flag) (#35508) (69b9c03), closes #33253 #33253 #33253
• lambda: can't find entry file under ESM module system (#35797) (7becd79), closes #21630
• lambda-runtime: change fallback for latest lambda node runtime to node 22.x (#35764) (10fcb1b)
• opensearchservice: add i8g nodes validation without EBS (#35668) (9594842), closes #35666
• s3-deployment: handle empty string in Source.data() (#35824) (95c8d73), closes #35809
• stepfunctions-tasks: allow passing apiEndpoint as intrinsic function (under feature flag) (#32139) (ddfef06), closes #29925 #29925 #30749

---

Alpha modules (2.221.0-alpha.0)

Features

• msk-alpha: support Kafka 4.1 (#35759) (67539de)

Bug Fixes

• elasticache-alpha: cannot import Redis 7 serverless cache (#35629) (2bde1a0)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.221.0-alpha.0 (2025-10-24)

Features

• msk-alpha: support Kafka 4.1 (#35759) (67539de)

Bug Fixes

• elasticache-alpha: cannot import Redis 7 serverless cache (#35629) (2bde1a0)

2.220.0-alpha.0 (2025-10-14)

Bug Fixes

• amplify-alpha: handle empty customResponseHeaders array (#35700) (57f9068), closes #35693

2.219.0-alpha.0 (2025-10-01)

2.218.0-alpha.0 (2025-09-29)

• elasticache-alpha: implement Serverless ElastiCache L2 Construct (#35424) (0e08c8c)

2.217.0-alpha.0 (2025-09-25)

2.216.0-alpha.0 (2025-09-22)

2.215.0-alpha.0 (2025-09-15)

Bug Fixes

• bedrock-alpha: added missing validation when prompt uses default variant (#35366) (cbd271e)

2.214.0-alpha.0 (2025-09-02)

Features

• bedrock-alpha: add guardrails l2 construct (#34765) (b4fdb2b)
• eks-v2-alpha: support eks with k8s 1.33 (#34713) (c24565e), closes #34520 #34911
• s3tables-alpha: add TablePolicy support to L2 construct library (#35223) (2741dfb), closes #33054

2.213.0-alpha.0 (2025-08-27)

Features

... (truncated)

Commits

• 780ae85 chore: resolve merge conflict
• 287e1fa chore(release): 2.221.0
• 36140d1 revert: feat(core): cfn constructs (L1s) can now accept constructs as paramet...
• 159703c chore: update analytics metadata blueprints
• 1d2725c chore(release): 2.221.0
• 95c8d73 fix(s3-deployment): handle empty string in Source.data() (#35824)
• c5e7f21 feat(core): cfn constructs (L1s) can now accept constructs as parameters for ...
• 10fcb1b fix(lambda-runtime): change fallback for latest lambda node runtime to node 2...
• 82bef28 feat: update L1 CloudFormation resource definitions (#35816)
• 7becd79 fix(lambda): can't find entry file under ESM module system (#35797)
• Additional commits viewable in compare view

Updates aws-cdk from 2.1030.0 to 2.1031.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1031.0

2.1031.0 (2025-10-22)

⚠ BREAKING CHANGES

• cli: for existing ci/cd pipeline users. Therefore, this idea was discarded

Features

• cli: display warning when --role-arn is used with gc command (#893) (3d7b09b)

Commits

• 3d7b09b feat(cli): display warning when --role-arn is used with gc command (#893)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@aws-sdk/client-cloudformation	^3.917.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-cdk/cloud-assembly-schema	48.16.0	Unknown	Unknown
npm/@aws-sdk/client-cloudformation	3.917.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/client-sso	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/core	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-env	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-http	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-ini	3.917.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-node	3.917.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-process	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-sso	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-web-identity	3.917.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/middleware-user-agent	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/nested-clients	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/token-providers	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/util-endpoints	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/util-user-agent-node	3.916.0	🟢 4.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/yargs	17.0.34	🟢 7	Details Check Score Reason Code-Review 🟢 9 Found 27/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/aws-cdk	2.1031.0	Unknown	Unknown
npm/aws-cdk-lib	2.221.0	🟢 4.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
npm/electron-to-chromium	1.5.240	Unknown	Unknown
npm/aws-cdk	^2.1031.0	Unknown	Unknown
npm/aws-cdk-lib	^2.221.0	🟢 4.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0

Scanned Files

• package.json
• pnpm-lock.yaml
• test/package.json