Bump the npm group across 2 directories with 3 updates

[dependabot]

Bumps the npm group with 3 updates in the / directory: @aws-sdk/client-cloudformation, @types/node and aws-cdk-lib.
Bumps the npm group with 2 updates in the /test directory: @types/node and aws-cdk-lib.

Updates @aws-sdk/client-cloudformation from 3.1036.0 to 3.1037.0

Release notes

Sourced from @​aws-sdk/client-cloudformation's releases.

v3.1037.0

3.1037.0(2026-04-24)

New Features

• clients: update client endpoints as of 2026-04-24 (ca3df2be)
• client-evs: EVS now supports i7i.metal-24xl EC2 bare metal instance type, delivering high random IOPS performance with real-time latency, ideal for IO intensive and latency-sensitive workloads such as transactional databases, real-time analytics, and AI ML pre-processing. (fd92ee48)
• client-cloudwatch-logs: Adding nextToken and maxItems to the GetQueryResults API. (1a5ef619)
• client-transfer: AWS Transfer Family now support configurable IP address types for Web Apps of type VPC, enabling customers to select IPv4-only or dual-stack (IPv4 and IPv6) configurations based on their network requirements. (f2a72a85)
• client-bedrock-agentcore-control: Added support for configuring identity providers and inbound authorizers within a private VPC for AWS Bedrock AgentCore, enabling secure network connection without public internet access (a0bf24cd)
• client-connect: Amazon Connect is expanding attachment capabilities to give customers greater flexibility and control. Currently limited to predefined file types, the new feature will allow contact center administrators to customize which file extensions and sizes are supported across chat, email, tasks, and cases. (7e987e88)
• client-connecthealth: Corrected CreateWebAppConfiguration documentation. Adding slash as an allowed character for the Ambient documentation agent to allow pronoun specifications. (c21882c4)

Bug Fixes

• client-kinesis: tolerance for flaky H2 session ordering assertion in E2E test (#7959) (58734960)

---

For list of updated packages, view updated-packages.md in assets-3.1037.0.zip

Changelog

Sourced from @​aws-sdk/client-cloudformation's changelog.

3.1037.0 (2026-04-24)

Note: Version bump only for package @​aws-sdk/client-cloudformation

Commits

• 7babd8b Publish v3.1037.0
• See full diff in compare view

Updates @types/node from 24.12.2 to 25.6.0

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.250.0 to 2.251.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.251.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-elasticloadbalancing: AWS::ElasticLoadBalancing::LoadBalancer: SourceSecurityGroup attribute removed. aws-elasticloadbalancing: AWS::ElasticLoadBalancing::LoadBalancer: PolicyItem type removed. aws-elasticloadbalancing: AWS::ElasticLoadBalancing::LoadBalancer: SourceSecurityGroup type removed.

Features

• update L1 CloudFormation resource definitions (#37684) (9e6c2ef)
• lambda: add ruby 4.0 runtime (#37650) (04d4337)
• update L1 CloudFormation resource definitions (#37644) (e64f943)
• core: Validations class is the new way to add validation plugins to CDK Apps (#37611) (95696b4), closes #37613
• core: graduate policyValidationBeta1 interfaces to policyValidation (#37613) (8c613cf)
• ecs: support for service connect access log configuration (#36067) (5ad1c06)
• route53: accelerated recovery for public hosted zone (#36358) (f1b7b03)
• synthetics: support canary group (#35689) (20ccd31), closes #34043

Bug Fixes

• core: Stage.policyValidationBeta1 is mutable (#37612) (3c1faf1)
• core: construct creation stack traces are implicit (#37643) (5635c20)
• core: synth output is not valid YAML when using policy validation (#37597) (927dd60), closes #25331
• core: token stack traces expensively clutter --debug mode (#37642) (498c546)
• core: tree metadata does not contain logical ID (#37630) (284ab23)
• ec2: fixing vpc endpoint for eu-isoe-west-1 region (#37596) (555c930), closes #31690
• events-targets: make LogGroupTargetInput extend RuleTargetInput for JSII compatibility (#37451) (46dbc7a), closes #36733
• lambda: add Token.isUnresolved checks to provisioned poller config validation (#37197) (667ed30)
• stepfunctions-tasks: warn when CallAwsServiceCrossRegion endpoint is resolved from state input (#37646) (9fdf590)

---

Alpha modules (2.251.0-alpha.0)

Features

• bedrock-agentcore-alpha: add L2 constructs for policy and policy engine (#37238) (1e89e7e)
• bedrock-agentcore-alpha: add observability configuration for Runtime (#36689) (34b43aa), closes #36596
• bedrock-agentcore-alpha: support No Authorization for AgentCore Gateway (#36610) (f20bd8e)
• dsql-alpha: initial L2 construct (#34599) (be1a458), closes #34593

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.251.0-alpha.0 (2026-04-24)

Features

• bedrock-agentcore-alpha: add L2 constructs for policy and policy engine (#37238) (1e89e7e)
• bedrock-agentcore-alpha: add observability configuration for Runtime (#36689) (34b43aa), closes #36596
• bedrock-agentcore-alpha: support No Authorization for AgentCore Gateway (#36610) (f20bd8e)
• dsql-alpha: initial L2 construct (#34599) (be1a458), closes #34593

2.250.0-alpha.0 (2026-04-14)

2.249.0-alpha.0 (2026-04-10)

2.248.0-alpha.0 (2026-04-02)

2.247.0-alpha.0 (2026-04-02)

Features

• mediapackagev2-alpha: new L2 construct (#37279) (7debfb9)

2.246.0-alpha.0 (2026-03-31)

2.245.0-alpha.0 (2026-03-27)

Features

• s3tables-alpha: add support for partition spec, sort order, and table properties (#36811) (2696cd1)
• s3tables-alpha: add metrics configuration support for TableBucket (#37275) (e8786f5)
• s3tables-alpha: implement ITaggableV2 on TableBucket and Table L2 constructs (#37277) (69c8944), closes #33054

2.244.0-alpha.0 (2026-03-19)

Bug Fixes

• kinesisanalytics-flink-alpha: mark deprecated flink runtimes as deprecated (#37155) (0a89447)

2.243.0-alpha.0 (2026-03-11)

2.242.0-alpha.0 (2026-03-10)

... (truncated)

Commits

• 9e6c2ef feat: update L1 CloudFormation resource definitions (#37684)
• 9fdf590 fix(stepfunctions-tasks): warn when CallAwsServiceCrossRegion endpoint is res...
• 04d4337 feat(lambda): add ruby 4.0 runtime (#37650)
• 9fba04d chore: upgrade cloud-assembly-schema packages to fix build (#37677)
• e64f943 feat: update L1 CloudFormation resource definitions (#37644)
• 78fbcb3 chore(ec2): remove obsolete tslint directive from vpc.ts (#37532)
• 56656e8 chore(rds): add PostgreSQL 16.13 engine version (#37654)
• 20ccd31 feat(synthetics): support canary group (#35689)
• 95696b4 feat(core): Validations class is the new way to add validation plugins to C...
• 5635c20 fix(core): construct creation stack traces are implicit (#37643)
• Additional commits viewable in compare view

Updates @types/node from 24.12.2 to 25.6.0

Commits

• See full diff in compare view

Updates aws-cdk-lib from 2.250.0 to 2.251.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.251.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-elasticloadbalancing: AWS::ElasticLoadBalancing::LoadBalancer: SourceSecurityGroup attribute removed. aws-elasticloadbalancing: AWS::ElasticLoadBalancing::LoadBalancer: PolicyItem type removed. aws-elasticloadbalancing: AWS::ElasticLoadBalancing::LoadBalancer: SourceSecurityGroup type removed.

Features

• update L1 CloudFormation resource definitions (#37684) (9e6c2ef)
• lambda: add ruby 4.0 runtime (#37650) (04d4337)
• update L1 CloudFormation resource definitions (#37644) (e64f943)
• core: Validations class is the new way to add validation plugins to CDK Apps (#37611) (95696b4), closes #37613
• core: graduate policyValidationBeta1 interfaces to policyValidation (#37613) (8c613cf)
• ecs: support for service connect access log configuration (#36067) (5ad1c06)
• route53: accelerated recovery for public hosted zone (#36358) (f1b7b03)
• synthetics: support canary group (#35689) (20ccd31), closes #34043

Bug Fixes

• core: Stage.policyValidationBeta1 is mutable (#37612) (3c1faf1)
• core: construct creation stack traces are implicit (#37643) (5635c20)
• core: synth output is not valid YAML when using policy validation (#37597) (927dd60), closes #25331
• core: token stack traces expensively clutter --debug mode (#37642) (498c546)
• core: tree metadata does not contain logical ID (#37630) (284ab23)
• ec2: fixing vpc endpoint for eu-isoe-west-1 region (#37596) (555c930), closes #31690
• events-targets: make LogGroupTargetInput extend RuleTargetInput for JSII compatibility (#37451) (46dbc7a), closes #36733
• lambda: add Token.isUnresolved checks to provisioned poller config validation (#37197) (667ed30)
• stepfunctions-tasks: warn when CallAwsServiceCrossRegion endpoint is resolved from state input (#37646) (9fdf590)

---

Alpha modules (2.251.0-alpha.0)

Features

• bedrock-agentcore-alpha: add L2 constructs for policy and policy engine (#37238) (1e89e7e)
• bedrock-agentcore-alpha: add observability configuration for Runtime (#36689) (34b43aa), closes #36596
• bedrock-agentcore-alpha: support No Authorization for AgentCore Gateway (#36610) (f20bd8e)
• dsql-alpha: initial L2 construct (#34599) (be1a458), closes #34593

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.251.0-alpha.0 (2026-04-24)

Features

• bedrock-agentcore-alpha: add L2 constructs for policy and policy engine (#37238) (1e89e7e)
• bedrock-agentcore-alpha: add observability configuration for Runtime (#36689) (34b43aa), closes #36596
• bedrock-agentcore-alpha: support No Authorization for AgentCore Gateway (#36610) (f20bd8e)
• dsql-alpha: initial L2 construct (#34599) (be1a458), closes #34593

2.250.0-alpha.0 (2026-04-14)

2.249.0-alpha.0 (2026-04-10)

2.248.0-alpha.0 (2026-04-02)

2.247.0-alpha.0 (2026-04-02)

Features

• mediapackagev2-alpha: new L2 construct (#37279) (7debfb9)

2.246.0-alpha.0 (2026-03-31)

2.245.0-alpha.0 (2026-03-27)

Features

• s3tables-alpha: add support for partition spec, sort order, and table properties (#36811) (2696cd1)
• s3tables-alpha: add metrics configuration support for TableBucket (#37275) (e8786f5)
• s3tables-alpha: implement ITaggableV2 on TableBucket and Table L2 constructs (#37277) (69c8944), closes #33054

2.244.0-alpha.0 (2026-03-19)

Bug Fixes

• kinesisanalytics-flink-alpha: mark deprecated flink runtimes as deprecated (#37155) (0a89447)

2.243.0-alpha.0 (2026-03-11)

2.242.0-alpha.0 (2026-03-10)

... (truncated)

Commits

• 9e6c2ef feat: update L1 CloudFormation resource definitions (#37684)
• 9fdf590 fix(stepfunctions-tasks): warn when CallAwsServiceCrossRegion endpoint is res...
• 04d4337 feat(lambda): add ruby 4.0 runtime (#37650)
• 9fba04d chore: upgrade cloud-assembly-schema packages to fix build (#37677)
• e64f943 feat: update L1 CloudFormation resource definitions (#37644)
• 78fbcb3 chore(ec2): remove obsolete tslint directive from vpc.ts (#37532)
• 56656e8 chore(rds): add PostgreSQL 16.13 engine version (#37654)
• 20ccd31 feat(synthetics): support canary group (#35689)
• 95696b4 feat(core): Validations class is the new way to add validation plugins to C...
• 5635c20 fix(core): construct creation stack traces are implicit (#37643)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

test/package.json

Package	Version	License	Issue Type
aws-cdk-lib	^2.251.0	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
npm/@types/node	^25.6.0	Unknown	Unknown
npm/@aws-sdk/client-cloudformation	3.1037.0	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 2 Found 6/30 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/aws-cdk-lib	2.251.0	🟢 5.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ -1 internal error: internal error: invalid Dockerfile Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. Binary-Artifacts ⚠️ 0 binaries present in source code SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed
npm/@types/node	^25.6.0	Unknown	Unknown
npm/aws-cdk-lib	^2.251.0	Unknown	Unknown

Scanned Files

• package.json
• pnpm-lock.yaml
• test/package.json