chore(deps): update dependency aws-cdk-lib [security]

[cu-infra-svc-git]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aws-cdk-lib (source)	^2.95.1 -> ^2.178.1
aws-cdk-lib (source)	2.95.1 -> 2.177.0

GitHub Vulnerability Alerts

CVE-2025-23206

Impact

Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34.

However, the current tls.connect method will always set rejectUnauthorized: false which is a potential security concern. CDK should follow the best practice and set rejectUnauthorized: true. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag.

Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to a unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigate the MITM attack.

As a best practice, CDK should still fix this issue under a feature flag to avoid regression.

packages/@​aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts
❯❱ problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS
verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized
to false bypasses verification against the list of trusted CAs, which also leads to insecure
transport.

Patches

The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (Expected release date 2025-02-22).
Once upgraded, please make sure the feature flag '@​aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true in cdk.context.json or cdk.json. More details on feature flag setting is here.

Workarounds

N/A

References

https://github.com/aws/aws-cdk/issues/32920

---

Release Notes

aws/aws-cdk (aws-cdk-lib)

v2.178.1

Compare Source

Bug Fixes

• cli: sdk logging is always present even when not turned on (#​33324) (29a9a6d), closes #​33320
• custom-resource: provider framework lambda missing GetFunction permission (#​33315)

---

Alpha modules (2.178.1-alpha.0)

v2.178.0

Compare Source

Features

• apigateway: throw ValidationError instead of untyped errors (#​33075) (04efe6c), closes #​32569
• applicationautoscaling: throw ValidationError instead of untyped errors (#​33172) (abd4a3e), closes #​32569
• appmesh: throw ValidationError istead of untyped Errors (#​33245) (ba2f5c8), closes #​32569
• appsync: add L2 constructs for AWS AppSync Events (#​32505) (9ae1d34), closes #​32004
• appsync: throw ValidationError instead of untyped errors (#​33206) (ab9dd0a), closes #​32569
• bedrock: support Luma AI's Ray2 visual AI model (#​33163) (01abd83)
• cloudfront: add origin group selection criteria to L2 Distribution and L2 OriginGroup (#​32740) (1b35c4e)
• cognito: support password history size (#​33164) (988043e), closes #​33106
• cognito: throw ValidationError instead of untyped errors (#​33170) (ecbe1bf)
• custom-resource: update default node runtime to node20 for China and Gov regions (#​33112) (8c13cf2)
• dynamodb: add pointintimerecoveryspecification and deprecate old (#​33059) (aec64f0), closes #​32786
• ecs: ExternalService support daemon scheduling strategy (#​32630) (361c7d3), closes #​32538
• ecs: add tls property to a ServiceConnectService (#​32605) (d32baf6), closes #​32583
• ecs: support availability zone rebalancing (#​32263) (a8e2622), closes #​32226
• ecs: support container version consistency (#​32225) (37df0d2), closes #​32202
• ecs-patterns: add containerCpu and containerMemoryLimitMiB property to ApplicationLoadBalancedFargateService (#​30920) (4dd97bc), closes #​20638 #​20638
• elasticloadbalancingv2: support AdvertiseTrustStoreCaNames for mTLS (#​32678) (6a77e4f)
• kinesisfirehose: graduate to stable 🚀 (#​33296) (7aaac12)
• enable additional metadata collection (under feature flag) (#​33232) (6b9e47a), closes /github.com/aws/aws-cdk/pull/33232/files#diff-81f821b1205e7040fc3103bf7c0114060a6d5c43ebd2994aa4ed5906e42c9c5fR33
• metadata collection for construct methods (#​33292) (bc96ee1)
• throw ValidationError instead of untyped errors in L1s (#​33032) (1b666db), closes #​32569
• update L1 CloudFormation resource definitions (#​33191) (1beaf83)
• update L1 CloudFormation resource definitions (#​33272) (80073c8)
• lambda: latest versions for ADOT Lambda Layers (v0.115.0) (#​32783) (39e5578)
• rds: support Aurora PostgreSQL Limitless Database PostgreSQL 16.6 (#​33162) (111ffc2), closes /docs.aws.amazon.com/AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/limitless-updates.html#16
• sns: support high throughput mode for FIFO topics (#​33056) (bfa0f15)
• stepfunctions: add support JSONata and variables (#​32343) (0bb3d6f), closes #​32262 #​32262 /github.com/aws/aws-cdk/pull/32343#issuecomment-2524096740

Bug Fixes

• apigatewayv2: incorrect arn function causing unwanted behavior (#​33100) (ffe9863), closes #​33218
• batch: support cfn parameters for managed compute environment properties minvcpus, maxvcpus, and spotbidpercentage (#​32954) (5fef9e0), closes #​32905
• cli: array arguments in cdk.json are ignored (#​33107) (2eff2bd), closes #​32814
• custom-resources: incorrect IAM prefix generated for CloudWatch actions (#​33078) (c76f668), closes #​32968
• sns: topic policy is not created even if enforceSSL enabled (#​31569) (b3975c5), closes #​31558

---

Alpha modules (2.178.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• ec2-alpha: operatingRegion property under IPAM class is now renamed to operatingRegions.

Features

• ec2-alpha: ec2-alpha module is now in Developer Preview (#​33230) (a06f91a)
• ec2-alpha: add Transit Gateway L2 (#​32956) (af44791)
• eks-v2: new eks v2 alpha module (#​33215) (ccc9f5e)
• msk: support ServerlessCluster (#​32780) (86ce155), closes #​28709

Bug Fixes

• ec2-alpha: readme updates, new unit tests, logic update (#​33086) (bcb7f9b), closes #​30762

v2.177.0

Compare Source

Features

• apigatewayv2: throw ValidationError instead of untyped errors (#​33072) (8b472fc), closes #​32569
• apigatewayv2: throw ValidationError instead of untyped errors (#​33082) (5377586), closes #​32569
• apigatewayv2-authorizers: throw ValidationError instead of untyped errors (#​33076) (dd34d2e), closes #​32569
• bedrock: deprecate Claude 2, 2.1, Instant (#​33058) (c0ed449)
• cli: add --untrust option to bootstrap (#​33091) (4713bdd)
• cli: show all information from waiter errors (#​33035) (b512a72)
• cli: throw typed errors (#​33005) (bf81b3c), closes #​32548
• cloudfront-origins: list access level for 404 response (#​32059) (2b2443d), closes #​13983 #​31689
• cognito: managed login (#​33097) (188f52d)
• elbv2: throw ValidationError intsead of untyped errors (#​33111) (cc1988a), closes #​32569
• lambda: throw ValidationError instead of untyped errors (#​33033) (a928748), closes #​32569
• rds: throw ValidationError instead of untyped errors (#​33042) (0b2db62), closes #​32569
• route53: throw ValidationError instead of untyped errors (#​33110) (5e0f16d), closes #​32569
• s3: replicating objects (#​30966) (9d8a7e2), closes #​1680 /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrulefilter.html#cfn-s3 /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3 /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3
• s3: throw ValidationError instead of untyped errors (#​33031) (61e876b), closes #​32569
• s3: throw ValidationError instead of untyped errors (#​33109) (aea8f3b), closes #​32569
• sns: throw ValidationError instead of untyped errors (#​33045) (7452462), closes #​32569
• sqs: throw ValidationError instead of untyped errors (#​33046) (6469412), closes #​32569
• ssm: throw ValidationError instead of untyped errors (#​33067) (6677b33), closes #​32569
• synthetics: cleanup provisioned lambda and layers for canary (#​32738) (bdb4a59)
• synthetics: node playwright 1.0 and python selenium 4.1 runtime (#​32245) (d68020b), closes /docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html#CloudWatch_Synthetics_runtimeversion-syn-python-selenium-4
• synthetics: throw ValidationError instead of untyped errors (#​33079) (e4703c1), closes #​32569
• VpcV2: add BYOIP IPv6 to VPCv2 (#​32927) (93c95fc)
• update L1 CloudFormation resource definitions (#​33019) (e31924a), closes /docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseRoute53 /docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parseRoute53

Bug Fixes

• bundling: enclosing metafile & tsconfig paths with quotes (#​32725) (5410e10)
• cli: disallow import of internal cli libraries (#​33021) (e5ac918)
• cli: trace output (-vv) is useless when files are uploaded (#​33104) (d95add3)
• cloudfront: add validations on ResponseHeadersCorsBehavior.accessControlAllowMethods (#​32769) (4c42800)
• cx-api: cannot detect CloudAssembly across different libraries (#​32998) (94ba772), closes aws/aws-cdk#31041
• rds: does not print all failed validations for DatabaseCluster props (#​32841) (344d916), closes #​32840 #​32840 /github.com/aws/aws-cdk/pull/32151/files#diff-49b4a9e1bf0b7db3ab71f4f08580da0cb2191d84605dc82a70c324bd122d5cf7R805-R828 /github.com/aws/aws-cdk/pull/32841/files#diff-5d08d37e744e173239879212c59fd45cb9a279349f3dfb1c66923cb015ed3a3 /github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-ec2/lib/volume.ts#L672-L743 /github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/eventbridge-scheduler/create-schedule.ts#L324-L362 /github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-fsx/lib/lustre-file-system.ts#L360-L380
• sqs: does not print all failed validations for Queue props (#​33070) (b77e937), closes #​33098 #​33098
• update fetchOpenPullRequests method to pass organisation in github action workflow for prioritization (#​33073) (066cd4f)

---

Alpha modules (2.177.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• glue-alpha: Developers must refactor their existing Job
  instantiation method calls to choose the right job type and language,
  and use the new constants static values to define the associated Job
  configuration settings. See the RFC and/or new README for examples.

Description of how you validated changes

Increased unit test coverage to > 90%, consulted with Glue service team
on best practices and sane defaults, updated integration tests.

Features

• amplify-alpha: throw ValidationError instead of untyped errors (#​33141) (a7cd9eb), closes #​32569

Bug Fixes

• custom-resource-handlers: do not allow unauthorized connection for iam OIDC connection (under feature flag) (#​32921) (3e4f377), closes #​32920

Code Refactoring

• glue-alpha: Refactored glue-alpha L2 CDK construct RFC 0497 (#​32521) (1a18dc9)

v2.176.0

Compare Source

Features

• apigatewayv2-integrations: WebSocketMockIntegration props (#​30622) (a5a0168), closes #​29661
• codebuild: add new BuildImages (#​32525) (a734841)
• ecs: enable Enhanced Observability for Container Insights (#​32622) (79ab137), closes #​32618
• update L1 CloudFormation resource definitions (#​32847) (9317203)
• appconfig: environment deletion protection (#​32737) (393e5c0)

Bug Fixes

• cli: "no stack found in the main cloud assembly" (#​32839) (3c0acce), closes aws/aws-cdk#32636 #​32836 #​32836
• core: use correct formatting for aggregate errors in aws-cdk (#​32817) (97af31b), closes #​32237
• elasticloadbalancingv2: open, dual-stack-without-public-ipv4 ALB does not allow IPv6 inbound traffic (under feature flag) (#​32765) (aff160b), closes #​32197
• rds: clusterScailabilityType is spelled wrong and should be clusterScalabilityType (#​32825) (d39e835), closes #​32415 #​32415
• rds: incorrect version definition of MySQL 8.4.3 (#​32934) (3fbc785), closes #​32933

Reverts

• prlint: fail prlinter on codecov failures, with exemption label (#​32867) (928d3bb), closes aws/aws-cdk#32674

---

Alpha modules (2.176.0-alpha.0)

Features

• scheduler-targets: add support for universal target (#​32341) (021e6d6), closes #​32328

Bug Fixes

• msk: clusterName validation in Cluster class is incorrect (#​32792) (41ddd46), closes /github.com/aws/aws-cdk/pull/32505#discussion_r1891027876

v2.175.1

Compare Source

Bug Fixes

• cli: "no stack found in the main cloud assembly" (#​32839) (7b68908), closes aws/aws-cdk#32636 #​32836 #​32836

---

Alpha modules (2.175.1-alpha.0)

v2.175.0

Compare Source

Features

• ecs: enable fault injection flag (#​32598) (ed366ce)
• ecs: warning when creating a service with the default minHealthyPercent (#​31738) (3606deb), closes #​31705
• update L1 CloudFormation resource definitions (#​32768) (107eed3)
• cli: warn of non-existent stacks in cdk destroy (#​32636) (c199378), closes #​32545 #​27179 40aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts#L190 aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts#L286-L291
• eks: update nodegroup gpu check (#​32715) (693afea), closes #​31347
• update L1 CloudFormation resource definitions (#​32755) (8f97112)
• kms: add sign and verify related grant methods (#​32681) (86d2853), closes #​23185

Bug Fixes

• cli: cannot set environment variable CI=false (#​32749) (26b361d)
• cli: requiresRefresh function does not respect null (#​32666) (2abc23c), closes #​32653 /github.com/smithy-lang/smithy-typescript/blob/main/packages/property-provider/src/memoize.ts#L27
• cloudwatch: render region and accountId when directly set on metrics (#​32325) (c393481), closes #​28731
• ecs: outdated linux commands for canContainersAccessInstanceRole=false and also deprecate property (#​32763) (bbdd42c), closes #​28518

---

Alpha modules (2.175.0-alpha.0)

Features

• s3objectlambda: open s3 access point arn (#​32661) (0486b9c), closes #​31950

Bug Fixes

• apprunner: the Service class does not implement IService (#​32771) (3d56efa), closes #​32745
• integ-runner: ENOENT no such file or directory 'recommended-feature-flags.json' (#​32750) (f809b94)

v2.174.1

Compare Source

Features

• update L1 CloudFormation resource definitions (#​32755) (0bc32c9)
• update L1 CloudFormation resource definitions (#​32768) (20070a4)

---

Alpha modules (2.174.1-alpha.0)

v2.174.0

Compare Source

Features

• codebuild: add new environment types (#​32729) (a10c369), closes #​32728
• custom-resource: add serviceTimeout property for custom resources (#​30911) (d599900), closes #​30517
• update L1 CloudFormation resource definitions (#​32685) (fe3af93)
• update L1 CloudFormation resource definitions (#​32712) (3170e1c)
• update L1 CloudFormation resource definitions (#​32726) (de04742)
• autoscaling: add availabilityZoneDistribution property to an AutoScalingGroup (#​32100) (ecfce7c)
• bedrock: additional foundation models (#​32684) (fcf4ecd)
• cli: support CloudFormation simplified resource import (#​32676) (ca33f0a), closes #​28060
• cli-plugin-contract: introduce a public contract between CLI and plugins (#​32111) (fbaab1d)
• rds: support 11.22-rds.20241121 for RDS PostgreSQL (#​32508) (491475a)
• rds: supports minors 11.4.4, 10.11.10, 10.6.20, 10.5.27 for RDS for MariaDB (#​32632) (b8e79b6)
• update L1 CloudFormation resource definitions (#​32582) (ff57cc3)
• update L1 CloudFormation resource definitions (#​32645) (a0525f5)
• appconfig: add atDeploymentTick extension action point to L2 Constructs (#​32490) (225d261)
• cloudfront: distribution ARN property (#​32531) (b7e6141), closes #​32530
• codebuild: support auto retry limit for Project (#​32507) (2c109cf), closes #​32446
• ecs: machineImageType support AL2023 (#​32509) (4b696bc), closes #​32496 #​32469
• update L1 CloudFormation resource definitions (#​32540) (2e3b2ac)

Bug Fixes

• cli: notices don't work behind a proxy (#​32590) (3377c3b)
• cli: outdated dependency on @aws-cdk/cloud-assembly-schema (#​32704) (3b162fc)
• cli: unhandled nextToken returned by listImagesCommand in garbage collector for ECR (#​32679) (d9346bc), closes #​32498
• opensearch: add I4I and R7GD to list of OpenSearch nodes not requiring EBS volumes (#​32592) (e364d2b), closes #​32070 #​32138
• bump jsii 5.5 to 5.6 (#​32588) (57bba19)
• cdk: changed retry mechanism for hotswapping AppSync.function (#​32179) (d14d784)
• cli: allow credential plugins to return null for expiration (#​32554) (d4f6946)
• cli: cdk deploy -R does not disable rollback (#​32514) (2e75924), closes #​31850
• cli: doesn't support plugins that return initially empty credentials (#​32552) (38116b0)
• cli: getting credentials via SSO fails when the region is set in the profile (#​32520) (bf026bd)
• lambda: add @​deprecated tag to python3.8 (#​32162) (27619cc)
• route53-targets: deprecated method for dns name is used in userpool domain target (under feature flag) (#​31403) (5e73dd0)

Reverts

• ecs: machineImageType support AL2023 (#​32550) (e8d8237), closes aws/aws-cdk#32509

---

Alpha modules (2.174.0-alpha.0)

Features

• glue: support AWS Glue 5.0 (#​32467) (ca01a25)
• ec2: add c8g and m8g instance classes (#​32528) (a81eec6), closes #​32522
• msk-alpha: new KafkaVersions 3_7_X and 3_7_X_KRAFT (#​32515) (cbacf4d)

Bug Fixes

• ec2-alpha: do not use string comparison in rangesOverlap (#​32269) (87e21d6), closes #​32145
• redshift-alpha: extract tableName from custom resource functions (#​32452) (283edd6), closes PR#24308
• redshift-alpha: use same role for database-query singleton function (#​32363) (db950b3), closes #​32089

v2.173.4

Compare Source

Bug Fixes

• cli: cli still fails for some plugins returning expiration: null (#​32668) (4da2f65), closes #​32111

---

Alpha modules (2.173.4-alpha.0)

v2.173.3

Compare Source

Bug Fixes

• aspects: "localAspects is not iterable" error (#​32647) (8948ecb), closes #​32470

---

Alpha modules (2.173.3-alpha.0)

v2.173.2

Compare Source

Bug Fixes

• cli: allow credential plugins to return null for expiration (#​32554) (e59b1db)
• cli: doesn't support plugins that return initially empty credentials (#​32552) (7ee9b90)

---

Alpha modules (2.173.2-alpha.0)

v2.173.1

Compare Source

Bug Fixes

• cli: getting credentials via SSO fails when the region is set in the profile (#​32520) (01fec04)

---

Alpha modules (2.173.1-alpha.0)

v2.173.0

Compare Source

Features

• cognito: user pool feature plans (#​32367) (39c22de), closes #​32369
• dynamodb: add precision timestamp for kinesis stream (#​31863) (625c431), closes #​31761
• dynamodb: add warm-throughput to L2 constructs (#​32390) (496bc78), closes #​32127
• route53: added EvaluateTargetHealth to Route53 Alias targets (#​9481) (#​30664) (c23be8c), closes #​30739
• route53: added L2 construct for Route53's health checks (#​30739) (7fdd974), closes #​9481 #​30664
• stepfunctions-tasks: support dynamic values for Glue Job Worker Type (#​32453) (7df954c)
• update L1 CloudFormation resource definitions (#​32446) (093c540)

Bug Fixes

• autoscaling: AutoScalingGroup requireImdsv2 with launchTemplate or mixedInstancesPolicy throws unclear error (#​32220) (06cdaac), closes #​27586 #​27586
• cli: assuming a role from the INI file fails in non-commercial regions (#​32456) (7028242)
• cloudformation-include: string arrays inside unknown properties cannot be parsed (#​32461) (0c2f98b)
• cloudwatch: period of each metric in usingMetrics for MathExpression is ignored (#​30986) (59e96a3), closes /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudwatch/lib/metric.ts#L606-L608 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudwatch/lib/metric.ts#L566
• elasticloadbalancingv2: cannot create UDP listener for dual-stack NLB (#​32184) (e9c6e23), closes /github.com/aws/aws-cdk/pull/32184#issuecomment-2510536270
• lambda: improve validation errors for lambda functions (#​32323) (2607eb3), closes #​32324
• rds: serverlessV2MaxCapacity can be set to 0.5, which is invalid (#​32232) ([3fe229

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (9e4afd5) to head (a3a9bf3).

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #25   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            2         2           
  Lines          132       132           
  Branches        10         7    -3     
=========================================
  Hits           132       132           

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9e4afd5...a3a9bf3. Read the comment docs.

[cu-infra-svc-git]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.