Bump the npm group across 2 directories with 4 updates

[dependabot]

Bumps the npm group with 4 updates in the / directory: @aws-sdk/client-cloudformation, @stylistic/eslint-plugin, @types/node and aws-cdk-lib.
Bumps the npm group with 2 updates in the /test directory: @types/node and aws-cdk-lib.

Updates @aws-sdk/client-cloudformation from 3.965.0 to 3.966.0

Release notes

Sourced from @​aws-sdk/client-cloudformation's releases.

v3.966.0

3.966.0(2026-01-09)

Chores

• codegen:
  • release smithy-typescript-aws-codegen v0.41.1 (#7633) (f5048a66)
  • set rimraf to 5.0.10 (#7630) (367465e7)
• util-arn-parser: mark arn parser internal (#7629) (7baf559c)
• scripts: script to get changed package list (#7628) (a470a0e1)

New Features

• clients: update client endpoints as of 2026-01-09 (060fef34)
• client-medialive: MediaPackage v2 output groups in MediaLive can now accept one additional destination for single pipeline channels and up to two additional destinations for standard channels. MediaPackage v2 destinations now support sending to cross region MediaPackage channels. (ce039310)
• client-bedrock-agentcore-control: Adds optional field "view" to GetMemory API input to give customers control over whether CMK encrypted data such as strategy decryption or override prompts is returned or not. (c68a59e8)
• client-transcribe: Adds waiters to Amazon Transcribe. (93eb18c5)
• client-glue: Adding MaterializedViews task run APIs (d430d646)
• client-cloudfront: Added EntityLimitExceeded exception handling to the following API operations AssociateDistributionWebACL, AssociateDistributionTenantWebACL, UpdateDistributionWithStagingConfig (858e6e8b)

---

For list of updated packages, view updated-packages.md in assets-3.966.0.zip

Changelog

Sourced from @​aws-sdk/client-cloudformation's changelog.

3.966.0 (2026-01-09)

Note: Version bump only for package @​aws-sdk/client-cloudformation

Commits

• 8796f3a Publish v3.966.0
• f5048a6 chore(codegen): release smithy-typescript-aws-codegen v0.41.1 (#7633)
• See full diff in compare view

Updates @stylistic/eslint-plugin from 5.6.1 to 5.7.0

Release notes

Sourced from @​stylistic/eslint-plugin's releases.

v5.7.0

5.7.0 (2026-01-09)

Features

• customize: allow indent option as full rule options (#1091) (ab50c71)
• deprecate jsx-sort-props in favor of eslint-plugin-perfectionist (#1071) (622b888)
• dot-location: support MetaProperty, TSQualifiedName, TSImportType, JSXMemberExpression (#1063) (c296e42)
• eol-last: improve to make language-agnostic (#1051) (9152494)
• linebreak-style: improve to make language-agnostic (#1050) (132926d)
• type-annotation-spacing: allow ignore check arrow (#1080) (1aaf61f)
• update deps, support @​typescript-eslint/parser >=8.48.0 (#1095) (172ef89)

Bug Fixes

• list-style: replace text range with delimiter directly (#1062) (c2ac348)
• object-curly-spacing: allow space before comment in multi-line objects (#1076) (d73c03e)

Documentation

• fix command to run docs (#1058) (f597441)

Build Related

• deps: bump actions/checkout from 5 to 6 (#1061) (767efe4)
• deps: bump actions/download-artifact from 6 to 7 (#1067) (272e75d)
• deps: bump actions/upload-artifact from 5 to 6 (#1068) (50239e3)

Chores

• docs: extract local vite plugins from vite.config.ts (#1081) (79e6c6b)
• indent: simplify handling of TSConditionalType (#1075) (233c967)
• indent: simplify handling of TSMappedType (#1073) (30b6bb3)
• member-delimiter-style: use auto-generated types (#1089) (580164b)
• padding-line-between-statements: use auto-generated types (#1090) (a80aefb)
• replace hasCommentsBetween with sourceCode.commentsExistBetween (#1094) (77e1370)
• test-utils: replace language conditionals with a config object (#1064) (e78a122)
• utils: simplify type guards, cleanup typings & docs (#1086) (843428e)

Changelog

Sourced from @​stylistic/eslint-plugin's changelog.

5.7.0 (2026-01-09)

Features

• customize: allow indent option as full rule options (#1091) (ab50c71)
• deprecate jsx-sort-props in favor of eslint-plugin-perfectionist (#1071) (622b888)
• dot-location: support MetaProperty, TSQualifiedName, TSImportType, JSXMemberExpression (#1063) (c296e42)
• eol-last: improve to make language-agnostic (#1051) (9152494)
• linebreak-style: improve to make language-agnostic (#1050) (132926d)
• type-annotation-spacing: allow ignore check arrow (#1080) (1aaf61f)
• update deps, support @​typescript-eslint/parser >=8.48.0 (#1095) (172ef89)

Bug Fixes

• list-style: replace text range with delimiter directly (#1062) (c2ac348)
• object-curly-spacing: allow space before comment in multi-line objects (#1076) (d73c03e)

Documentation

• fix command to run docs (#1058) (f597441)

Build Related

• deps: bump actions/checkout from 5 to 6 (#1061) (767efe4)
• deps: bump actions/download-artifact from 6 to 7 (#1067) (272e75d)
• deps: bump actions/upload-artifact from 5 to 6 (#1068) (50239e3)

Chores

• docs: extract local vite plugins from vite.config.ts (#1081) (79e6c6b)
• indent: simplify handling of TSConditionalType (#1075) (233c967)
• indent: simplify handling of TSMappedType (#1073) (30b6bb3)
• member-delimiter-style: use auto-generated types (#1089) (580164b)
• padding-line-between-statements: use auto-generated types (#1090) (a80aefb)
• replace hasCommentsBetween with sourceCode.commentsExistBetween (#1094) (77e1370)
• test-utils: replace language conditionals with a config object (#1064) (e78a122)
• utils: simplify type guards, cleanup typings & docs (#1086) (843428e)

Commits

• 94ba6b3 chore: release v5.7.0 (main) (#1060)
• 172ef89 feat: update deps, support @​typescript-eslint/parser >=8.48.0 (#1095)
• ab50c71 feat(customize): allow indent option as full rule options (#1091)
• 77e1370 refactor: replace hasCommentsBetween with sourceCode.commentsExistBetween...
• 6494fdc chore: cleanup unused constants (#1093)
• a80aefb refactor(padding-line-between-statements): use auto-generated types (#1090)
• 580164b refactor(member-delimiter-style): use auto-generated types (#1089)
• 622b888 feat: deprecate jsx-sort-props in favor of eslint-plugin-perfectionist (#...
• 1aaf61f feat(type-annotation-spacing): allow ignore check arrow (#1080)
• d73c03e fix(object-curly-spacing): allow space before comment in multi-line objects (...
• Additional commits viewable in compare view

Updates @types/node from 25.0.3 to 25.0.5

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.233.0 to 2.234.1

Release notes

Sourced from aws-cdk-lib's releases.

v2.234.1

Bug Fixes

• RuntimeError: apiEndpoint is not configured on the imported HttpApi (revert of "chore(apigatewayv2): reference interfaces") (#36623) (1c10d49), closes aws/aws-cdk#36378

---

Alpha modules (2.234.1-alpha.0)

v2.234.0

⚠ BREAKING CHANGES

• batch: unfortunately JobQueue exposes public readonly computeEnvironments: OrderedComputeEnvironment[]. The computeEnvironment member of that structure now fewer guarantees, and needs casting. This should not have been exposed, and we assume the use of the exposed property here is rare.
• backup: unfortunately BackupPlanRule exposes public readonly props: BackupPlanRuleProps. The backupVault member of that structure now guarantees less, and needs casting. This should never have been exposed, and we assume the use of the exposed property here is rare.
• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthUrl attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.CloudId attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.Domain attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.ServiceNow.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: JiraCloud type removed, replaced by JiraCloudProviderConfiguration.
aws-securityhub: AWS::SecurityHub::ConnectorV2: ServiceNow type removed, replaced by ServiceNowProviderConfiguration.
aws-ssm: AWS::SSM::MaintenanceWindowTarget: Id attribute removed.

Features

• ecs: automatically create ec2InstanceProfile for ManagedInstancesCapacityProvider (#35796) (9218ea8)
• rds: add name property to option group (#36319) (708d0ac), closes #35720
• stepfunctions-tasks: allow EcsRunTask on fargate and ec2 to set capacity provider strategy (#35465) (63ca2ae), closes #20013 #30171 #7967
• synthetics: add puppeteer 12.0/13.0 runtime (#36562) (5b74dd4), closes #36501

Bug Fixes

• cloudwatch: skip MathExpression validation when prop is a token (#36487) (2845d47)
• core: App.of() returns incorrect values (#36475) (78034d3)
• core: arnForXxxx() helpers ignore environments from referenced resources (#36599) (4744c59)
• core: account for { Ref } incompatibility between schema and CFN (#36493) (3b06942)
• ec2: add proper handling for VPC endpoint service name prefix eu.amazonaws for new region eusc-de-east-1 for ECR & API Gateway services (#36471) (d5561e0)
• lambda: add token resolution validation to capacity providers (#36275) (c5fbd97)

Miscellaneous Chores

• backup: reference interfaces (#36415) (4418612)
• batch: reference interfaces (#36522) (fefc7be)

---

Alpha modules (2.234.0-alpha.0)

Features

• msk-alpha: support express broker for Kafka v3.9 (#36450) (afcc953)

... (truncated)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.234.1-alpha.0 (2026-01-08)

2.234.0-alpha.0 (2026-01-08)

Features

• msk-alpha: support express broker for Kafka v3.9 (#36450) (afcc953)

Bug Fixes

• elasticache-alpha: deployment fails when serverlessCacheName or userGroupId is not specified (#36459) (b3f62f7), closes #36458
• elasticache-alpha: security group for ServerlessCache does not use default endpoint port (#35738) (79d91ad)

2.233.0-alpha.0 (2025-12-18)

⚠ BREAKING CHANGES

• bedrock-agentcore-alpha: Runtime constructs will no longer automatically include lifecycleConfiguration with default values when not explicitly specified by users.
• elasticache-alpha: The engine property in NoPasswordUserProps has been removed.

Bug Fixes

• bedrock-agentcore-alpha: runtime construct incorrectly forces default lifecycleConfiguration values (#36379) (7954354), closes #36376
• elasticache-alpha: the default engine for NoPasswordUser contradict in the docs (#35920) (495fa37), closes #35847
• mixins-preview: improving delivery source and delivery destination creation (#36314) (86092ab)

2.232.2-alpha.0 (2025-12-12)

2.232.1-alpha.0 (2025-12-05)

2.232.0-alpha.0 (2025-12-04)

Bug Fixes

• bedrock-agentcore-alpha: use static construct ID for asset-based runtime artifacts (#36241) (e2bdddd), closes #35968
• mixins-preview: service exports are different then in aws-cdk-lib (#36201) (5858006), closes #36210
• mixins-preview: strongly-typed ConstructSelector interface (#36266) (1d2f473)

2.231.0-alpha.0 (2025-12-01)

Features

... (truncated)

Commits

• 1c10d49 fix: RuntimeError: apiEndpoint is not configured on the imported HttpApi (r...
• 51ce93a chore: update analytics metadata blueprints
• f5892c6 chore: npm-check-updates && yarn upgrade (#36579)
• ffaccc0 chore(route53): reference interfaces (#36574)
• 46188f8 chore(codepipeline): reference interfaces (#36526)
• d43951a chore(appsync): reference interfaces (#36521)
• fefc7be chore(batch): reference interfaces (#36522)
• f7802a7 chore(secretsmanager): reference interfaces (#36576)
• f85be6f chore(inspector): reference interfaces (#36488)
• 9180ca6 chore(elasticloadbalancing): reference interfaces (#36533)
• Additional commits viewable in compare view

Updates @types/node from 25.0.3 to 25.0.5

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.233.0 to 2.234.1

Release notes

Sourced from aws-cdk-lib's releases.

v2.234.1

Bug Fixes

• RuntimeError: apiEndpoint is not configured on the imported HttpApi (revert of "chore(apigatewayv2): reference interfaces") (#36623) (1c10d49), closes aws/aws-cdk#36378

---

Alpha modules (2.234.1-alpha.0)

v2.234.0

⚠ BREAKING CHANGES

• batch: unfortunately JobQueue exposes public readonly computeEnvironments: OrderedComputeEnvironment[]. The computeEnvironment member of that structure now fewer guarantees, and needs casting. This should not have been exposed, and we assume the use of the exposed property here is rare.
• backup: unfortunately BackupPlanRule exposes public readonly props: BackupPlanRuleProps. The backupVault member of that structure now guarantees less, and needs casting. This should never have been exposed, and we assume the use of the exposed property here is rare.
• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthUrl attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.CloudId attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.Domain attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.ServiceNow.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: JiraCloud type removed, replaced by JiraCloudProviderConfiguration.
aws-securityhub: AWS::SecurityHub::ConnectorV2: ServiceNow type removed, replaced by ServiceNowProviderConfiguration.
aws-ssm: AWS::SSM::MaintenanceWindowTarget: Id attribute removed.

Features

• ecs: automatically create ec2InstanceProfile for ManagedInstancesCapacityProvider (#35796) (9218ea8)
• rds: add name property to option group (#36319) (708d0ac), closes #35720
• stepfunctions-tasks: allow EcsRunTask on fargate and ec2 to set capacity provider strategy (#35465) (63ca2ae), closes #20013 #30171 #7967
• synthetics: add puppeteer 12.0/13.0 runtime (#36562) (5b74dd4), closes #36501

Bug Fixes

• cloudwatch: skip MathExpression validation when prop is a token (#36487) (2845d47)
• core: App.of() returns incorrect values (#36475) (78034d3)
• core: arnForXxxx() helpers ignore environments from referenced resources (#36599) (4744c59)
• core: account for { Ref } incompatibility between schema and CFN (#36493) (3b06942)
• ec2: add proper handling for VPC endpoint service name prefix eu.amazonaws for new region eusc-de-east-1 for ECR & API Gateway services (#36471) (d5561e0)
• lambda: add token resolution validation to capacity providers (#36275) (c5fbd97)

Miscellaneous Chores

• backup: reference interfaces (#36415) (4418612)
• batch: reference interfaces (#36522) (fefc7be)

---

Alpha modules (2.234.0-alpha.0)

Features

• msk-alpha: support express broker for Kafka v3.9 (#36450) (afcc953)

... (truncated)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.234.1-alpha.0 (2026-01-08)

2.234.0-alpha.0 (2026-01-08)

Features

• msk-alpha: support express broker for Kafka v3.9 (#36450) (afcc953)

Bug Fixes

• elasticache-alpha: deployment fails when serverlessCacheName or userGroupId is not specified (#36459) (b3f62f7), closes #36458
• elasticache-alpha: security group for ServerlessCache does not use default endpoint port (#35738) (79d91ad)

2.233.0-alpha.0 (2025-12-18)

⚠ BREAKING CHANGES

• bedrock-agentcore-alpha: Runtime constructs will no longer automatically include lifecycleConfiguration with default values when not explicitly specified by users.
• elasticache-alpha: The engine property in NoPasswordUserProps has been removed.

Bug Fixes

• bedrock-agentcore-alpha: runtime construct incorrectly forces default lifecycleConfiguration values (#36379) (7954354), closes #36376
• elasticache-alpha: the default engine for NoPasswordUser contradict in the docs (#35920) (495fa37), closes #35847
• mixins-preview: improving delivery source and delivery destination creation (#36314) (86092ab)

2.232.2-alpha.0 (2025-12-12)

2.232.1-alpha.0 (2025-12-05)

2.232.0-alpha.0 (2025-12-04)

Bug Fixes

• bedrock-agentcore-alpha: use static construct ID for asset-based runtime artifacts (#36241) (e2bdddd), closes #35968
• mixins-preview: service exports are different then in aws-cdk-lib (#36201) (5858006), closes #36210
• mixins-preview: strongly-typed ConstructSelector interface (#36266) (1d2f473)

2.231.0-alpha.0 (2025-12-01)

Features

... (truncated)

Commits

• 1c10d49 fix: RuntimeError: apiEndpoint is not configured on the imported HttpApi (r...
• 51ce93a chore: update analytics metadata blueprints
• f5892c6 chore: npm-check-updates && yarn upgrade (#36579)
• ffaccc0 chore(route53): reference interfaces (#36574)
• 46188f8 chore(codepipeline): reference interfaces (#36526)
• d43951a chore(appsync): reference interfaces (#36521)
• fefc7be chore(batch): reference interfaces (#36522)
• f7802a7 chore(secretsmanager): reference interfaces (#36576)
• f85be6f chore(inspector): reference interfaces (#36488)
• 9180ca6 chore(elasticloadbalancing): reference interfaces (#36533)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

pnpm-lock.yaml

Package	Version	License	Issue Type
@types/node	25.0.5	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@aws-cdk/asset-awscli-v1	2.2.258	Unknown	Unknown
npm/@aws-sdk/client-cloudformation	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/client-sso	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/core	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-env	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-http	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-ini	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-login	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-node	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-process	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-sso	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-web-identity	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/middleware-user-agent	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/nested-clients	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/token-providers	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/util-user-agent-node	3.966.0	🟢 5.1	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Vulnerabilities ⚠️ 0 27 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@smithy/core	3.20.2	Unknown	Unknown
npm/@smithy/middleware-endpoint	4.4.3	Unknown	Unknown
npm/@smithy/middleware-retry	4.4.19	Unknown	Unknown
npm/@smithy/smithy-client	4.10.4	Unknown	Unknown
npm/@smithy/util-defaults-mode-browser	4.3.18	Unknown	Unknown
npm/@smithy/util-defaults-mode-node	4.2.21	Unknown	Unknown
npm/@stylistic/eslint-plugin	5.7.0	Unknown	Unknown
npm/@types/node	25.0.5	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/@types/node	25.0.6	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/aws-cdk-lib	2.234.1	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid Dockerfile License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 0 23 existing vulnerabilities detected
npm/eslint-visitor-keys	5.0.0	Unknown	Unknown
npm/espree	11.0.0	Unknown	Unknown
npm/@types/node	^25.0.5	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/aws-cdk-lib	^2.234.1	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid Dockerfile License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed Vulnerabilities ⚠️ 0 23 existing vulnerabilities detected

Scanned Files

• pnpm-lock.yaml
• test/package.json