Bump the npm group across 2 directories with 6 updates

[dependabot]

Bumps the npm group with 6 updates in the / directory:

Package	From	To
@aws-sdk/client-cloudformation	3.1045.0	3.1048.0
@types/node	24.12.4	25.8.0
eslint	10.3.0	10.4.0
vite	8.0.12	8.0.13
aws-cdk-lib	2.253.1	2.254.0
aws-cdk	2.1121.0	2.1122.0

Bumps the npm group with 3 updates in the /test directory: @types/node, aws-cdk-lib and aws-cdk.

Updates @aws-sdk/client-cloudformation from 3.1045.0 to 3.1048.0

Release notes

Sourced from @​aws-sdk/client-cloudformation's releases.

v3.1048.0

3.1048.0(2026-05-15)

Chores

• packages: update import paths (#8024) (901b75a1)
• codegen:
  • updated import sources for aws-sdk core (#8015) (1af90474)
  • sync for browser bundle fixes (#8022) (eabae7d8)
• core/client: consolidate packages into core/client (#8010) (832d9e76)

New Features

• clients: update client endpoints as of 2026-05-15 (4aa76bd0)
• client-mediapackagev2: This release adds support for AvailabilityStartTimeConfiguration in MediaPackageV2 DASH manifests (6c8a84d4)
• client-partnercentral-selling: Enable TCV intake on Opportunity to improve Opportunities Hygiene and downstream revenue attribution. (d68a75c4)
• client-cloudwatch-logs: Updating the max limit for start query api parameter. (931876e1)

---

For list of updated packages, view updated-packages.md in assets-3.1048.0.zip

v3.1047.0

3.1047.0(2026-05-14)

Chores

• upgrade fast-xml-parser to 5.7.3 (#8021) (b2aae04e)

New Features

• clients: update client endpoints as of 2026-05-14 (3505575d)
• client-glue: Release --has-databases parameter for AWS Glue get-catalogs API, which filters catalog responses to include only those capable of containing databases, excluding parent catalogs that hold only other catalogs. Remove model-level validation on partition index list size for AWS Glue tables. (e2b076ee)
• client-database-migration-service: Add 9 SDK waiters for DMS Schema Conversion async operations. Eliminates manual polling for import, assessment, conversion, export, and creation jobs. (32d372e7)
• client-mgn: Introducing new option for security groups mapping - with MAP-DHCP the service translates security rules from your source environment with DHCP compatibility. (27c07049)
• client-bedrock: Advanced Prompt Optimization (AdvPO) allows you to optimize and migrate your prompts for any model on Bedrock by automatically evaluating responses and rewriting prompts to improve performance. This release provides a programmatic way to create, get, list, stop, and delete AdvPO jobs. (7e479fde)
• client-cloudfront: Adding a new boolean for OCSP Revocations in Viewer mTLS Create and Update APIs, and adding a new 'Passthrough' option for TrustStore modes (ee96afaa)
• client-datazone: Adds support for SageMaker Unified Studio notebook operations, including notebook import and export (383f4ea2)
• client-qconnect: ListModels is an API that returns the available AI models for a Connect Assistant based on its region and AI prompt type. (0d6d7ec3)
• client-grafana: Adds support for dual-stack (IPv4 and IPv6) connectivity to Amazon Managed Grafana workspaces. Customers can configure the ipAddressType parameter when creating or updating a workspace to choose between IPv4-only or dual-stack (IPv4 and IPv6) access. (1184c5e5)

---

For list of updated packages, view updated-packages.md in assets-3.1047.0.zip

v3.1046.0

3.1046.0(2026-05-14)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-cloudformation's changelog.

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/client-cloudformation

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-cloudformation

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-cloudformation

Commits

• 313813d Publish v3.1048.0
• 1af9047 chore(codegen): updated import sources for aws-sdk core (#8015)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• acffbf9 chore: update smithy/core imports (#7979)
• See full diff in compare view

Updates @types/node from 24.12.4 to 25.8.0

Commits

• See full diff in compare view

Updates eslint from 10.3.0 to 10.4.0

Release notes

Sourced from eslint's releases.

v10.4.0

Features

• 1a45ec5 feat: check sequence expressions in for-direction (#20701) (kuldeep kumar)
• 450040b feat: add includeIgnoreFile() to eslint/config (#20735) (Kirk Waiblinger)

Bug Fixes

• 544c0c3 fix: escape code path DOT labels in debug output (#20866) (Pixel998)
• 6799431 fix: update dependency @​eslint/config-helpers to ^0.6.0 (#20850) (renovate[bot])
• f078fef fix: handle non-array deprecated rule replacements (#20825) (xbinaryx)

Documentation

• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869) (Pavel)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865) (Kirk Waiblinger)
• 9084664 docs: Update README (GitHub Actions Bot)
• 9cc7387 docs: Update README (GitHub Actions Bot)
• 3d7b548 docs: Update README (GitHub Actions Bot)
• 191ec3c docs: Update README (GitHub Actions Bot)

Chores

• 6616856 chore: upgrade knip to v6 (#20875) (Pixel998)
• d13b084 ci: ensure auto-created PRs run CI (#20860) (lumir)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862) (dependabot[bot])
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863) (kuldeep kumar)
• 24db8cb test: add tests for SuppressionsService.save() (#20802) (kuldeep kumar)
• 2ef0549 chore: update ecosystem plugins (#20857) (github-actions[bot])
• a429791 ci: remove eslint-webpack-plugin types integration test (#20668) (Milos Djermanovic)
• 9e37386 chore: replace recast with range approach in code-sample-minimizer (#20682) (Copilot)
• 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#20845) (Francesco Trotta)
• 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#20716) (Pixel998)
• 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#20800) (xbinaryx)
• f1dfbc9 chore: update ecosystem plugins (#20836) (github-actions[bot])
• c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#20843) (dependabot[bot])
• 5b817d6 test: add unit tests for lib/shared/ast-utils (#20838) (kuldeep kumar)
• 1c13ae3 test: add unit tests for lib/shared/severity (#20835) (kuldeep kumar)

Commits

• 452c401 10.4.0
• b6417e8 Build: changelog update for 10.4.0
• 6616856 chore: upgrade knip to v6 (#20875)
• d13b084 ci: ensure auto-created PRs run CI (#20860)
• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862)
• 544c0c3 fix: escape code path DOT labels in debug output (#20866)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865)
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863)
• 9084664 docs: Update README
• Additional commits viewable in compare view

Updates vite from 8.0.12 to 8.0.13

Release notes

Sourced from vite's releases.

v8.0.13

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.13 (2026-05-14)

Features

• bundled-dev: add lazy bundling support (#21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
• update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
• make isBundled per environment (#22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#22430) (6ea3838)
• update changelog (#22413) (fcdc87c)

Commits

• a46f11a release: v8.0.13
• d9b18e0 fix(ssr): avoid rewriting labels that collide with imports (#22451)
• 4f0949f feat(bundled-dev): add lazy bundling support (#21406)
• 158e8ae fix(build): copy public directory after building same environment with `write...
• 47071ce feat(optimizer): improve the esbuild plugin converter to pass some properties...
• 8e59c97 fix(css): keep deprecated name/originalFileName in synthetic `assetFileNa...
• a576326 fix: make isBundled per environment (#22257)
• 8c766a6 feat: update rolldown to 1.0.1 (#22444)
• b7edcb7 fix(css): await sass/less/styl worker disposal on teardown (fix #22274) (#22275)
• fcdc87c chore: update changelog (#22413)
• Additional commits viewable in compare view

Updates aws-cdk-lib from 2.253.1 to 2.254.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.254.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-elasticache: AWS::ElastiCache::CacheCluster: Id attribute removed. aws-sagemaker: AWS::SageMaker::Model: Id attribute removed. aws-vpclattice: AWS::VpcLattice::AuthPolicy: State attribute enum values changed from ACTIVE|INACTIVE to Active|Inactive.

Features

• update L1 CloudFormation resource definitions (#37826) (fb4197e)
• cloudwatch: add PromQL Alarm L2 construct (#37793) (13a4924)
• core: PropertyMergeStrategy now supports array merge strategies (#37841) (701305d)
• core: plugin violations can be suppressed (#37808) (a47ad39), closes #37781
• core: weak cross environment references (#37800) (fe23dce)
• core: weak cross-stack references in the same environment (#37824) (167ff3c)
• dynamodb: resource policies for streams (#37254) (7e5679c)
• lambda: add SQS provisionedPollerConfig support with validation and fix type mismatch (#37550) (086738b), closes #37197 aws/aws-cdk#37197 #37197
• ses: auto email validation for configuration sets (#36679) (3a58641)

Bug Fixes

• file fingerprinting is now ~33% faster (#37802) (b871018)
• core: "exports cannot be updated" for cross-region references (#37790) (af11f00)
• rds: add lower bound validation for ClusterInstance promotionTier (#37519) (16c0a29), closes #37518
• s3deploy: empty sources leads to deployment error (#37786) (d28ad30)
• bundled jsonschema in @​aws-cdk/cloud-assembly-api causes ELSPROBLEMS (#37774) (64651d3), closes #37756

---

Alpha modules (2.254.0-alpha.0)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.254.0-alpha.0 (2026-05-13)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

2.253.1-alpha.0 (2026-05-08)

2.253.0-alpha.0 (2026-05-06)

Features

• bedrock-agentcore-alpha: add OnlineEvaluationConfig and Evaluator L2 constructs (#37615) (c13de04), closes #37614
• glue-alpha: add extraPythonFiles support to PythonShellJob (#37130) (c9c6f9c), closes #34448

Bug Fixes

• bedrock-agentcore-alpha: self-managed memory strategy validation throws on unresolved tokens (#37691) (7956537), closes #37197

2.252.0-alpha.0 (2026-04-29)

2.251.0-alpha.0 (2026-04-24)

Features

• bedrock-agentcore-alpha: add L2 constructs for policy and policy engine (#37238) (1e89e7e)
• bedrock-agentcore-alpha: add observability configuration for Runtime (#36689) (34b43aa), closes #36596
• bedrock-agentcore-alpha: support No Authorization for AgentCore Gateway (#36610) (f20bd8e)
• dsql-alpha: initial L2 construct (#34599) (be1a458), closes #34593

2.250.0-alpha.0 (2026-04-14)

2.249.0-alpha.0 (2026-04-10)

... (truncated)

Commits

• b1864c9 chore: update analytics metadata blueprints
• c9faa87 chore(release): 2.254.0
• fb4197e feat: update L1 CloudFormation resource definitions (#37826)
• 086738b feat(lambda): add SQS provisionedPollerConfig support with validation and fix...
• 69d6457 refactor(core): unify validation plugin execution into single loop (#37809)
• 13a4924 feat(cloudwatch): add PromQL Alarm L2 construct (#37793)
• 2fbe65a chore(docs): put feature flags in alphabetical order in cdk.json section of...
• 701305d feat(core): PropertyMergeStrategy now supports array merge strategies (#37841)
• 3a58641 feat(ses): auto email validation for configuration sets (#36679)
• be82355 chore: remove dead code (#37830)
• Additional commits viewable in compare view

Updates aws-cdk from 2.1121.0 to 2.1122.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1122.0

2.1122.0 (2026-05-14)

Features

• CLI send in performance profile if emitted by app (#1478) (1ea1ae7)
• deps: upgrade aws-cdk-lib (#1481) (d007567)
• deps: upgrade aws-cdk-lib (#1493) (36cbfd3)
• deps: upgrade aws-cdk-lib (#1509) (bf04a33)

Bug Fixes

• remove uuid dependency in favor of node:crypto (#1511) (85751e5)

Commits

• c8f270c chore(deps): fix release workflow and upgrade dependencies (#1513)
• 85751e5 fix: remove uuid dependency in favor of node:crypto (#1511)
• d5f6022 refactor(toolkit-lib): use stack/changeset ARNs for CloudFormation API calls ...
• bf04a33 feat(deps): upgrade aws-cdk-lib (#1509)
• 1ea1ae7 feat: CLI send in performance profile if emitted by app (#1478)
• 19f694d chore(cli): feature flags in alphabetical order in cdk.json when using `cdk...
• 36cbfd3 feat(deps): upgrade aws-cdk-lib (#1493)
• 844ef2f chore(deps): bump @​aws-sdk/client-lambda from 3.1036.0 to 3.1041.0 (#1498)
• fe2b51f chore(deps): bump @​aws-sdk/client-s3 from 3.1036.0 to 3.1041.0 (#1497)
• dd9588f chore(deps): bump @​aws-sdk/client-secrets-manager from 3.1036.0 to 3.1041.0 (...
• Additional commits viewable in compare view

Updates @types/node from 24.12.4 to 25.8.0

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.253.1 to 2.254.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.254.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-elasticache: AWS::ElastiCache::CacheCluster: Id attribute removed. aws-sagemaker: AWS::SageMaker::Model: Id attribute removed. aws-vpclattice: AWS::VpcLattice::AuthPolicy: State attribute enum values changed from ACTIVE|INACTIVE to Active|Inactive.

Features

• update L1 CloudFormation resource definitions (#37826) (fb4197e)
• cloudwatch: add PromQL Alarm L2 construct (#37793) (13a4924)
• core: PropertyMergeStrategy now supports array merge strategies (#37841) (701305d)
• core: plugin violations can be suppressed (#37808) (a47ad39), closes #37781
• core: weak cross environment references (#37800) (fe23dce)
• core: weak cross-stack references in the same environment (#37824) (167ff3c)
• dynamodb: resource policies for streams (#37254) (7e5679c)
• lambda: add SQS provisionedPollerConfig support with validation and fix type mismatch (#37550) (086738b), closes #37197 aws/aws-cdk#37197 #37197
• ses: auto email validation for configuration sets (#36679) (3a58641)

Bug Fixes

• file fingerprinting is now ~33% faster (#37802) (b871018)
• core: "exports cannot be updated" for cross-region references (#37790) (af11f00)
• rds: add lower bound validation for ClusterInstance promotionTier (#37519) (16c0a29), closes #37518
• s3deploy: empty sources leads to deployment error (#37786) (d28ad30)
• bundled jsonschema in @​aws-cdk/cloud-assembly-api causes ELSPROBLEMS (#37774) (64651d3), closes #37756

---

Alpha modules (2.254.0-alpha.0)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.254.0-alpha.0 (2026-05-13)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

2.253.1-alpha.0 (2026-05-08)

2.253.0-alpha.0 (2026-05-06)

Features

• bedrock-agentcore-alpha: add OnlineEvaluationConfig and Evaluator L2 constructs (#37615) (c13de04), closes #37614
• glue-alpha: add extraPythonFiles support to PythonShellJob (#37130) (c9c6f9c), closes #34448

Bug Fixes

• bedrock-agentcore-alpha: self-managed memory strategy validation throws on unresolved tokens (#37691) (7956537), closes #37197

2.252.0-alpha.0 (2026-04-29)

2.251.0-alpha.0 (2026-04-24)

Features

• bedrock-agentcore-alpha: add L2 constructs for policy and policy engine (#37238) (1e89e7e)
• bedrock-agentcore-alpha: add observability configuration for Runtime (#36689) (34b43aa), closes #36596
• bedrock-agentcore-alpha: support No Authorization for AgentCore Gateway (#36610) (f20bd8e)
• dsql-alpha: initial L2 construct (#34599) (be1a458), closes #34593

2.250.0-alpha.0 (2026-04-14)

2.249.0-alpha.0 (2026-04-10)

... (truncated)

Commits

• b1864c9 chore: update analytics metadata blueprints
• c9faa87 chore(release): 2.254.0
• fb4197e feat: update L1 CloudFormation resource definitions (#37826)
• 086738b feat(lambda): add SQS provisionedPollerConfig support with validation and fix...
• 69d6457 refactor(core): unify validation plugin execution into single loop (#37809)
• 13a4924 feat(cloudwatch): add PromQL Alarm L2 construct (#37793)
• 2fbe65a chore(docs): put feature flags in alphabetical order in cdk.json section of...
• 701305d feat(core): PropertyMergeStrategy now supports array merge strategies (#37841)
• 3a58641 feat(ses): auto email validation for configuration sets (#36679)
• be82355 chore: remove dead code (#37830)
• Additional commits viewable in compare view

Updates aws-cdk from 2.1121.0 to 2.1122.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1122.0

2.1122.0 (2026-05-14)

Features

• CLI send in performance profile if emitted by app (#1478) (1ea1ae7)
• deps: upgrade aws-cdk-lib (#1481) (d007567)
• deps: upgrade aws-cdk-lib (#1493) (36cbfd3)
• deps: upgrade aws-cdk-lib (#1509) (bf04a33)

Bug Fixes

• remove uuid dependency in favor of node:crypto (#1511) (85751e5)

Commits

• c8f270c chore(deps): fix release workflow and upgrade dependencies (#1513)
• 85751e5 fix: remove uuid dependency in favor of node:crypto (#1511)
• d5f6022 refactor(toolkit-lib): use stack/changeset ARNs for CloudFormation API calls ...
• bf04a33 feat(deps): upgrade aws-cdk-lib (#1509)
• 1ea1ae7 feat: CLI send in performance profile if emitted by app (#1478)
• 19f694d chore(cli): feature flags in alphabetical order in cdk.json when using `cdk...
• 36cbfd3 feat(deps): upgrade aws-cdk-lib (#1493)
• 844ef2f chore(deps): bump @​aws-sdk/client-lambda from 3.1036.0 to 3.1041.0 (#1498)
• fe2b51f chore(deps): bump @​aws-sdk/client-s3 from 3.1036.0 to 3.1041.0 (#1497)
• dd9588f chore(deps): bump @​aws-sdk/client-secrets-manager from 3.1036.0 to 3.1041.0 (...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

test/package.json

Package	Version	License	Issue Type
aws-cdk-lib	^2.254.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@types/node	^25.8.0	Unknown	Unknown
npm/@aws-cdk/asset-node-proxy-agent-v6	2.1.2	Unknown	Unknown
npm/@aws-cdk/cloud-assembly-schema	53.24.0	Unknown	Unknown
npm/@aws-sdk/client-cloudformation	3.1048.0	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/core	3.974.11	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-env	3.972.37	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-http	3.972.39	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-ini	3.972.41	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-login	3.972.41	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-node	3.972.42	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-process	3.972.37	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-sso	3.972.41	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/credential-provider-web-identity	3.972.41	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/nested-clients	3.997.9	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/signature-v4-multi-region	3.996.27	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/token-providers	3.1048.0	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@aws-sdk/xml-builder	3.972.24	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/@eslint/config-helpers	0.6.0	Unknown	Unknown
npm/@oxc-project/types	0.130.0	Unknown	Unknown
npm/@rolldown/binding-android-arm64	1.0.1	Unknown	Unknown
npm/@rolldown/binding-darwin-arm64	1.0.1	Unknown	Unknown
npm/@rolldown/binding-darwin-x64	1.0.1	Unknown	Unknown
npm/@rolldown/binding-freebsd-x64	1.0.1	Unknown	Unknown
npm/@rolldown/binding-linux-arm-gnueabihf	1.0.1	Unknown	Unknown
npm/@rolldown/binding-linux-arm64-gnu	1.0.1	Unknown	Unknown
npm/@rolldown/binding-linux-arm64-musl	1.0.1	Unknown	Unknown
npm/@rolldown/binding-linux-ppc64-gnu	1.0.1	Unknown	Unknown
npm/@rolldown/binding-linux-s390x-gnu	1.0.1	Unknown	Unknown
npm/@rolldown/binding-linux-x64-gnu	1.0.1	Unknown	Unknown
npm/@rolldown/binding-linux-x64-musl	1.0.1	Unknown	Unknown
npm/@rolldown/binding-openharmony-arm64	1.0.1	Unknown	Unknown
npm/@rolldown/binding-wasm32-wasi	1.0.1	Unknown	Unknown
npm/@rolldown/binding-win32-arm64-msvc	1.0.1	Unknown	Unknown
npm/@rolldown/binding-win32-x64-msvc	1.0.1	Unknown	Unknown
npm/@rolldown/pluginutils	1.0.1	Unknown	Unknown
npm/@smithy/core	3.24.3	Unknown	Unknown
npm/@smithy/credential-provider-imds	4.3.3	Unknown	Unknown
npm/@smithy/fetch-http-handler	5.4.3	Unknown	Unknown
npm/@smithy/node-http-handler	4.7.3	Unknown	Unknown
npm/@smithy/signature-v4	5.4.3	Unknown	Unknown
npm/@smithy/types	4.14.2	Unknown	Unknown
npm/aws-cdk	2.1122.0	Unknown	Unknown
npm/aws-cdk-lib	2.254.0	🟢 5.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid Dockerfile Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Security-Policy 🟢 10 security policy file detected Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed
npm/brace-expansion	5.0.6	🟢 6.3	Details Check Score Reason Code-Review ⚠️ 2 Found 7/24 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 16 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/eslint	10.4.0	🟢 6.4	Details Check Score Reason Code-Review 🟢 7 Found 17/22 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits
npm/fast-xml-parser	5.7.3	🟢 5.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 28 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
npm/rolldown	1.0.1	Unknown	Unknown
npm/vite	8.0.13	🟢 6.7	Details Check Score Reason Code-Review 🟢 8 Found 20/25 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 5 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 5 binaries present in source code Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 4 SAST tool is not run on all commits -- score normalized to 4
npm/@types/node	^25.8.0	Unknown	Unknown
npm/aws-cdk	^2.1122.0	Unknown	Unknown
npm/aws-cdk-lib	^2.254.0	Unknown	Unknown

Scanned Files

• package.json
• pnpm-lock.yaml
• test/package.json