chore(deps): update dependency aws-cdk-lib to v2.177.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aws-cdk-lib (source)	2.152.0 -> 2.177.0

GitHub Vulnerability Alerts

CVE-2025-23206

Impact

Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34.

However, the current tls.connect method will always set rejectUnauthorized: false which is a potential security concern. CDK should follow the best practice and set rejectUnauthorized: true. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag.

Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to a unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigate the MITM attack.

As a best practice, CDK should still fix this issue under a feature flag to avoid regression.

packages/@​aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts
❯❱ problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS
verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized
to false bypasses verification against the list of trusted CAs, which also leads to insecure
transport.

Patches

The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (Expected release date 2025-02-22).
Once upgraded, please make sure the feature flag '@​aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true in cdk.context.json or cdk.json. More details on feature flag setting is here.

Workarounds

N/A

References

https://github.com/aws/aws-cdk/issues/32920

---

Release Notes

aws/aws-cdk (aws-cdk-lib)

v2.177.0

Compare Source

Features

• apigatewayv2: throw ValidationError instead of untyped errors (#​33072) (8b472fc), closes #​32569
• apigatewayv2: throw ValidationError instead of untyped errors (#​33082) (5377586), closes #​32569
• apigatewayv2-authorizers: throw ValidationError instead of untyped errors (#​33076) (dd34d2e), closes #​32569
• bedrock: deprecate Claude 2, 2.1, Instant (#​33058) (c0ed449)
• cli: add --untrust option to bootstrap (#​33091) (4713bdd)
• cli: show all information from waiter errors (#​33035) (b512a72)
• cli: throw typed errors (#​33005) (bf81b3c), closes #​32548
• cloudfront-origins: list access level for 404 response (#​32059) (2b2443d), closes #​13983 #​31689
• cognito: managed login (#​33097) (188f52d)
• elbv2: throw ValidationError intsead of untyped errors (#​33111) (cc1988a), closes #​32569
• lambda: throw ValidationError instead of untyped errors (#​33033) (a928748), closes #​32569
• rds: throw ValidationError instead of untyped errors (#​33042) (0b2db62), closes #​32569
• route53: throw ValidationError instead of untyped errors (#​33110) (5e0f16d), closes #​32569
• s3: replicating objects (#​30966) (9d8a7e2), closes #​1680 /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrulefilter.html#cfn-s3 /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3 /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3
• s3: throw ValidationError instead of untyped errors (#​33031) (61e876b), closes #​32569
• s3: throw ValidationError instead of untyped errors (#​33109) (aea8f3b), closes #​32569
• sns: throw ValidationError instead of untyped errors (#​33045) (7452462), closes #​32569
• sqs: throw ValidationError instead of untyped errors (#​33046) (6469412), closes #​32569
• ssm: throw ValidationError instead of untyped errors (#​33067) (6677b33), closes #​32569
• synthetics: cleanup provisioned lambda and layers for canary (#​32738) (bdb4a59)
• synthetics: node playwright 1.0 and python selenium 4.1 runtime (#​32245) (d68020b), closes /docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html#CloudWatch_Synthetics_runtimeversion-syn-python-selenium-4
• synthetics: throw ValidationError instead of untyped errors (#​33079) (e4703c1), closes #​32569
• VpcV2: add BYOIP IPv6 to VPCv2 (#​32927) (93c95fc)
• update L1 CloudFormation resource definitions (#​33019) (e31924a), closes /docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseRoute53 /docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parseRoute53

Bug Fixes

• bundling: enclosing metafile & tsconfig paths with quotes (#​32725) (5410e10)
• cli: disallow import of internal cli libraries (#​33021) (e5ac918)
• cli: trace output (-vv) is useless when files are uploaded (#​33104) (d95add3)
• cloudfront: add validations on ResponseHeadersCorsBehavior.accessControlAllowMethods (#​32769) (4c42800)
• cx-api: cannot detect CloudAssembly across different libraries (#​32998) (94ba772), closes aws/aws-cdk#31041
• rds: does not print all failed validations for DatabaseCluster props (#​32841) (344d916), closes #​32840 #​32840 /github.com/aws/aws-cdk/pull/32151/files#diff-49b4a9e1bf0b7db3ab71f4f08580da0cb2191d84605dc82a70c324bd122d5cf7R805-R828 /github.com/aws/aws-cdk/pull/32841/files#diff-5d08d37e744e173239879212c59fd45cb9a279349f3dfb1c66923cb015ed3a3 /github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-ec2/lib/volume.ts#L672-L743 /github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/eventbridge-scheduler/create-schedule.ts#L324-L362 /github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-fsx/lib/lustre-file-system.ts#L360-L380
• sqs: does not print all failed validations for Queue props (#​33070) (b77e937), closes #​33098 #​33098
• update fetchOpenPullRequests method to pass organisation in github action workflow for prioritization (#​33073) (066cd4f)

---

Alpha modules (2.177.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• glue-alpha: Developers must refactor their existing Job
  instantiation method calls to choose the right job type and language,
  and use the new constants static values to define the associated Job
  configuration settings. See the RFC and/or new README for examples.

Description of how you validated changes

Increased unit test coverage to > 90%, consulted with Glue service team
on best practices and sane defaults, updated integration tests.

Features

• amplify-alpha: throw ValidationError instead of untyped errors (#​33141) (a7cd9eb), closes #​32569

Bug Fixes

• custom-resource-handlers: do not allow unauthorized connection for iam OIDC connection (under feature flag) (#​32921) (3e4f377), closes #​32920

Code Refactoring

• glue-alpha: Refactored glue-alpha L2 CDK construct RFC 0497 (#​32521) (1a18dc9)

v2.176.0

Compare Source

Features

• apigatewayv2-integrations: WebSocketMockIntegration props (#​30622) (a5a0168), closes #​29661
• codebuild: add new BuildImages (#​32525) (a734841)
• ecs: enable Enhanced Observability for Container Insights (#​32622) (79ab137), closes #​32618
• update L1 CloudFormation resource definitions (#​32847) (9317203)
• appconfig: environment deletion protection (#​32737) (393e5c0)

Bug Fixes

• cli: "no stack found in the main cloud assembly" (#​32839) (3c0acce), closes aws/aws-cdk#32636 #​32836 #​32836
• core: use correct formatting for aggregate errors in aws-cdk (#​32817) (97af31b), closes #​32237
• elasticloadbalancingv2: open, dual-stack-without-public-ipv4 ALB does not allow IPv6 inbound traffic (under feature flag) (#​32765) (aff160b), closes #​32197
• rds: clusterScailabilityType is spelled wrong and should be clusterScalabilityType (#​32825) (d39e835), closes #​32415 #​32415
• rds: incorrect version definition of MySQL 8.4.3 (#​32934) (3fbc785), closes #​32933

Reverts

• prlint: fail prlinter on codecov failures, with exemption label (#​32867) (928d3bb), closes aws/aws-cdk#32674

---

Alpha modules (2.176.0-alpha.0)

Features

• scheduler-targets: add support for universal target (#​32341) (021e6d6), closes #​32328

Bug Fixes

• msk: clusterName validation in Cluster class is incorrect (#​32792) (41ddd46), closes /github.com/aws/aws-cdk/pull/32505#discussion_r1891027876

v2.175.1

Compare Source

Bug Fixes

• cli: "no stack found in the main cloud assembly" (#​32839) (7b68908), closes aws/aws-cdk#32636 #​32836 #​32836

---

Alpha modules (2.175.1-alpha.0)

v2.175.0

Compare Source

Features

• ecs: enable fault injection flag (#​32598) (ed366ce)
• ecs: warning when creating a service with the default minHealthyPercent (#​31738) (3606deb), closes #​31705
• update L1 CloudFormation resource definitions (#​32768) (107eed3)
• cli: warn of non-existent stacks in cdk destroy (#​32636) (c199378), closes #​32545 #​27179 40aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts#L190 aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts#L286-L291
• eks: update nodegroup gpu check (#​32715) (693afea), closes #​31347
• update L1 CloudFormation resource definitions (#​32755) (8f97112)
• kms: add sign and verify related grant methods (#​32681) (86d2853), closes #​23185

Bug Fixes

• cli: cannot set environment variable CI=false (#​32749) (26b361d)
• cli: requiresRefresh function does not respect null (#​32666) (2abc23c), closes #​32653 /github.com/smithy-lang/smithy-typescript/blob/main/packages/property-provider/src/memoize.ts#L27
• cloudwatch: render region and accountId when directly set on metrics (#​32325) (c393481), closes #​28731
• ecs: outdated linux commands for canContainersAccessInstanceRole=false and also deprecate property (#​32763) (bbdd42c), closes #​28518

---

Alpha modules (2.175.0-alpha.0)

Features

• s3objectlambda: open s3 access point arn (#​32661) (0486b9c), closes #​31950

Bug Fixes

• apprunner: the Service class does not implement IService (#​32771) (3d56efa), closes #​32745
• integ-runner: ENOENT no such file or directory 'recommended-feature-flags.json' (#​32750) (f809b94)

v2.174.1

Compare Source

Features

• update L1 CloudFormation resource definitions (#​32755) (0bc32c9)
• update L1 CloudFormation resource definitions (#​32768) (20070a4)

---

Alpha modules (2.174.1-alpha.0)

v2.174.0

Compare Source

Features

• codebuild: add new environment types (#​32729) (a10c369), closes #​32728
• custom-resource: add serviceTimeout property for custom resources (#​30911) (d599900), closes #​30517
• update L1 CloudFormation resource definitions (#​32685) (fe3af93), closes /docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#create-s3 /docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#create-s3
• update L1 CloudFormation resource definitions (#​32712) (3170e1c)
• update L1 CloudFormation resource definitions (#​32726) (de04742)
• autoscaling: add availabilityZoneDistribution property to an AutoScalingGroup (#​32100) (ecfce7c)
• bedrock: additional foundation models (#​32684) (fcf4ecd)
• cli: support CloudFormation simplified resource import (#​32676) (ca33f0a), closes #​28060
• cli-plugin-contract: introduce a public contract between CLI and plugins (#​32111) (fbaab1d)
• rds: support 11.22-rds.20241121 for RDS PostgreSQL (#​32508) (491475a)
• rds: supports minors 11.4.4, 10.11.10, 10.6.20, 10.5.27 for RDS for MariaDB (#​32632) (b8e79b6)
• update L1 CloudFormation resource definitions (#​32582) (ff57cc3)
• update L1 CloudFormation resource definitions (#​32645) (a0525f5)
• update L1 CloudFormation resource definitions (#​32685) (fe3af93), closes /docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#create-s3 /docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#create-s3
• appconfig: add atDeploymentTick extension action point to L2 Constructs (#​32490) (225d261)
• cloudfront: distribution ARN property (#​32531) (b7e6141), closes #​32530
• codebuild: support auto retry limit for Project (#​32507) (2c109cf), closes #​32446
• ecs: machineImageType support AL2023 (#​32509) (4b696bc), closes #​32496 #​32469
• update L1 CloudFormation resource definitions (#​32540) (2e3b2ac)

Bug Fixes

• cli: notices don't work behind a proxy (#​32590) (3377c3b)
• cli: outdated dependency on @aws-cdk/cloud-assembly-schema (#​32704) (3b162fc)
• cli: unhandled nextToken returned by listImagesCommand in garbage collector for ECR (#​32679) (d9346bc), closes #​32498 /github.com/aws/aws-cdk/blob/v2.173.4/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts#L621
• elasticloadbalancingv2: open, dual-stack-without-public-ipv4 ALB allows IPv6 inbound traffic (#​32203) (0731095), closes #​32197
• opensearch: add I4I and R7GD to list of OpenSearch nodes not requiring EBS volumes (#​32592) (e364d2b), closes #​32070 #​32138
• bump jsii 5.5 to 5.6 (#​32588) (57bba19)
• cdk: changed retry mechanism for hotswapping AppSync.function (#​32179) (d14d784)
• cli: allow credential plugins to return null for expiration (#​32554) (d4f6946)
• cli: cdk deploy -R does not disable rollback (#​32514) (2e75924), closes #​31850
• cli: doesn't support plugins that return initially empty credentials (#​32552) (38116b0)
• cli: getting credentials via SSO fails when the region is set in the profile (#​32520) (bf026bd)
• lambda: add @​deprecated tag to python3.8 (#​32162) (27619cc)
• route53-targets: deprecated method for dns name is used in userpool domain target (under feature flag) (#​31403) (5e73dd0)

Reverts

• "fix(elasticloadbalancingv2): open, dual-stack-without-public-ipv4 ALB allows IPv6 inbound traffic" (#​32690) (6c790fd), closes aws/aws-cdk#32203
• ecs: machineImageType support AL2023 (#​32550) (e8d8237), closes aws/aws-cdk#32509

---

Alpha modules (2.174.0-alpha.0)

Features

• glue: support AWS Glue 5.0 (#​32467) (ca01a25)
• ec2: add c8g and m8g instance classes (#​32528) (a81eec6), closes #​32522
• msk-alpha: new KafkaVersions 3_7_X and 3_7_X_KRAFT (#​32515) (cbacf4d)

Bug Fixes

• ec2-alpha: do not use string comparison in rangesOverlap (#​32269) (87e21d6), closes #​32145 #​32145
• redshift-alpha: extract tableName from custom resource functions (#​32452) (283edd6), closes PR#24308
• redshift-alpha: use same role for database-query singleton function (#​32363) (db950b3), closes #​32089

v2.173.4

Compare Source

Bug Fixes

• cli: cli still fails for some plugins returning expiration: null (#​32668) (4da2f65), closes #​32111

---

Alpha modules (2.173.4-alpha.0)

v2.173.3

Compare Source

Bug Fixes

• aspects: "localAspects is not iterable" error (#​32647) (8948ecb), closes #​32470

---

Alpha modules (2.173.3-alpha.0)

v2.173.2

Compare Source

Bug Fixes

• cli: allow credential plugins to return null for expiration (#​32554) (e59b1db)
• cli: doesn't support plugins that return initially empty credentials (#​32552) (7ee9b90)

---

Alpha modules (2.173.2-alpha.0)

v2.173.1

Compare Source

Bug Fixes

• cli: getting credentials via SSO fails when the region is set in the profile (#​32520) (01fec04)

---

Alpha modules (2.173.1-alpha.0)

v2.173.0

Compare Source

Features

• cognito: user pool feature plans (#​32367) (39c22de), closes #​32369
• dynamodb: add precision timestamp for kinesis stream (#​31863) (625c431), closes #​31761
• dynamodb: add warm-throughput to L2 constructs (#​32390) (496bc78), closes #​32127
• route53: added EvaluateTargetHealth to Route53 Alias targets (#​9481) (#​30664) (c23be8c), closes #​30739
• route53: added L2 construct for Route53's health checks (#​30739) (7fdd974), closes #​9481 #​30664
• stepfunctions-tasks: support dynamic values for Glue Job Worker Type (#​32453) (7df954c)
• update L1 CloudFormation resource definitions (#​32446) (093c540)

Bug Fixes

• autoscaling: AutoScalingGroup requireImdsv2 with launchTemplate or mixedInstancesPolicy throws unclear error (#​32220) (06cdaac), closes #​27586 #​27586
• cli: assuming a role from the INI file fails in non-commercial regions (#​32456) (7028242)
• cloudformation-include: string arrays inside unknown properties cannot be parsed (#​32461) (0c2f98b)
• cloudwatch: period of each metric in usingMetrics for MathExpression is ignored (#​30986) (59e96a3), closes /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudwatch/lib/metric.ts#L606-L608 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudwatch/lib/metric.ts#L566
• elasticloadbalancingv2: cannot create UDP listener for dual-stack NLB (#​32184) (e9c6e23), closes /github.com/aws/aws-cdk/pull/32184#issuecomment-2510536270
• lambda: improve validation errors for lambda functions (#​32323) (2607eb3), closes #​32324
• rds: serverlessV2MaxCapacity can be set to 0.5, which is invalid (#​32232) (3fe229d), closes /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-serverlessv2scalingconfiguration.html#cfn-rds-dbcluster-serverlessv2
• stepfunctions-task: elasticloadbalancingv2 service policy (#​32419) (2677fce), closes #​32417 /github.com/aws/aws-cdk/blame/2607eb3a905f735b96713dda4f32d28d10d686fd/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts#L93-L97
• synthetics: canary name can be up to 255 characters (#​32385) (231e1bf), closes #​32376

---

Alpha modules (2.173.0-alpha.0)

Features

• redshift-alpha: add support for RA3.large node type (#​31637) (ce0e09f), closes #​31634

v2.172.0

Compare Source

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• apigateway: We will be removing deprecated APIGatewayV2 constructs from aws-apigateway module.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Features

• aspects: priority-ordered aspect invocation (#​32097) (8ccdff4), closes #​21341 /github.com/aws/aws-cdk/blob/8b495f9ec157c0b00674715f62b1bbcabf2096ac/packages/aws-cdk-lib/core/lib/private/synthesis.ts#L217
• cognito: new cloudFrontEndpoint method for user pool domain without custom resource (#​31402) (deeb2ad), closes #​31342 /github.com/go-to-k/aws-cdk/blob/fcbdc769e681f1f915cdc8cd7aa3a565d807884d/packages/aws-cdk-lib/aws-route53-targets/lib/userpool-domain.ts#L14
• cognito: support for ALLOW_USER_AUTH explicit auth flow (#​32273) (c5bcfdc)
• elasticloadbalancingv2: ip address type for both network and application target group (#​32189) (7cc5f30)
• events: add filter rules for prefixEqualsIgnoreCase, suffixEqualsIgnoreCase, wildcard, and anythingBut* matches (#​32063) (0ce71fc), closes #​28462
• lambda-nodejs: add bun support (#​31770) (aed8ad1), closes #​31753 #​31753
• rds: limitless database cluster (#​32151) (f4c19c7)
• ses: add support to disable account-level suppression list (#​32168) (bb50c1a), closes #​32149
• update L1 CloudFormation resource definitions (#​32272) (421d327)
• update L1 CloudFormation resource definitions (#​32356) (9e6bb24)
• route53-targets: add AppSync route53 target (#​31976) (dc7574a), closes #​26109

Bug Fixes

• apigateway: remove deprecated apigatewayv2 from aws-apigateway module (#​32297) (4db9565)
• appsync: appsync.HttpDataSourceProps erroneously extends BaseDataSourceProps (#​32065) (4e7f5c4), closes #​29689
• cli: assume role calls are skipping the proxy (#​32291) (6c0f74e)
• cli: lambda hotswap fails if lambda:GetFunctionConfiguration action is not allowed (#​32301) (be000a2), closes /github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdatedV2.ts#L10 /github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdated.ts#L13
• cli: mfa code is not requested when $AWS_PROFILE is used (#​32313) (6458439), closes #​32312
• cli: remove source maps (#​32317) (512cf95), closes #​19930 #​19930
• cli: short-lived credentials are not refreshed (#​32354) (058a0bf)
• cli: warns about missing --no-rollback flag that is present (#​32309) (559d676), closes #​32295
• cloudformation-include: drops unknown policy attributes (#​32321) (20edc7f)
• cloudfront: propagate originAccessControlId CloudFront Origin property to CloudFormation templates (#​32020) (f9708a6), closes #​32018
• iam: Role.addManagedPolicy() does not work for imported roles IRole #​8307 (#​31212) (c78ef1b), closes /github.com/aws/aws-cdk/blob/823ff6e03899f790a4cb1c43f92a02cc906ac356/packages/aws-cdk-lib/aws-iam/lib/identity-base.ts#L17-L21

---

Alpha modules (2.172.0-alpha.0)

Features

• ec2: default BastionHostLinux to use Amazon Linux 2023 (under feature flag) (#​31996) (bf77e51), closes #​29493 #​29493
• ec2: instance support passing IAM instance profile (#​32073) (cf89d0f), closes #​8348
• neptune: auto minor version upgrade for an instance (#​31988) (d95db49)
• pipes: add LogDestination implementation

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.