Bump the npm group across 2 directories with 3 updates

[dependabot]

Bumps the npm group with 3 updates in the / directory: @types/node, aws-cdk-lib and aws-cdk.
Bumps the npm group with 3 updates in the /test directory: @types/node, aws-cdk-lib and aws-cdk.

Updates @types/node from 24.12.4 to 25.9.1

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.254.0 to 2.255.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.255.0

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37843) (ea33967)
• bedrockagentcore: graduate to stable 🚀 (#37876) (00cf601)
• core: builtin PropertyMergeStrategys are now compatible with deferred Box values (#37844) (ca4b722)
• core: persist asset fingerprinting cache (#37822) (605a776)
• ec2: add C8A instance type support (#36736) (0d088ca), closes #36722

Bug Fixes

• core: cached Lazys use the Box API internally (#37889) (464fa3d)
• core: default stack trace size adds unnecessary overhead (#37827) (0b1fb2b)
• core: share a single IAM role across cross-account Fn::GetStackOutput consumers (#37871) (fee8b90)
• dynamodb: remove deprecated scope for stream grants (#36680) (570d552), closes #36289
• iam: validate PolicyStatement SID is alphanumeric for identity policies (#36150) (a7edd72), closes #34819 #34828 #34819

---

Alpha modules (2.255.0-alpha.0)

Features

• bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.257.0-alpha.0 (2026-05-21)

2.256.1-alpha.0 (2026-05-20)

2.256.0-alpha.0 (2026-05-19)

2.255.0-alpha.0 (2026-05-18)

Features

• bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

2.254.0-alpha.0 (2026-05-13)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

2.253.1-alpha.0 (2026-05-08)

2.253.0-alpha.0 (2026-05-06)

Features

• bedrock-agentcore-alpha: add OnlineEvaluationConfig and Evaluator L2 constructs (#37615) (c13de04), closes #37614
• glue-alpha: add extraPythonFiles support to PythonShellJob (#37130) (c9c6f9c), closes #34448

Bug Fixes

• bedrock-agentcore-alpha: self-managed memory strategy validation throws on unresolved tokens (#37691) (7956537), closes #37197

2.252.0-alpha.0 (2026-04-29)

2.251.0-alpha.0 (2026-04-24)

... (truncated)

Commits

• 45b8157 chore: revert "feat(aws-cdk-lib): emits performance counters if synthesis is ...
• beb0bf0 chore: update analytics metadata blueprints
• 00cf601 feat(bedrockagentcore): graduate to stable 🚀 (#37876)
• 0d088ca feat(ec2): add C8A instance type support (#36736)
• 464fa3d fix(core): cached Lazys use the Box API internally (#37889)
• ea33967 feat(aws-cdk-lib): emits performance counters if synthesis is slow (#37843)
• 65a36c5 docs(ec2): remove developer preview mention (#37846)
• fee8b90 fix(core): share a single IAM role across cross-account Fn::GetStackOutput co...
• 0ca0835 docs: document new understanding of failing resource deletes (#37886)
• ea769d4 Merge branch 'main' into merge-back/2.254.0
• Additional commits viewable in compare view

Updates aws-cdk from 2.1122.0 to 2.1123.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1123.0

2.1123.0 (2026-05-19)

Features

• cli: add --region as a global CLI option (#1506) (ae2349b), closes #928
• cli: warn on unrecognized CLI options (#1514) (abd4f4c)

Bug Fixes

• cloud-assembly-api: widen jsonschema range to fix npm ci on npm 11 (#1529) (de82699), closes #61 #37721 #61

Commits

• de82699 fix(cloud-assembly-api): widen jsonschema range to fix npm ci on npm 11 (#1529)
• abd4f4c feat(cli): warn on unrecognized CLI options (#1514)
• 319e3a8 chore(deps): bump @​aws-sdk/client-appsync from 3.1041.0 to 3.1045.0 (#1520)
• 9165482 chore(deps): upgrade dependencies (#1518)
• ae2349b feat(cli): add --region as a global CLI option (#1506)
• See full diff in compare view

Updates @types/node from 24.12.4 to 25.9.1

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.254.0 to 2.255.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.255.0

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37843) (ea33967)
• bedrockagentcore: graduate to stable 🚀 (#37876) (00cf601)
• core: builtin PropertyMergeStrategys are now compatible with deferred Box values (#37844) (ca4b722)
• core: persist asset fingerprinting cache (#37822) (605a776)
• ec2: add C8A instance type support (#36736) (0d088ca), closes #36722

Bug Fixes

• core: cached Lazys use the Box API internally (#37889) (464fa3d)
• core: default stack trace size adds unnecessary overhead (#37827) (0b1fb2b)
• core: share a single IAM role across cross-account Fn::GetStackOutput consumers (#37871) (fee8b90)
• dynamodb: remove deprecated scope for stream grants (#36680) (570d552), closes #36289
• iam: validate PolicyStatement SID is alphanumeric for identity policies (#36150) (a7edd72), closes #34819 #34828 #34819

---

Alpha modules (2.255.0-alpha.0)

Features

• bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.257.0-alpha.0 (2026-05-21)

2.256.1-alpha.0 (2026-05-20)

2.256.0-alpha.0 (2026-05-19)

2.255.0-alpha.0 (2026-05-18)

Features

• bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

2.254.0-alpha.0 (2026-05-13)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

2.253.1-alpha.0 (2026-05-08)

2.253.0-alpha.0 (2026-05-06)

Features

• bedrock-agentcore-alpha: add OnlineEvaluationConfig and Evaluator L2 constructs (#37615) (c13de04), closes #37614
• glue-alpha: add extraPythonFiles support to PythonShellJob (#37130) (c9c6f9c), closes #34448

Bug Fixes

• bedrock-agentcore-alpha: self-managed memory strategy validation throws on unresolved tokens (#37691) (7956537), closes #37197

2.252.0-alpha.0 (2026-04-29)

2.251.0-alpha.0 (2026-04-24)

... (truncated)

Commits

• 45b8157 chore: revert "feat(aws-cdk-lib): emits performance counters if synthesis is ...
• beb0bf0 chore: update analytics metadata blueprints
• 00cf601 feat(bedrockagentcore): graduate to stable 🚀 (#37876)
• 0d088ca feat(ec2): add C8A instance type support (#36736)
• 464fa3d fix(core): cached Lazys use the Box API internally (#37889)
• ea33967 feat(aws-cdk-lib): emits performance counters if synthesis is slow (#37843)
• 65a36c5 docs(ec2): remove developer preview mention (#37846)
• fee8b90 fix(core): share a single IAM role across cross-account Fn::GetStackOutput co...
• 0ca0835 docs: document new understanding of failing resource deletes (#37886)
• ea769d4 Merge branch 'main' into merge-back/2.254.0
• Additional commits viewable in compare view

Updates aws-cdk from 2.1122.0 to 2.1123.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1123.0

2.1123.0 (2026-05-19)

Features

• cli: add --region as a global CLI option (#1506) (ae2349b), closes #928
• cli: warn on unrecognized CLI options (#1514) (abd4f4c)

Bug Fixes

• cloud-assembly-api: widen jsonschema range to fix npm ci on npm 11 (#1529) (de82699), closes #61 #37721 #61

Commits

• de82699 fix(cloud-assembly-api): widen jsonschema range to fix npm ci on npm 11 (#1529)
• abd4f4c feat(cli): warn on unrecognized CLI options (#1514)
• 319e3a8 chore(deps): bump @​aws-sdk/client-appsync from 3.1041.0 to 3.1045.0 (#1520)
• 9165482 chore(deps): upgrade dependencies (#1518)
• ae2349b feat(cli): add --region as a global CLI option (#1506)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

test/package.json

Package	Version	License	Issue Type
aws-cdk-lib	^2.255.0	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
npm/@types/node	^25.9.1	Unknown	Unknown
npm/@aws-cdk/cloud-assembly-schema	53.27.0	Unknown	Unknown
npm/aws-cdk	2.1123.0	Unknown	Unknown
npm/aws-cdk-lib	2.255.0	🟢 5.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid Dockerfile Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST 🟢 9 SAST tool detected but not run on all commits Binary-Artifacts ⚠️ 0 binaries present in source code Fuzzing 🟢 10 project is fuzzed
npm/@types/node	^25.9.1	Unknown	Unknown
npm/aws-cdk	^2.1123.0	Unknown	Unknown
npm/aws-cdk-lib	^2.255.0	Unknown	Unknown

Scanned Files

• package.json
• pnpm-lock.yaml
• test/package.json