Skip to content

chore(release): 2.215.0#35489

Closed
aws-cdk-automation wants to merge 53 commits intov2-releasefrom
bump/2.215.0
Closed

chore(release): 2.215.0#35489
aws-cdk-automation wants to merge 53 commits intov2-releasefrom
bump/2.215.0

Conversation

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation commented Sep 15, 2025

No description provided.

claypack and others added 30 commits September 2, 2025 10:45
@claypack
feat(stepfunctions-tasks): add Node.js 22 support to EvaluateExpressi…
640821d 
…on (#35370)

### Issue # (if applicable)

Closes #35353.

### Reason for this change

Currently you are unable to specify the NodeJS 22 Runtime directly in the EvaluateExpression construct. When users try to use `Runtime.NODEJS_22_X`, they receive an error that this runtime is not supported. 

### Description of changes

- Added Node.js 22 runtime mapping to the `nodeJsGuids` object in `evaluate-expression.ts` with UUID `'b64e1fb8-9c89-4f7d-8a34-2e2a1c5f6d7e'`
- Added unit test coverage for Node.js 22 runtime in `evaluate-expression.test.ts`

The changes follow the exact same pattern as existing Node.js runtime support (Node.js 20, 18, etc.). No alternatives were considered as this is a straightforward addition to the existing runtime mapping system. The UUID was generated to ensure uniqueness for the singleton Lambda function pattern used by EvaluateExpression.

### Describe any new or updated permissions being added

No new or updated IAM permissions are required. This change only adds support for an additional Lambda runtime version.

### Description of how you validated changes

- Added unit test that verifies EvaluateExpression creates a Lambda function with `nodejs22.x` runtime
- All existing tests continue to pass (5/5 tests passing)
- Manually tested by creating a CDK app, synthesizing CloudFormation template, and deploying to AWS
- Verified the deployed Lambda function uses Node.js 22 runtime and executes successfully and returns 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@phuhung273
chore(ec2): add m8i, m8i-flex, r8i, r8i-flex instance class (#35364)
01524d1 
### Issue # (if applicable)
None

### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-ec2-m8i-and-m8i-flex-instances-generally-available/
https://aws.amazon.com/about-aws/whats-new/2025/08/memory-optimized-amazon-ec2-r8i-r8i-flex-instances/

### Description of changes
Add m8i, m8i-flex, r8i, r8i-flex instance class

### Description of how you validated changes
```console
$ aws ec2 describe-instance-types | grep -e m8i -e r8i
            "InstanceType": "r8i.48xlarge",
            "InstanceType": "r8i-flex.8xlarge",
            "InstanceType": "m8i.16xlarge",
            "InstanceType": "m8i-flex.2xlarge",
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@matoom-nomu
chore(neptune): add engine version 1.4.5.1 (#35362)
dd1fccc 
### Issue # (if applicable)

None

### Reason for this change

Neptune had released engine version 1.4.5.1.

- Docs
  - https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.4.5.1.html
- Version confirmed via CLI
  - `aws neptune describe-db-engine-versions --engine neptune --engine-version 1.4.5.1 --region us-east-1
{
    "DBEngineVersions": [
        {
            "Engine": "neptune",
            "EngineVersion": "1.4.5.1",
            "DBParameterGroupFamily": "neptune1.4",
            "DBEngineDescription": "neptune",
            "DBEngineVersionDescription": "Neptune 1.4.5.1.R1",
            "ValidUpgradeTarget": [],
            "ExportableLogTypes": [
                "audit",
                "slowquery"
            ],
            "SupportsLogExportsToCloudwatchLogs": true,
            "SupportsReadReplica": false,
            "SupportsGlobalDatabases": true
        }
    ]
}`

### Description of changes

Added `V1_4_5_1` to EngineVersion class


### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@otaviomacedo
chore: fix assets bundling integ test (#35228)
382ff54 
In this test, the platform specified to bundle the asset is `linux/amd64`. But the image used doesn't specify any platform. This is causing the `integ.assets.bundling.docker-opts.ts` to fail with the message:

>Unable to find image 'cdk-66687611b68d3de0f92ed971e4c457e4828f2e0c877c8b1f5fab42ac3d2772ec:latest' locally
>docker: Error response from daemon: pull access denied for cdk-66687611b68d3de0f92ed971e4c457e4828f2e0c877c8b1f5fab42ac3d2772ec, repository does not exist or may require 'docker login'
>
>Run 'docker run --help' for more information

Add the platform to the build parameters of the Docker image.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mergify
Merge branch 'main' into merge-back/2.214.0
9676968
@badmintoncryer
chore(iot): cannot set a value greater than 3650 days for deviceCerti…
6d64bda 
…ficateAgeCheckDuration (#35365)

### Issue # (if applicable)

None

### Reason for this change

`deviceCertificateAgeCheckDuration` has a upper bound value (3652 days) but we cannot deploy `AccountAuditConfiguration` construct when this duration is set 3651-3652 days.

```console
10:51:08 PM | UPDATE_FAILED        | AWS::IoT::AccountAuditConfiguration | AuditConfiguration8C793652
Resource handler returned message: "Certificate age threshold is greater than the maximum supported threshold of 3650 days. (Service: Iot, Status Code: 400, Request ID: 20cddf20-
f5a5-4f4b-8fee-140be1305778) (SDK Attempt Count: 1)" (RequestToken: 931fdbeb-f895-c970-b0a5-5e7a2f9a86be, HandlerErrorCode: InvalidRequest)
```

[AWS docs](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-certificate-age-check.html) states that upper bound value is 3652 days but I think this statement is wrong.

### Description of changes

- set update upper bound value to 3650 days from 3652 days

### Describe any new or updated permissions being added

None

### Description of how you validated changes

update unit test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@mergify
Merge branch 'main' into merge-back/2.214.0
fab100e
@alvazjor
chore(iot-actions-alpha): add missing rosetta dependency (#35400)
fead876 
### Issue # (if applicable)


### Reason for this change

PR builds are failing with `Error: @aws-cdk.aws-iot-alpha-README-L146.ts:9:26 - error TS2307: Cannot find module '@aws-cdk/aws-iot-actions-alpha' or its corresponding type declarations.` lately. This change should fix that issue.

### Description of changes

Added missing `@aws-cdk/aws-iot-actions-alpha` dependency

### Describe any new or updated permissions being added

NA


### Description of how you validated changes
Followed PRs that solved similar issues

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@alvazjor
Merge branch 'main' into merge-back/2.214.0
0006613
@mergify
chore(merge-back): 2.214.0 (#35397)
0c98552 
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.214.0/CHANGELOG.md)
@rix0rrr
chore: improve reliability of lazify tests (#35398)
04eae8c 
Test suites execute in parallel, and two different test suites write the same file to disk in the same location, thereby racing.

Make them write different files.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@pahud
fix(s3): scope BucketNotificationsHandler IAM permissions to specific…
c0300d2 
… bucket ARNs (#35334)

### Issue # (if applicable)

Closes #35331 #5925

### Reason for this change

The S3 BucketNotificationsHandler Lambda function created by CDK for S3 bucket notifications receives overly broad IAM permissions with `"Resource": "*"` instead of being scoped to specific bucket ARNs. This violates the principle of least privilege and creates a security risk where the handler could potentially modify notifications for any S3 bucket in the account, preventing security teams from approving deployments.

### Description of changes

Implemented scoped IAM permissions for the S3 `BucketNotificationsHandler` by leveraging the existing `grantBucketNotifications()` method and the `@aws-cdk/aws-iam:minimizePolicies` feature flag:

- **Simplified approach**: Removed complex Aspect-based implementation in favor of using existing CDK mechanisms
- **Feature flag utilization**: The `@aws-cdk/aws-iam:minimizePolicies` feature flag automatically consolidates IAM policies with specific bucket ARNs
- **Grant-based permissions**: Uses the existing `grantBucketNotifications()` method which already provides scoped permissions to specific bucket ARNs
- **Automatic consolidation**: When multiple buckets use the same handler, policies are automatically consolidated into a single statement with all bucket ARNs
- **Backward compatibility**: Maintains singleton pattern and all existing functionality - no breaking changes

**Before**: IAM policy contained `"Resource": "*"` (wildcard permissions)
**After**: IAM policy contains `"Resource": [{"Fn::GetAtt": ["BucketName", "Arn"]}, ...]` (scoped permissions)

### Describe any new or updated permissions being added

**Security improvement**: This change reduces permissions rather than adding new ones. The handler now receives more restrictive IAM permissions scoped only to the specific S3 buckets it needs to manage, implementing the principle of least privilege. No new permissions are required.

### Description of how you validated changes

- **Unit tests**: All existing 22 notification tests pass successfully (100% success rate). Tests already expect scoped permissions due to the existing grant method implementation
- **Integration tests**: Existing integration test snapshots show the correct IAM policy structure with specific bucket ARNs instead of wildcards. All integration tests pass
- **CloudFormation validation**: Verified that generated templates contain specific bucket ARNs instead of wildcards and deploy successfully
- **Regression testing**: Confirmed all existing S3 bucket notification functionality works unchanged, including EventBridge notifications, filter rules, and both managed and unmanaged bucket scenarios

### Potential Concerns

1. **Simplified Implementation**: The current approach leverages existing CDK mechanisms (`grantBucketNotifications()` method and `@aws-cdk/aws-iam:minimizePolicies` feature flag) rather than implementing custom Aspect logic. This is actually a strength as it reduces complexity and maintenance burden while achieving the same security outcome.

2. **Feature Flag Dependency**: The solution relies on the `@aws-cdk/aws-iam:minimizePolicies` feature flag for policy consolidation. This flag is already widely adopted and is part of CDK's recommended feature flags, making this a low-risk dependency.

3. **Potential for Regressions**: The PR fixes a security vulnerability that has been present for a while. The existing comprehensive test suite provides good coverage, and the integration tests serve as the best defense against future regressions.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@vishaalmehrishi
chore: auto-unlock reopened PRs and issues (#35401)
e1e21db 
### Issue # (if applicable)

Closes #34890.

### Reason for this change

Reopened issues/PRs should be unlocked automatically so discussion can continue.

### Description of changes

Added an unlock workflow similar to the existing lock workflow: https://github.com/aws/aws-cdk/blob/6d64bdadf8ede3d85a311c3981d899b7787ddd07/.github/workflows/lock-issue-pr-with-message.yml

Reference for issue unlocking: https://docs.github.com/en/rest/issues/issues?apiVersion=2022-11-28#unlock-an-issue

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Validated that the YAML syntax is valid.

For actual validation I will create a dummy issue, then close and reopen to ensure it works; however, this will happen post-merge.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
chore(iam): add new enum values for iam (#35386)
3edead1 
This PR updates the enum values for iam.
@github-actions
chore(batch): add new enum values for batch (#35383)
5695289 
This PR updates the enum values for batch.
@otaviomacedo
feat: new resource interfaces shared by both L1s and L2s (#35032)
5e8c0d5 
This PR introduces a new set of minimal L1 interfaces to address resources in the CDK APIs.

# New interfaces

They are named like `IBucketRef` (and `IInstanceRef`, `IKeyRef`, etc), which is an interface similar to `IBucket` but lives at the L1 level instead of the L2 level.  It allows "pointing to a bucket" in a typed way. The L1 `CfnBucket` implements `IBucketRef`, and the L2 `IBucket` extends `IBucketRef`. `IBucketRef` doesn't have any of the additional handwritten conveniences afforded by `IBucket`, but because it doesn't involve any handwritten code this it to be implemented by the L1 `CfnBucket`.

We've then gone through all APIs where an `IBucket` was expected, and if that call site didn't use any of the facilities exposed by `IBucket` we've replaced the type with `IBucketRef`.

The result is that in those APIs, it is now possible to transparently pass both L1 and L2 resources, instead of only L2 resources. This gives you the freedom of picking between L1s and L2s as your need dictate.

# If you are implementing IBucket yourself

If you are writing classes that implement `IBucket`, you now have an additional implementation burden:

```ts
interface IBucketRef {
  /** This property is new */
  public readonly bucketRef: BucketReference;
}
```

You should copy this value from elsewhere, for example from `CfnBucket` or a `Bucket` you wrap:

```ts
export MyBucketClass implements IBucket {
  
  /** Add a getter for it */
  public get bucketRef(): BucketReference {
    return this.wrappedBucket.bucketRef;
  }
}
```

# Future work

This work is the first step in a series of changes that will make it easier for L1 and L2 classes to interoperate, and to progressively add enhancements to L1s in a way that doesn't require implementing full L2s. The goal is to make CDK more expressive with less upfront work.

# Experimental

This work is considered experimental, and it may change; we may still add `{ account; region }` to to the `BucketReference` struct (which is why you should copy it an underlying object, and not try to construct one yourself).

We may also roll back this change entirely and remove the interfaces we introduced here, so don't start referencing `IBucketRef` in your own code just yet.

To limit the impact, these are introduced currently only for the following services: IAM, S3, EC2, KMS, CloudFront. 

# Feedback

If you have opinions on this change, don't hesitate to let us know via the issue tracker or via a Direct Message [on Slack](https://cdk.dev/).

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@abidhasan-aws
chore: add docker pull common error in the integ framework readme (#3…
9fb35bb 
…5399)

Updating readme with the step for a common error: docker pull public.ecr failed with 403.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation
chore: npm-check-updates && yarn upgrade (#35406)
1c4d349 
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
@github-actions
chore(lambda): add new enum values for lambda (#35387)
d8d7798 
This PR updates the enum values for lambda.
@AdnaneKhan
chore(ci): add coverage for Actions to CodeQL scans. (#35314)
45e336c 
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Add coverage for Github Actions to codeql scans.

### Description of changes



Add `actions` to the language for the CodeQL advanced setup workflow.

### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@abidhasan-aws
feat(custom-resource): upgrade to python runtime 3.13 for custom reso…
3db140e 
…urces (#35342)

### Reason for this change
- Current custom resource handlers are using Python 3.9 and 3.11 runtimes
- Python 3.9 reaches EOL in October 2025
- Need to upgrade to Python 3.13 for better stability and continued support
- Affects multiple custom resource handlers including aws-ecs/drain-hook-provider, aws-eks/kubectl-provider, and others



### Description of changes
- Updated Python runtime from 3.9/3.11 to 3.13 in config.ts for generated bundle functions
- Modified runtime settings in:
  - notifications-resource-handler.ts
  - instance-drain-hook.ts
- Updated aws-eks-v2-alpha custom resource handler runtime
- Updated integration tests and snapshots



### Validation
- Deployed integration tests across multiple regions to verify functionality
- Verified Lambda Python 3.13 availability across required regions




### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@phuhung273
chore(rds): postgres add 17.6,16.10,15.14,14.19,13.22, oracle add 21.…
c126e35 
…0.0.0.ru-2025-07.rur-2025-07.r1,19.0.0.0.ru-2025-07.rur-2025-07.r1, mariadb 11.8.3 (#35345)

### Issue # (if applicable)
None

### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-rds-postgresql-supports-new-minor-versions/
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-rds-oracle-supports-july-2025-release-update-ru/
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-rds-mariadb-11-8-vector-support/

### Description of changes
Postgres add versions: 17.6, 16.10, 15.14, 14.19, 13.22
Oracle add versions: 21.0.0.0.ru-2025-07.rur-2025-07.r1, 19.0.0.0.ru-2025-07.rur-2025-07.r1

### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------------
|     DescribeDBEngineVersions     |
+-----------+----------------------+
|  Engine   |    EngineVersion     |
+-----------+----------------------+
...
|  postgres |  13.22               |
...
|  postgres |  14.19               |
...
|  postgres |  15.14               |
...
|  postgres |  16.10               |
...
|  postgres |  17.6                |

$ aws rds describe-db-engine-versions --engine oracle-ee-cdb --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
---------------------------------------------------------
|               DescribeDBEngineVersions                |
+----------------+--------------------------------------+
|     Engine     |            EngineVersion             |
+----------------+--------------------------------------+
...
|  oracle-ee-cdb |  19.0.0.0.ru-2025-07.rur-2025-07.r1  |
...
|  oracle-ee-cdb |  21.0.0.0.ru-2025-07.rur-2025-07.r1  |
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@Kasra-G
fix(stepfunctions): incorrect/missing permissions to run/redrive Dist…
bbebb79 
…ributedMap in state machine (#34760)

### Issue # (if applicable)

Closes #35390.

### Reason for this change


When using the `DistributedMap` state, the state machine cannot be redriven without additional configuration from the user. These additional steps seem to sometimes lead users into circular dependency issues (see [example](#28820 (comment))). 

Additionally, the `DistributedMap` assigns incorrect permissions for the `states:StopExecution` and `states:DescribeExecution` as these need to be applied to the execution arn, not the state machine arn ([AWS Docs](https://docs.aws.amazon.com/step-functions/latest/dg/iam-policies-eg-dist-map.html) vs [code reference](https://github.com/aws/aws-cdk/blob/aea1372ab7bc68c489cea5ee5e499233755910e8/packages/aws-cdk-lib/aws-stepfunctions/lib/state-graph.ts#L178-L180).

This PR also fixes an inconsistency for the recently added `grantRedriveExecution` function as it does not work for state machines that have DistributedMaps. 
The root cause is that when adding a DistributedMap to a state machine, additional permissions need to be added to the state machine's execution role to permit redriving a map run. Otherwise, when the state machine is redriven, the map run will fail to redrive. The docs provide a minimum permissions example https://docs.aws.amazon.com/step-functions/latest/dg/iam-policies-eg-dist-map.html#iam-policy-redrive-dist-map
The key permission is `states:RedriveExecution` on the following arn:
`arn:aws:states:us-east-2:123456789012:execution:myStateMachineName/myMapRunLabel:*`

However, when creating a state machine manually in the AWS Console, if there are any unlabeled distributed maps, the following policy is generated for the generated state machine role:
`arn:aws:states:us-east-2:123456789012:execution:myStateMachineName/*:*`

This change mirrors that logic in CDK.

### Description of changes

Minor: fix `map-with-catch` integ test failing because it was not emptying the bucket before attempting to delete it

- Updated the permissions granted in the `bind` method for DistributedMaps to include correct redrive permissions
- Fixed incorrect resource on the `states:StopExecution` and `states:DescribeExecution` permissions
- ~~Fix missing DistributedMap policy statements when the DistributedMap state was in a child `StateGraph` such as a `Parallel.branch`~~ This will be handled in a separate PR.

These changes fix the root cause of `grantRedriveExecution` not working for state machines with DistributedMaps

### Describe any new or updated permissions being added

when there is any unlabeled distributed map run state
```diff
  action: ["states:DescribeExecution", "states:StopExecution"]
- resource: "arn:aws:states:us-east-2:account-id:stateMachine:myStateMachine:*"
+ resource: "arn:aws:states:us-east-2:account-id:execution:myStateMachine:*"
//...
+ action: "states:RedriveExecution"
+ resource: "arn:aws:states:us-east-2:account-id:execution:myStateMachine/*:*"
```
when there are only labeled distributed map runs
```diff
  action: ["states:DescribeExecution", "states:StopExecution"]
- resource: "arn:aws:states:us-east-2:account-id:stateMachine:myStateMachine:*"
+ resource: "arn:aws:states:us-east-2:account-id:execution:myStateMachine:*"
//...
+ action: "states:RedriveExecution"
+ resource: [
+   "arn:aws:states:us-east-2:account-id:execution:myStateMachine/myLabel1:*", 
+   "arn:aws:states:us-east-2:account-id:execution:myStateMachine/myLabel2:*"
+ ]
```

### Description of how you validated changes

Unit & Integration tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@dependabot
chore(deps): bump the pip group across 7 directories with 2 updates (#…
50456b6 
…34882)

Bumps the pip group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-sourceKMSKeyArn.js.snapshot/asset.cab53c59addd4362c71a39b96e04505d5f53fa854b2ff7cbc6cd5925f5afca9d directory: [requests](https://github.com/psf/requests).
Bumps the pip group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/python-lambda-handler directory: [requests](https://github.com/psf/requests).
Bumps the pip group with 2 updates in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler directory: [requests](https://github.com/psf/requests) and [urllib3](https://github.com/urllib3/urllib3).
Bumps the pip group with 2 updates in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-custom-build directory: [requests](https://github.com/psf/requests) and [urllib3](https://github.com/urllib3/urllib3).
Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-dockercopy directory: [requests](https://github.com/psf/requests).
Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-pipenv directory: [requests](https://github.com/psf/requests).
Bumps the pip group with 2 updates in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-project/lambda directory: [requests](https://github.com/psf/requests) and [urllib3](https://github.com/urllib3/urllib3).

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>2.32.0 (2024-05-20)</h2>
<p><strong>Security</strong></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/psf/requests/commit/021dc729f0b71a3030cefdbec7fb57a0e80a6cfd"><code>021dc72</code></a> Polish up release tooling for last manual release</li>
<li><a href="https://github.com/psf/requests/commit/821770e822a20a21b207b3907ea83878bda1d396"><code>821770e</code></a> Bump version and add release notes for v2.32.4</li>
<li><a href="https://github.com/psf/requests/commit/59f8aa2adf1d3d06bcbf7ce6b13743a1639a5401"><code>59f8aa2</code></a> Add netrc file search information to authentication documentation (<a href="https://redirect.github.com/psf/requests/issues/6876">#6876</a>)</li>
<li><a href="https://github.com/psf/requests/commit/5b4b64c3467fd7a3c03f91ee641aaa348b6bed3b"><code>5b4b64c</code></a> Add more tests to prevent regression of CVE 2024 47081</li>
<li><a href="https://github.com/psf/requests/commit/7bc45877a86192af77645e156eb3744f95b47dae"><code>7bc4587</code></a> Add new test to check netrc auth leak (<a href="https://redirect.github.com/psf/requests/issues/6962">#6962</a>)</li>
<li><a href="https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef"><code>96ba401</code></a> Only use hostname to do netrc lookup instead of netloc</li>
<li><a href="https://github.com/psf/requests/commit/7341690e842a23cf18ded0abd9229765fa88c4e2"><code>7341690</code></a> Merge pull request <a href="https://redirect.github.com/psf/requests/issues/6951">#6951</a> from tswast/patch-1</li>
<li><a href="https://github.com/psf/requests/commit/6716d7c9f29df636643fa2489f98890216525cb0"><code>6716d7c</code></a> remove links</li>
<li><a href="https://github.com/psf/requests/commit/a7e1c745dc23c18e836febd672416ed0c5d8d8ae"><code>a7e1c74</code></a> Update docs/conf.py</li>
<li><a href="https://github.com/psf/requests/commit/c799b8167a13416833ad3b4f3298261a477e826f"><code>c799b81</code></a> docs: fix dead links to kenreitz.org</li>
<li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.31.0...v2.32.4">compare view</a></li>
</ul>
</details>
<br />

Updates `requests` from 2.31.0 to 2.32.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.4</h2>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file. (<a href="https://redirect.github.com/psf/requests/issues/6965">#6965</a>)</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
<li>Dropped support for pypy 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/6926">#6926</a>)</li>
</ul>
<h2>v2.32.3</h2>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>v2.32.2</h2>
<h2>2.32.2 (2024-05-21)</h2>
<p><strong>Deprecations</strong></p>
<ul>
<li>
<p>To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed <code>_get_connection</code> to
a new public API, <code>get_connection_with_tls_context</code>. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
<code>get_connection</code> is considered deprecated in all versions of Requests&gt;=2.32.0.</p>
<p>A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (<a href="https://redirect.github.com/psf/requests/issues/6710">#6710</a>)</p>
</li>
</ul>
<h2>v2.32.1</h2>
<h2>2.32.1 (2024-05-20)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Add missing test certs to the sdist distributed on PyPI.</li>
</ul>
<h2>v2.32.0</h2>
<p>2.32.0 (2024-05-20)</p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p>
<blockquote>
<h2>2.32.4 (2025-06-10)</h2>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Numerous documentation improvements</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Added support for pypy 3.11 for Linux and macOS.</li>
<li>Dropped support for pypy 3.9 following its end of support.</li>
</ul>
<h2>2.32.3 (2024-05-29)</h2>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (<a href="https://redirect.github.com/psf/requests/issues/6716">#6716</a>)</li>
<li>Fixed issue where Requests started failing to run on Python versions compiled
without the <code>ssl</code> module. (<a href="https://redirect.github.com/psf/requests/issues/6724">#6724</a>)</li>
</ul>
<h2>2.32.2 (20...

_Description has been truncated_
@phuhung273
feat(rds): add DatabaseProxyEndpoint L2 construct (#35064)
04d8a95 
### Issue # (if applicable)

Closes #14186

### Reason for this change
Add DatabaseProxyEndpoint L2 construct

### Description of changes
- Add `DatabaseProxyEndpoint` L2 construct
- `DatabaseProxy` support method `addEndpoint`

### Describe any new or updated permissions being added

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@badmintoncryer
feat(batch): ecs execute command (#35341)
30722f2 
### Issue # (if applicable)

None

### Reason for this change

AWS Batch now supports for ECS execute command(ECS exec) to access to the job container.
https://aws.amazon.com/about-aws/whats-new/2025/04/aws-batch-amazon-elastic-container-service-exec-firelens-log-router/?nc1=h_ls

### Description of changes

- Add `enableExecuteCommand` prop ro  `EcsContainerDefinitionProps`
- handle batch job role to add ecs exec policies 

### Describe any new or updated permissions being added

- Add some permissions to the job role
  - "ssmmessages:CreateControlChannel",
  - "ssmmessages:CreateDataChannel",
  - "ssmmessages:OpenControlChannel",
  - "ssmmessages:OpenDataChannel"


### Description of how you validated changes

Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@badmintoncryer
chore(synthetics): playwright 3.0 and puppeteer 10.0/11.0 runtime (#3…
9666259 
…5415)

### Issue # (if applicable)

None

### Reason for this change

AWS Synthetics Canary now supports for new runtime.
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_nodejs_playwright.html
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_nodejs_puppeteer.html

### Description of changes

Add new runtimes
- Puppeteer 10.0
- Puppeteer 11.0
- Playwright 3.0

### Describe any new or updated permissions being added

None


### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
chore(enum-updater): update enum static mapping (#35407)
1937ace 
This PR updates the CDK enum mapping file.
@badmintoncryer
feat(synthetics): browser type for canary (#35423)
fe0708b 
### Issue # (if applicable)

None

### Reason for this change

AWS Synthetics now supports for specifying browser type for canary not only Google Chrome but also Mozzila Firefox.

https://aws.amazon.com/jp/about-aws/whats-new/2025/09/amazon-cloudwatch-synthetics-adds-multi-browser-support/

### Description of changes

- add `BrowserType` enum
- add `BrowserConfigs` prop to `CanaryProps`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@djglaser
docs: update ECS service and Fargate documentation for new AZ rebalan…
b86f633 
…cing default values (#35354)

Updates documentation to reflect ECS change in default behavior for the `AvailabilityZoneRebalancing` property:

- For create service requests, when no value is specified for `AvailabilityZoneRebalancing`, Amazon ECS defaults to `ENABLED` if the ECS service is compatible with AvailabilityZoneRebalancing. If the ECS service is not compatible with AvailabilityZoneRebalancing, Amazon ECS backend defaults to `DISABLED`.
- For update service requests, when no value is specified for `AvailabilityZoneRebalancing`, Amazon ECS defaults to the existing service’s AvailabilityZoneRebalancing value. If the service never had an `AvailabilityZoneRebalancing` value set, Amazon ECS backend treats this as `DISABLED`.


### Issue # (if applicable)

Reintroduces #35156 (was reverted by #35233 due to regression)

### Reason for this change



### Description of changes



### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
alvazjor and others added 22 commits September 5, 2025 17:40
@alvazjor
chore: updating aws-iso-b partition to use node18x (#35412)
f701442 
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change
NodeJs22.x version is not yet available in all regions for aws-iso-b partition. Until it is, we need to keep NodeJs18.x as the latest version.

### Description of changes

Modified LATEST_NODE_RUNTIME_MAP in fact-table to map aws-iso-b partition to NodeJs18.x version. And updates all required unit and integration tests.

### Describe any new or updated permissions being added
NA


### Description of how you validated changes
Integ and unit tests

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@phuhung273
chore(rds): postgres 16.9-limitless, sqlserver 16.00.4210.1.v1,15.00.…
640d88d 
…4440.1.v1,14.00.3500.1.v1,13.00.6465.1.v1 (#35430)

### Issue # (if applicable)
None

### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-aurora-postgresql-limitless-database-postgresql-16-9/
https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-rds-latest-gdr-updates-microsoft-sql-server/

### Describe any new or updated permissions being added




### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine aurora-postgresql --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
-----------------------------------------
|       DescribeDBEngineVersions        |
+--------------------+------------------+
|       Engine       |  EngineVersion   |
+--------------------+------------------+
...
|  aurora-postgresql |  16.8-limitless  |
|  aurora-postgresql |  16.9            |
|  aurora-postgresql |  16.9-limitless  |
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@leonmk-aws
chore(ci): get pr number and sha from github context (#35405)
422e864 
### Issue # (if applicable)

Related to #35268 as the previous fix didn't fully work


### Reason for this change

The Pr linter workflow does not reach the code of the linter itself because it stop on error when being triggered at the end of a build, see the [following run](https://github.com/aws/aws-cdk/actions/runs/17435099055/job/49502649374) for example.

### Description of changes
Continue if `'Download workflow_run artifact'` to get the PR number and the pr sha from the Github context.


### Description of how you validated changes

Ran on my fork of the repo (canceling the build workflow retriggers this one), see the following run for example: https://github.com/leonmk-aws/aws-cdk/actions/runs/17435786087/job/49505111010

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@pahud
chore(ecs): add documentation to clarify that ECS clusters and their …
6cc426e 
…capacity providers (#35218)

Document ECS cross-stack capacity provider limitation

### Issue # (if applicable)

Closes #35210.

### Reason for this change

Users encounter circular dependency errors when trying to add ECS capacity providers from different stacks. The AWS CDK framework automatically creates bidirectional dependencies in cross-stack scenarios:

1. **Forward Dependency**: `ClusterStack` → `CapacityStack` (cluster needs capacity provider reference)
2. **Reverse Dependency**: `CapacityStack` → `ClusterStack` (capacity provider instances need cluster configuration)

This creates a circular dependency that CloudFormation cannot resolve. The current documentation does not clearly communicate this limitation, leading to user confusion.

### Description of changes

Added clear documentation notes in the ECS README to communicate that cross-stack ECS capacity provider registration is not supported by the CDK framework:

- Added a note in the main Capacity Providers section referencing the limitation
- Added a detailed note in the Auto Scaling Group Capacity Providers section explaining the constraint
- Provides clear guidance to deploy clusters and capacity providers in the same stack

This is a documentation-only change that clarifies existing behavior rather than introducing new functionality or breaking changes.

### Describe any new or updated permissions being added

No new or updated IAM permissions are needed - this is a documentation-only change.

### Description of how you validated changes

- Verified the documentation renders correctly in markdown
- Confirmed no code changes were made that could affect functionality
- Existing tests continue to pass unchanged

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@pahud
fix(ecr-assets): TarballImageAsset respects CDK_DOCKER environment …
8bf6b00 
…variable (#35344)

### Issue # (if applicable)

Closes #35336.

### Reason for this change

The `TarballImageAsset` class hardcoded the `docker` command in its executable array instead of respecting the `CDK_DOCKER` environment variable. This caused failures when users tried to use alternative container runtimes like Finch, breaking existing workflows that rely on `CDK_DOCKER` for container runtime selection.

### Description of changes

- Modified `TarballImageAsset` to use `${process.env.CDK_DOCKER ?? 'docker'}` pattern instead of hardcoded 'docker' command
- Added comprehensive unit test to verify CDK_DOCKER environment variable is respected
- Updated README.md to document CDK_DOCKER support for TarballImageAsset

The fix makes `TarballImageAsset` consistent with other CDK components that already respect the `CDK_DOCKER` environment variable, using the exact same pattern used throughout the CDK codebase.

### Describe any new or updated permissions being added

N/A - No IAM permissions or resource access changes. This is a build-time bug fix affecting asset preparation only.

### Description of how you validated changes

- **Unit tests**: Added new test case "respects CDK_DOCKER environment variable" that sets `CDK_DOCKER=custom-docker` and verifies the executable array contains the custom command. All existing tests continue to pass (35/35 tests in aws-ecr-assets module).
- **Integration tests**: Existing integration test passes with unchanged snapshot, confirming no CloudFormation template changes.
- **Manual validation**: Tested with `CDK_DOCKER=finch` to verify alternative container runtime support works correctly.
- **Regression testing**: Full test suite shows 15,874/15,883 tests passing (6 unrelated Docker daemon failures).

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@dependabot
chore(deps): bump actions/github-script from 7 to 8 (#35436)
72f81f6 
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/github-script/releases">actions/github-script's releases</a>.</em></p>
<blockquote>
<h2>v8.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Update Node.js version support to 24.x by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/637">actions/github-script#637</a></li>
<li>README for updating actions/github-script from v7 to v8 by <a href="https://github.com/sneha-krip"><code>@​sneha-krip</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/653">actions/github-script#653</a></li>
</ul>
<h2>⚠️ Minimum Compatible Runner Version</h2>
<p><strong>v2.327.1</strong><br />
<a href="https://github.com/actions/runner/releases/tag/v2.327.1">Release Notes</a></p>
<p>Make sure your runner is updated to this version or newer to use this release.</p>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/637">actions/github-script#637</a></li>
<li><a href="https://github.com/sneha-krip"><code>@​sneha-krip</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/653">actions/github-script#653</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/github-script/compare/v7.1.0...v8.0.0">https://github.com/actions/github-script/compare/v7.1.0...v8.0.0</a></p>
<h2>v7.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgrade husky to v9 by <a href="https://github.com/benelan"><code>@​benelan</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/482">actions/github-script#482</a></li>
<li>Add workflow file for publishing releases to immutable action package by <a href="https://github.com/Jcambass"><code>@​Jcambass</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/485">actions/github-script#485</a></li>
<li>Upgrade IA Publish by <a href="https://github.com/Jcambass"><code>@​Jcambass</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/486">actions/github-script#486</a></li>
<li>Fix workflow status badges by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/497">actions/github-script#497</a></li>
<li>Update usage of <code>actions/upload-artifact</code> by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/512">actions/github-script#512</a></li>
<li>Clear up package name confusion by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/514">actions/github-script#514</a></li>
<li>Update dependencies with <code>npm audit fix</code> by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/515">actions/github-script#515</a></li>
<li>Specify that the used script is JavaScript by <a href="https://github.com/timotk"><code>@​timotk</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/478">actions/github-script#478</a></li>
<li>chore: Add Dependabot for NPM and Actions by <a href="https://github.com/nschonni"><code>@​nschonni</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/472">actions/github-script#472</a></li>
<li>Define <code>permissions</code> in workflows and update actions by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/531">actions/github-script#531</a></li>
<li>chore: Add Dependabot for .github/actions/install-dependencies by <a href="https://github.com/nschonni"><code>@​nschonni</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/532">actions/github-script#532</a></li>
<li>chore: Remove .vscode settings by <a href="https://github.com/nschonni"><code>@​nschonni</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/533">actions/github-script#533</a></li>
<li>ci: Use github/setup-licensed by <a href="https://github.com/nschonni"><code>@​nschonni</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/473">actions/github-script#473</a></li>
<li>make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by <a href="https://github.com/iamstarkov"><code>@​iamstarkov</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/508">actions/github-script#508</a></li>
<li>Remove <code>octokit</code> README updates for v7 by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/557">actions/github-script#557</a></li>
<li>docs: add &quot;exec&quot; usage examples by <a href="https://github.com/neilime"><code>@​neilime</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/546">actions/github-script#546</a></li>
<li>Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/github-script/pull/563">actions/github-script#563</a></li>
<li>Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/github-script/pull/575">actions/github-script#575</a></li>
<li>Clearly document passing inputs to the <code>script</code> by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/603">actions/github-script#603</a></li>
<li>Update README.md by <a href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/610">actions/github-script#610</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/benelan"><code>@​benelan</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/482">actions/github-script#482</a></li>
<li><a href="https://github.com/Jcambass"><code>@​Jcambass</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/485">actions/github-script#485</a></li>
<li><a href="https://github.com/timotk"><code>@​timotk</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/478">actions/github-script#478</a></li>
<li><a href="https://github.com/iamstarkov"><code>@​iamstarkov</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/508">actions/github-script#508</a></li>
<li><a href="https://github.com/neilime"><code>@​neilime</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/546">actions/github-script#546</a></li>
<li><a href="https://github.com/nebuk89"><code>@​nebuk89</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/610">actions/github-script#610</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/github-script/compare/v7...v7.1.0">https://github.com/actions/github-script/compare/v7...v7.1.0</a></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/github-script/commit/ed597411d8f924073f98dfc5c65a23a2325f34cd"><code>ed59741</code></a> Merge pull request <a href="https://redirect.github.com/actions/github-script/issues/653">#653</a> from actions/sneha-krip/readme-for-v8</li>
<li><a href="https://github.com/actions/github-script/commit/2dc352e4baefd91bec0d06f6ae2f1045d1687ca3"><code>2dc352e</code></a> Bold minimum Actions Runner version in README</li>
<li><a href="https://github.com/actions/github-script/commit/01e118c8d0d22115597e46514b5794e7bc3d56f1"><code>01e118c</code></a> Update README for Node 24 runtime requirements</li>
<li><a href="https://github.com/actions/github-script/commit/8b222ac82eda86dcad7795c9d49b839f7bf5b18b"><code>8b222ac</code></a> Apply suggestion from <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a></li>
<li><a href="https://github.com/actions/github-script/commit/adc0eeac992408a7b276994ca87edde1c8ce4d25"><code>adc0eea</code></a> README for updating actions/github-script from v7 to v8</li>
<li><a href="https://github.com/actions/github-script/commit/20fe497b3fe0c7be8aae5c9df711ac716dc9c425"><code>20fe497</code></a> Merge pull request <a href="https://redirect.github.com/actions/github-script/issues/637">#637</a> from actions/node24</li>
<li><a href="https://github.com/actions/github-script/commit/e7b7f222b11a03e8b695c4c7afba89a02ea20164"><code>e7b7f22</code></a> update licenses</li>
<li><a href="https://github.com/actions/github-script/commit/2c81ba05f308415d095291e6eeffe983d822345b"><code>2c81ba0</code></a> Update Node.js version support to 24.x</li>
<li>See full diff in <a href="https://github.com/actions/github-script/compare/v7...v8">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/github-script&package-manager=github_actions&previous-version=7&new-version=8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
@dependabot
chore(deps): bump actions/setup-node from 4 to 5 (#35437)
220952d 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p>
<blockquote>
<h2>v5.0.0</h2>
<h2>What's Changed</h2>
<h3>Breaking Changes</h3>
<ul>
<li>Enhance caching in setup-node with automatic package manager detection by <a href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li>
</ul>
<p>This update, introduces automatic caching when a valid <code>packageManager</code> field is present in your <code>package.json</code>. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set <code>package-manager-cache: false</code></p>
<pre lang="yaml"><code>steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false
</code></pre>
<ul>
<li>Upgrade action to use node24 by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li>
</ul>
<p>Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. <a href="https://github.com/actions/runner/releases/tag/v2.327.1">See Release Notes</a></p>
<h3>Dependency Upgrades</h3>
<ul>
<li>Upgrade <code>@​octokit/request-error</code> and <code>@​actions/github</code> by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1227">actions/setup-node#1227</a></li>
<li>Upgrade uuid from 9.0.1 to 11.1.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1273">actions/setup-node#1273</a></li>
<li>Upgrade undici from 5.28.5 to 5.29.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1295">actions/setup-node#1295</a></li>
<li>Upgrade form-data to bring in fix for critical vulnerability by <a href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1332">actions/setup-node#1332</a></li>
<li>Upgrade actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1345">actions/setup-node#1345</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v5.0.0">https://github.com/actions/setup-node/compare/v4...v5.0.0</a></p>
<h2>v4.4.0</h2>
<h2>What's Changed</h2>
<h3>Bug fixes:</h3>
<ul>
<li>Make eslint-compact matcher compatible with Stylelint by <a href="https://github.com/FloEdelmann"><code>@​FloEdelmann</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/98">actions/setup-node#98</a></li>
<li>Add support for indented eslint output by <a href="https://github.com/fregante"><code>@​fregante</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1245">actions/setup-node#1245</a></li>
</ul>
<h3>Enhancement:</h3>
<ul>
<li>Support private mirrors by <a href="https://github.com/marco-ippolito"><code>@​marco-ippolito</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1240">actions/setup-node#1240</a></li>
</ul>
<h3>Dependency update:</h3>
<ul>
<li>Upgrade <code>@​action/cache</code> from 4.0.2 to 4.0.3 by <a href="https://github.com/aparnajyothi-y"><code>@​aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1262">actions/setup-node#1262</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/FloEdelmann"><code>@​FloEdelmann</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/98">actions/setup-node#98</a></li>
<li><a href="https://github.com/fregante"><code>@​fregante</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1245">actions/setup-node#1245</a></li>
<li><a href="https://github.com/marco-ippolito"><code>@​marco-ippolito</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1240">actions/setup-node#1240</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v4.4.0">https://github.com/actions/setup-node/compare/v4...v4.4.0</a></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/setup-node/commit/a0853c24544627f65ddf259abe73b1d18a591444"><code>a0853c2</code></a> Bump actions/checkout from 4 to 5 (<a href="https://redirect.github.com/actions/setup-node/issues/1345">#1345</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/b7234cc9fe124f0f4932554b4e5284543083ae7b"><code>b7234cc</code></a> Upgrade action to use node24 (<a href="https://redirect.github.com/actions/setup-node/issues/1325">#1325</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/d7a11313b581b306c961b506cfc8971208bb03f6"><code>d7a1131</code></a> Enhance caching in setup-node with automatic package manager detection (<a href="https://redirect.github.com/actions/setup-node/issues/1348">#1348</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/5e2628c959b9ade56971c0afcebbe5332d44b398"><code>5e2628c</code></a> Bumps form-data (<a href="https://redirect.github.com/actions/setup-node/issues/1332">#1332</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/65beceff8e91358525397bdce9103d999507ab03"><code>65becef</code></a> Bump undici from 5.28.5 to 5.29.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1295">#1295</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/7e24a656e1c7a0d6f3eaef8d8e84ae379a5b035b"><code>7e24a65</code></a> Bump uuid from 9.0.1 to 11.1.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1273">#1273</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/08f58d1471bff7f3a07d167b4ad7df25d5fcfcb6"><code>08f58d1</code></a> Bump <code>@​octokit/request-error</code> and <code>@​actions/github</code> (<a href="https://redirect.github.com/actions/setup-node/issues/1227">#1227</a>)</li>
<li>See full diff in <a href="https://github.com/actions/setup-node/compare/v4...v5">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-node&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
@aws-cdk-automation
feat: update L1 CloudFormation resource definitions (#35435)
d7f211f 
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-batch
│ └ resources
│    └[~]  resource AWS::Batch::ComputeEnvironment
│       ├ properties
│       │  └ EksConfiguration: (documentation changed)
│       └ types
│          └[~] type Ec2ConfigurationObject
│            └ properties
│               └ ImageType: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│    ├[+]  resource AWS::Bedrock::AutomatedReasoningPolicy
│    │  ├      name: AutomatedReasoningPolicy
│    │  │      cloudFormationType: AWS::Bedrock::AutomatedReasoningPolicy
│    │  │      documentation: Creates an Automated Reasoning policy for Amazon Bedrock Guardrails. Automated Reasoning policies use mathematical techniques to detect hallucinations, suggest corrections, and highlight unstated assumptions in the responses of your GenAI application.
│    │  │      To create a policy, you upload a source document that describes the rules that you're encoding. Automated Reasoning extracts important concepts from the source document that will become variables in the policy and infers policy rules.
│    │  │      To learn more about creating Automated Reasoning policies, see [Minimize AI hallucinations and deliver up to 99% verification accuracy with Automated Reasoning checks: Now available](https://docs.aws.amazon.com/aws/minimize-ai-hallucinations-and-deliver-up-to-99-verification-accuracy-with-automated-reasoning-checks-now-available/) in the *AWS News Blog* .
│    │  │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │  ├ properties
│    │  │  ├ Name: string (required)
│    │  │  ├ Description: string
│    │  │  ├ PolicyDefinition: PolicyDefinition
│    │  │  └ Tags: Array<tag>
│    │  ├ attributes
│    │  │  ├ Version: string
│    │  │  ├ PolicyId: string
│    │  │  ├ PolicyArn: string
│    │  │  ├ DefinitionHash: string
│    │  │  ├ CreatedAt: string
│    │  │  └ UpdatedAt: string
│    │  └ types
│    │     ├ type PolicyDefinition
│    │     │ ├      documentation: The complete policy definition containing rules, variables, and types.
│    │     │ │      name: PolicyDefinition
│    │     │ └ properties
│    │     │    ├ Version: string
│    │     │    ├ Types: Array<PolicyDefinitionType>
│    │     │    ├ Rules: Array<PolicyDefinitionRule>
│    │     │    └ Variables: Array<PolicyDefinitionVariable>
│    │     ├ type PolicyDefinitionRule
│    │     │ ├      documentation: A rule within the policy definition that defines logical constraints.
│    │     │ │      name: PolicyDefinitionRule
│    │     │ └ properties
│    │     │    ├ Id: string (required)
│    │     │    ├ Expression: string (required)
│    │     │    └ AlternateExpression: string
│    │     ├ type PolicyDefinitionType
│    │     │ ├      documentation: A custom type definition within the policy.
│    │     │ │      name: PolicyDefinitionType
│    │     │ └ properties
│    │     │    ├ Name: string (required)
│    │     │    ├ Description: string
│    │     │    └ Values: Array<PolicyDefinitionTypeValue> (required)
│    │     ├ type PolicyDefinitionTypeValue
│    │     │ ├      documentation: A value associated with a custom type in the policy definition.
│    │     │ │      name: PolicyDefinitionTypeValue
│    │     │ └ properties
│    │     │    ├ Value: string (required)
│    │     │    └ Description: string
│    │     └ type PolicyDefinitionVariable
│    │       ├      documentation: A variable defined within the policy that can be used in rules.
│    │       │      name: PolicyDefinitionVariable
│    │       └ properties
│    │          ├ Name: string (required)
│    │          ├ Type: string (required)
│    │          └ Description: string (required)
│    └[+]  resource AWS::Bedrock::AutomatedReasoningPolicyVersion
│       ├      name: AutomatedReasoningPolicyVersion
│       │      cloudFormationType: AWS::Bedrock::AutomatedReasoningPolicyVersion
│       │      documentation: Creates a new version of an existing Automated Reasoning policy. This allows you to iterate on your policy rules while maintaining previous versions for rollback or comparison purposes.
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       ├ properties
│       │  ├ PolicyArn: string (required, immutable)
│       │  ├ LastUpdatedDefinitionHash: string (immutable)
│       │  └ Tags: Array<tag> (immutable)
│       └ attributes
│          ├ Version: string
│          ├ Name: string
│          ├ Description: string
│          ├ CreatedAt: string
│          ├ UpdatedAt: string
│          ├ PolicyId: string
│          └ DefinitionHash: string
├[~] service aws-cloudfront
│ └ resources
│    └[~]  resource AWS::CloudFront::Distribution
│       └ types
│          └[~] type CustomOriginConfig
│            └ properties
│               └ IpAddressType: (documentation changed)
├[~] service aws-datazone
│ └ resources
│    └[~]  resource AWS::DataZone::PolicyGrant
│       └ types
│          └[~] type PolicyGrantDetail
│            └ properties
│               └ CreateGlossary: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    ├[~]  resource AWS::EC2::ClientVpnEndpoint
│    │  └ properties
│    │     └ ClientCidrBlock: - string (required, immutable)
│    │                        + string (immutable)
│    ├[~]  resource AWS::EC2::EC2Fleet
│    │  └ types
│    │     ├[~] type BlockDeviceMapping
│    │     │ └ properties
│    │     │    └ DeviceName: (documentation changed)
│    │     └[~] type Placement
│    │       └ properties
│    │          ├ AvailabilityZone: (documentation changed)
│    │          ├ GroupName: (documentation changed)
│    │          └ HostResourceGroupArn: (documentation changed)
│    ├[~]  resource AWS::EC2::Instance
│    │  └ types
│    │     └[~] type BlockDeviceMapping
│    │       └ properties
│    │          └ DeviceName: (documentation changed)
│    ├[~]  resource AWS::EC2::SpotFleet
│    │  └ types
│    │     └[~] type BlockDeviceMapping
│    │       └ properties
│    │          └ DeviceName: (documentation changed)
│    └[~]  resource AWS::EC2::VPCBlockPublicAccessOptions
│       └ attributes
│          └[+] ExclusionsAllowed: string
├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       ├ properties
│       │  └ AvailabilityZoneRebalancing: - string (default="DISABLED")
│       │                                 + string (default="ENABLED")
│       └ types
│          └[~] type ForceNewDeployment
│            ├      - documentation: undefined
│            │      + documentation: Determines whether to force a new deployment of the service. By default, deployments aren't forced. You can use this option to start a new deployment with no service definition changes. For example, you can update a service's tasks to use a newer Docker image with the same image/tag combination ( `my_image:latest` ) or to roll Fargate tasks onto a newer platform version.
│            └ properties
│               ├ EnableForceNewDeployment: (documentation changed)
│               └ ForceNewDeploymentNonce: (documentation changed)
├[~] service aws-gameliftstreams
│ └ resources
│    └[~]  resource AWS::GameLiftStreams::StreamGroup
│       ├      - documentation: The `AWS::GameLiftStreams::StreamGroup` resource defines a group of compute resources that will be running and streaming your game. When you create a stream group, you specify the hardware configuration (CPU, GPU, RAM) that will run your game (known as the *stream class* ), the geographical locations where your game can run, and the number of streams that can run simultaneously in each location (known as *stream capacity* ). Stream groups manage how Amazon GameLift Streams allocates resources and handles concurrent streams, allowing you to effectively manage capacity and costs.
│       │      There are two types of stream capacity: always-on and on-demand.
│       │      - *Always-on* : The streaming capacity that is allocated and ready to handle stream requests without delay. You pay for this capacity whether it's in use or not. Best for quickest time from streaming request to streaming session. Default is 1 when creating a stream group or adding a location.
│       │      - *On-demand* : The streaming capacity that Amazon GameLift Streams can allocate in response to stream requests, and then de-allocate when the session has terminated. This offers a cost control measure at the expense of a greater startup time (typically under 5 minutes). Default is 0 when creating a stream group or adding a location.
│       │      > Application association is not currently supported in AWS CloudFormation . To link additional applications to a stream group, use the Amazon GameLift Streams console or the AWS CLI .
│       │      + documentation: The `AWS::GameLiftStreams::StreamGroup` resource defines a group of compute resources that will be running and streaming your game. When you create a stream group, you specify the hardware configuration (CPU, GPU, RAM) that will run your game (known as the *stream class* ), the geographical locations where your game can run, and the number of streams that can run simultaneously in each location (known as *stream capacity* ). Stream groups manage how Amazon GameLift Streams allocates resources and handles concurrent streams, allowing you to effectively manage capacity and costs.
│       │      There are two types of stream capacity: always-on and on-demand.
│       │      - *Always-on* : The streaming capacity that is allocated and ready to handle stream requests without delay. You pay for this capacity whether it's in use or not. Best for quickest time from streaming request to streaming session. Default is 1 (2 for high stream classes) when creating a stream group or adding a location.
│       │      - *On-demand* : The streaming capacity that Amazon GameLift Streams can allocate in response to stream requests, and then de-allocate when the session has terminated. This offers a cost control measure at the expense of a greater startup time (typically under 5 minutes). Default is 0 when creating a stream group or adding a location.
│       │      Values for capacity must be whole number multiples of the tenancy value of the stream group's stream class.
│       │      > Application association is not currently supported in AWS CloudFormation . To link additional applications to a stream group, use the Amazon GameLift Streams console or the AWS CLI .
│       └ types
│          └[~] type LocationConfiguration
│            └ properties
│               └ AlwaysOnCapacity: (documentation changed)
├[~] service aws-iotsitewise
│ └ resources
│    └[~]  resource AWS::IoTSiteWise::AccessPolicy
│       └      - documentation: Creates an access policy that grants the specified identity (IAM Identity Center user, IAM Identity Center group, or IAM user) access to the specified AWS IoT SiteWise Monitor portal or project resource.
│              + documentation: Creates an access policy that grants the specified identity (IAM Identity Center user, IAM Identity Center group, or IAM user) access to the specified AWS IoT SiteWise Monitor portal or project resource.
│              > Support for access policies that use an SSO Group as the identity is not supported at this time.
├[~] service aws-ivs
│ └ resources
│    └[~]  resource AWS::IVS::Stage
│       └ types
│          └[~] type ParticipantThumbnailConfiguration
│            └ properties
│               └ RecordingMode: - string (default="INTERVAL")
│                                + string (default="DISABLED")
├[~] service aws-lex
│ └ resources
│    └[~]  resource AWS::Lex::Bot
│       ├ properties
│       │  └[+] ErrorLogSettings: ErrorLogSettings
│       └ types
│          └[+]  type ErrorLogSettings
│             ├      name: ErrorLogSettings
│             └ properties
│                └ Enabled: boolean (required)
├[~] service aws-notifications
│ └ resources
│    └[+]  resource AWS::Notifications::OrganizationalUnitAssociation
│       ├      name: OrganizationalUnitAssociation
│       │      cloudFormationType: AWS::Notifications::OrganizationalUnitAssociation
│       │      documentation: Resource Type definition for AWS::Notifications::OrganizationalUnitAssociation
│       └ properties
│          ├ NotificationConfigurationArn: string (required, immutable)
│          └ OrganizationalUnitId: string (required, immutable)
├[~] service aws-omics
│ └ resources
│    └[~]  resource AWS::Omics::Workflow
│       └      - documentation: Creates a private workflow. Before you create a private workflow, you must create and configure these required resources:
│              - *Workflow definition files* : Define your workflow in one or more workflow definition files, written in WDL, Nextflow, or CWL. The workflow definition specifies the inputs and outputs for runs that use the workflow. It also includes specifications for the runs and run tasks for your workflow, including compute and memory requirements. The workflow definition file must be in .zip format.
│              - (Optional) *Parameter template* : You can create a parameter template file that defines the run parameters, or AWS HealthOmics can generate the parameter template for you.
│              - *ECR container images* : Create one or more container images for the workflow. Store the images in a private ECR repository.
│              - (Optional) *Sentieon licenses* : Request a Sentieon license if using the Sentieon software in a private workflow.
│              For more information, see [Creating or updating a private workflow in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/creating-private-workflows.html) in the *AWS HealthOmics User Guide* .
│              + documentation: Creates a private workflow. Before you create a private workflow, you must create and configure these required resources:
│              - *Workflow definition files* : Define your workflow in one or more workflow definition files, written in WDL, Nextflow, or CWL. The workflow definition specifies the inputs and outputs for runs that use the workflow. It also includes specifications for the runs and run tasks for your workflow, including compute and memory requirements. The workflow definition file must be in .zip format.
│              - (Optional) *Parameter template* : You can create a parameter template file that defines the run parameters, or AWS HealthOmics can generate the parameter template for you.
│              - *ECR container images* : Create container images for the workflow in a private ECR repository, or synchronize images from a supported upstream registry with your Amazon ECR private repository.
│              - (Optional) *Sentieon licenses* : Request a Sentieon license if using the Sentieon software in a private workflow.
│              For more information, see [Creating or updating a private workflow in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/creating-private-workflows.html) in the *AWS HealthOmics User Guide* .
├[~] service aws-pcs
│ └ resources
│    ├[~]  resource AWS::PCS::Cluster
│    │  ├      - documentation: The `AWS::PCS::Cluster` resource creates an AWS PCS cluster.
│    │  │      + documentation: Creates an AWS PCS cluster resource. For more information, see [Creating a cluster in AWS Parallel Computing Service](https://docs.aws.amazon.com/pcs/latest/userguide/working-with_clusters_create.html) in the *AWS PCS User Guide* .
│    │  ├ properties
│    │  │  └ Size: (documentation changed)
│    │  ├ attributes
│    │  │  └ Status: (documentation changed)
│    │  └ types
│    │     ├[~] type Accounting
│    │     │ ├      - documentation: The accounting configuration includes configurable settings for Slurm accounting. It's a property of the `ClusterSlurmConfiguration` object.
│    │     │ │      + documentation: The accounting configuration includes configurable settings for Slurm accounting.
│    │     │ └ properties
│    │     │    └ DefaultPurgeTimeInDays: (documentation changed)
│    │     ├[~] type AuthKey
│    │     │ └ properties
│    │     │    └ SecretArn: (documentation changed)
│    │     ├[~] type Endpoint
│    │     │ └ properties
│    │     │    ├ Port: (documentation changed)
│    │     │    └ PublicIpAddress: (documentation changed)
│    │     ├[~] type ErrorInfo
│    │     │ └      - documentation: An error that occurred during resource provisioning.
│    │     │        + documentation: An error that occurred during resource creation.
│    │     ├[~] type Networking
│    │     │ └ properties
│    │     │    ├ SecurityGroupIds: (documentation changed)
│    │     │    └ SubnetIds: (documentation changed)
│    │     ├[~] type Scheduler
│    │     │ └ properties
│    │     │    └ Version: (documentation changed)
│    │     ├[~] type SlurmConfiguration
│    │     │ └ properties
│    │     │    ├ AuthKey: (documentation changed)
│    │     │    └ ScaleDownIdleTimeInSeconds: (documentation changed)
│    │     └[~] type SlurmCustomSetting
│    │       └ properties
│    │          └ ParameterName: (documentation changed)
│    ├[~]  resource AWS::PCS::ComputeNodeGroup
│    │  ├      - documentation: The `AWS::PCS::ComputeNodeGroup` resource creates an AWS PCS compute node group.
│    │  │      + documentation: Creates an AWS PCS compute node group resource. For more information, see [Creating a compute node group in AWS PCS](https://docs.aws.amazon.com/pcs/latest/userguide/working-with_cng_create.html) in the *AWS PCS User Guide* .
│    │  ├ properties
│    │  │  ├ IamInstanceProfileArn: (documentation changed)
│    │  │  ├ InstanceConfigs: (documentation changed)
│    │  │  ├ PurchaseOption: (documentation changed)
│    │  │  └ SpotOptions: (documentation changed)
│    │  ├ attributes
│    │  │  └ Status: (documentation changed)
│    │  └ types
│    │     ├[~] type ErrorInfo
│    │     │ └      - documentation: The list of errors that occurred during compute node group provisioning.
│    │     │        + documentation: An error that occurred during resource creation.
│    │     ├[~] type SlurmCustomSetting
│    │     │ └ properties
│    │     │    └ ParameterName: (documentation changed)
│    │     └[~] type SpotOptions
│    │       ├      - documentation: Additional configuration when you specify `SPOT` as the `purchaseOption` .
│    │       │      + documentation: Additional configuration when you specify `SPOT` as the `purchaseOption` for the `CreateComputeNodeGroup` API action.
│    │       └ properties
│    │          └ AllocationStrategy: (documentation changed)
│    └[~]  resource AWS::PCS::Queue
│       ├      - documentation: The `AWS::PCS::Queue` resource creates an AWS PCS queue.
│       │      + documentation: Creates an AWS PCS queue resource. For more information, see [Creating a queue in AWS PCS](https://docs.aws.amazon.com/pcs/latest/userguide/working-with_queues_create.html) in the *AWS PCS User Guide* .
│       ├ attributes
│       │  └ Status: (documentation changed)
│       └ types
│          └[~] type ErrorInfo
│            └      - documentation: An error that occurred during resource provisioning.
│                   + documentation: An error that occurred during resource creation.
├[~] service aws-s3tables
│ └ resources
│    ├[~]  resource AWS::S3Tables::Namespace
│    │  ├      - documentation: Creates a namespace. A namespace is a logical grouping of tables within your table bucket, which you can use to organize tables. For more information, see [Create a namespace](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-namespace-create.html) in the *Amazon Simple Storage Service User Guide* .
│    │  │      - **Permissions** - You must have the `s3tables:CreateNamespace` permission to use this operation.
│    │  │      + documentation: Creates a namespace. A namespace is a logical grouping of tables within your table bucket, which you can use to organize tables. For more information, see [Create a namespace](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-namespace-create.html) in the *Amazon Simple Storage Service User Guide* .
│    │  │      - **Permissions** - You must have the `s3tables:CreateNamespace` permission to use this operation.
│    │  │      - **Cloud Development Kit** - To use S3 Tables AWS CDK constructs, add the `@aws-cdk/aws-s3tables-alpha` dependency with one of the following options:
│    │  │      - NPM: `npm i @aws-cdk/aws-s3tables-alpha`
│    │  │      - Yarn: `yarn add @aws-cdk/aws-s3tables-alpha`
│    │  └ properties
│    │     └ TableBucketARN: (documentation changed)
│    ├[~]  resource AWS::S3Tables::Table
│    │  ├      - documentation: Creates a new table associated with the given namespace in a table bucket. For more information, see [Creating an Amazon S3 table](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-create.html) in the *Amazon Simple Storage Service User Guide* .
│    │  │      - **Permissions** - - You must have the `s3tables:CreateTable` permission to use this operation.
│    │  │      - If you use this operation with the optional `metadata` request parameter you must have the `s3tables:PutTableData` permission.
│    │  │      - If you use this operation with the optional `encryptionConfiguration` request parameter you must have the `s3tables:PutTableEncryption` permission.
│    │  │      > Additionally, If you choose SSE-KMS encryption you must grant the S3 Tables maintenance principal access to your KMS key. For more information, see [Permissions requirements for S3 Tables SSE-KMS encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html) .
│    │  │      + documentation: Creates a new table associated with the given namespace in a table bucket. For more information, see [Creating an Amazon S3 table](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-create.html) in the *Amazon Simple Storage Service User Guide* .
│    │  │      - **Permissions** - - You must have the `s3tables:CreateTable` permission to use this operation.
│    │  │      - If you use this operation with the optional `metadata` request parameter you must have the `s3tables:PutTableData` permission.
│    │  │      - If you use this operation with the optional `encryptionConfiguration` request parameter you must have the `s3tables:PutTableEncryption` permission.
│    │  │      > Additionally, If you choose SSE-KMS encryption you must grant the S3 Tables maintenance principal access to your KMS key. For more information, see [Permissions requirements for S3 Tables SSE-KMS encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html) .
│    │  │      - **Cloud Development Kit** - To use S3 Tables AWS CDK constructs, add the `@aws-cdk/aws-s3tables-alpha` dependency with one of the following options:
│    │  │      - NPM: `npm i @aws-cdk/aws-s3tables-alpha`
│    │  │      - Yarn: `yarn add @aws-cdk/aws-s3tables-alpha`
│    │  ├ properties
│    │  │  ├ Compaction: (documentation changed)
│    │  │  ├ OpenTableFormat: (documentation changed)
│    │  │  ├ SnapshotManagement: (documentation changed)
│    │  │  ├ TableBucketARN: (documentation changed)
│    │  │  └ WithoutMetadata: (documentation changed)
│    │  ├ attributes
│    │  │  └ VersionToken: (documentation changed)
│    │  └ types
│    │     ├[~] type Compaction
│    │     │ ├      - documentation: Settings governing the Compaction maintenance action. Contains details about the compaction settings for an Iceberg table.
│    │     │ │      + documentation: Contains details about the compaction settings for an Iceberg table.
│    │     │ └ properties
│    │     │    └ Status: (documentation changed)
│    │     ├[~] type IcebergMetadata
│    │     │ └ properties
│    │     │    └ IcebergSchema: (documentation changed)
│    │     ├[~] type IcebergSchema
│    │     │ └ properties
│    │     │    └ SchemaFieldList: (documentation changed)
│    │     └[~] type SnapshotManagement
│    │       ├      - documentation: Contains details about the snapshot management settings for an Iceberg table. A snapshot is expired when it exceeds MinSnapshotsToKeep and MaxSnapshotAgeHours.
│    │       │      + documentation: Contains details about the snapshot management settings for an Iceberg table. The oldest snapshot expires when its age exceeds the `maxSnapshotAgeHours` and the total number of snapshots exceeds the value for the minimum number of snapshots to keep `minSnapshotsToKeep` .
│    │       └ properties
│    │          └ Status: (documentation changed)
│    ├[~]  resource AWS::S3Tables::TableBucket
│    │  └      - documentation: Creates a table bucket. For more information, see [Creating a table bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets-create.html) in the *Amazon Simple Storage Service User Guide* .
│    │         - **Permissions** - - You must have the `s3tables:CreateTableBucket` permission to use this operation.
│    │         - If you use this operation with the optional `encryptionConfiguration` parameter you must have the `s3tables:PutTableBucketEncryption` permission.
│    │         + documentation: Creates a table bucket. For more information, see [Creating a table bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets-create.html) in the *Amazon Simple Storage Service User Guide* .
│    │         - **Permissions** - - You must have the `s3tables:CreateTableBucket` permission to use this operation.
│    │         - If you use this operation with the optional `encryptionConfiguration` parameter you must have the `s3tables:PutTableBucketEncryption` permission.
│    │         - **Cloud Development Kit** - To use S3 Tables AWS CDK constructs, add the `@aws-cdk/aws-s3tables-alpha` dependency with one of the following options:
│    │         - NPM: `npm i @aws-cdk/aws-s3tables-alpha`
│    │         - Yarn: `yarn add @aws-cdk/aws-s3tables-alpha`
│    ├[~]  resource AWS::S3Tables::TableBucketPolicy
│    │  └      - documentation: Creates a new table bucket policy or replaces an existing table bucket policy for a table bucket. For more information, see [Adding a table bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-bucket-policy.html#table-bucket-policy-add) in the *Amazon Simple Storage Service User Guide* .
│    │         - **Permissions** - You must have the `s3tables:PutTableBucketPolicy` permission to use this operation.
│    │         + documentation: Creates a new maintenance configuration or replaces an existing table bucket policy for a table bucket. For more information, see [Adding a table bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-bucket-policy.html#table-bucket-policy-add) in the *Amazon Simple Storage Service User Guide* .
│    │         - **Permissions** - You must have the `s3tables:PutTableBucketPolicy` permission to use this operation.
│    │         - **Cloud Development Kit** - To use S3 Tables AWS CDK constructs, add the `@aws-cdk/aws-s3tables-alpha` dependency with one of the following options:
│    │         - NPM: `npm i @aws-cdk/aws-s3tables-alpha`
│    │         - Yarn: `yarn add @aws-cdk/aws-s3tables-alpha`
│    └[~]  resource AWS::S3Tables::TablePolicy
│       ├      - documentation: Creates a new table policy or replaces an existing table policy for a table. For more information, see [Adding a table policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-table-policy.html#table-policy-add) in the *Amazon Simple Storage Service User Guide* .
│       │      - **Permissions** - You must have the `s3tables:PutTablePolicy` permission to use this operation.
│       │      + documentation: Creates a new maintenance configuration or replaces an existing table policy for a table. For more information, see [Adding a table policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-table-policy.html#table-policy-add) in the *Amazon Simple Storage Service User Guide* .
│       │      - **Permissions** - You must have the `s3tables:PutTablePolicy` permission to use this operation.
│       │      - **Cloud Development Kit** - To use S3 Tables AWS CDK constructs, add the `@aws-cdk/aws-s3tables-alpha` dependency with one of the following options:
│       │      - NPM: `npm i @aws-cdk/aws-s3tables-alpha`
│       │      - Yarn: `yarn add @aws-cdk/aws-s3tables-alpha`
│       ├ properties
│       │  ├ ResourcePolicy: (documentation changed)
│       │  └ TableARN: (documentation changed)
│       └ attributes
│          ├ Namespace: (documentation changed)
│          ├ TableBucketARN: (documentation changed)
│          └ TableName: (documentation changed)
├[~] service aws-secretsmanager
│ └ resources
│    └[~]  resource AWS::SecretsManager::RotationSchedule
│       └ types
│          └[~] type HostedRotationLambda
│            └ properties
│               └ Runtime: (documentation changed)
├[~] service aws-ses
│ └ resources
│    ├[~]  resource AWS::SES::ConfigurationSet
│    │  └ types
│    │     ├[~] type DeliveryOptions
│    │     │ └ properties
│    │     │    └ MaxDeliverySeconds: (documentation changed)
│    │     └[~] type TrackingOptions
│    │       └ properties
│    │          └ HttpsPolicy: (documentation changed)
│    ├[~]  resource AWS::SES::MailManagerAddonSubscription
│    │  └ properties
│    │     └ AddonName: (documentation changed)
│    ├[~]  resource AWS::SES::MailManagerAddressList
│    │  ├      - documentation: Definition of AWS::SES::MailManagerAddressList Resource Type
│    │  │      + documentation: The structure representing the address lists and address list attribute that will be used in evaluation of boolean expression.
│    │  ├ properties
│    │  │  ├ AddressListName: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  └ attributes
│    │     ├ AddressListArn: (documentation changed)
│    │     └ AddressListId: (documentation changed)
│    ├[~]  resource AWS::SES::MailManagerTrafficPolicy
│    │  └ types
│    │     ├[~] type IngressBooleanToEvaluate
│    │     │ └ properties
│    │     │    └ IsInAddressList: (documentation changed)
│    │     ├[~] type IngressIpv6Expression
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The union type representing the allowed types for the left hand side of an IPv6 condition.
│    │     │ └ properties
│    │     │    ├ Evaluate: (documentation changed)
│    │     │    ├ Operator: (documentation changed)
│    │     │    └ Values: (documentation changed)
│    │     ├[~] type IngressIpv6ToEvaluate
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The structure for an IPv6 based condition matching on the incoming mail.
│    │     │ └ properties
│    │     │    └ Attribute: (documentation changed)
│    │     ├[~] type IngressIsInAddressList
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The address lists and the address list attribute value that is evaluated in a policy statement's conditional expression to either deny or block the incoming email.
│    │     │ └ properties
│    │     │    ├ AddressLists: (documentation changed)
│    │     │    └ Attribute: (documentation changed)
│    │     ├[~] type IngressStringToEvaluate
│    │     │ └ properties
│    │     │    └ Analysis: (documentation changed)
│    │     └[~] type PolicyCondition
│    │       └ properties
│    │          └ Ipv6Expression: (documentation changed)
│    └[~]  resource AWS::SES::ReceiptRule
│       └ types
│          └[~] type Action
│            └ properties
│               └ ConnectAction: (documentation changed)
├[~] service aws-synthetics
│ └ resources
│    └[~]  resource AWS::Synthetics::Canary
│       ├ properties
│       │  ├ BrowserConfigs: (documentation changed)
│       │  ├ VisualReference: (documentation changed)
│       │  └ VisualReferences: (documentation changed)
│       └ types
│          └[~] type BrowserConfig
│            ├      - documentation: undefined
│            │      + documentation: A structure that specifies the browser type to use for a canary run.
│            └ properties
│               └ BrowserType: (documentation changed)
└[~] service aws-wisdom
  └ resources
     └[~]  resource AWS::Wisdom::AIPrompt
        └ properties
           └ ModelId: - string (required, immutable)
                      + string (required)
```
### CHANGES TO L1 RESOURCES:
* L1 resources are automatically generated from public CloudFormation Resource Schemas. They are build to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

* **aws-ec2:** AWS::EC2::ClientVpnEndpoint: ClientCidrBlock property is now optional.
* **aws-ecs:** AWS::ECS::Service: AvailabilityZoneRebalancing default value changed from "DISABLED" to "ENABLED".
* **aws-ivs:** AWS::IVS::Stage: RecordingMode default value in ParticipantThumbnailConfiguration changed from "INTERVAL" to "DISABLED".
* **aws-wisdom:** AWS::Wisdom::AIPrompt: ModelId property is now mutable.
@github-actions
chore(cloudfront): add new enum values for cloudfront (#35440)
3721c2b 
This PR updates the enum values for cloudfront.
@github-actions
chore(rds): add new enum values for rds (#35444)
40644c6 
This PR updates the enum values for rds.
@Kasra-G
fix(stepfunctions): unable to run distributed map when only defined i…
036b413 
…n nested StateGraphs (#35417)

### Issue \#

Closes #35391.

### Reason for this change

When the only instances of DistributedMap states were inside nested StateGraphs (most commonly reported as Parallel branches, see #28820), `StateGraph.bind` would fail to find these DistributedMaps and thus fail to add the necessary DistributedMap policies to the state machine's execution role. This means the state machine execution would fail as soon as it got to the nested DistributedMap state.

This was originally included in #34760, but aligned that it should go into its own PR #34760 (comment)

### Description of changes

This change allows DistributedMap states in any level of nested StateGraphs to be discovered and considered for the DistributedMap policy additions.

Changes:
- Does a BFS of all nested StateGraphs when calling the root StateGraph's `bind()` method to find DistributedMap states
- DistributedMap states inside Parallel branches now add distributed map policies to the state machine as expected

The idea of recursing through state graphs can be attributed to #29913, but to avoid the recursion, I just converted the logic to use a loop.

### Describe any new or updated permissions being added

State machines with a DistributedMap state inside a Parallel branch will now receive the proper policy for execution (Documented here: https://docs.aws.amazon.com/step-functions/latest/dg/iam-policies-eg-dist-map.html#iam-policy-run-dist-map)

### Description of how you validated changes

Unit & new Integ test that deploys and runs a StateMachine with a DistributedMap inside a Parallel state.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@zvoicu000
fix: correct typo 'notfication' to 'notification' in Stack docstring (#…
bfb54b0 
…35455)

### Issue # (if applicable)

Closes #35433.

### Reason for this change

Corrects a typo in the Javadoc for `StackProps.notificationArns` where "notfication" was misspelled.

### Description of changes

Fixed the spelling of "notification" in the Javadoc comment for `StackProps.notificationArns` in `core/lib/stack.ts`.  
No functional code changes; documentation only.

### Describe any new or updated permissions being added

No new or updated IAM permissions are required.

### Description of how you validated changes

Verified the documentation change by inspecting the updated comment.  
No code or tests affected.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@alvazjor
fix(bedrock-alpha): added missing validation when prompt uses default…
cbd271e 
… variant (#35366)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change
When using Prompts and PromptVariants in bedrock, you can define the default variant your prompt will use, but if you dont add it to the variants array too, it will fail at deployment time.

### Description of changes
Added a validation that checks the correct conditions at synth time, so you don't waste time and leave a stack with a bad deployment

### Describe any new or updated permissions being added
NA


### Description of how you validated changes

Unit tests. We don't create integ tests for validations (synth time) as they wont add any additional value

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@alvazjor
chore(region-info): adding missing iso-f regions (#35448)
5661abb 
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

IsoF partition was registered but the regions and additional region information were still missing in the `aws-entities` file 

### Description of changes
Added missing information, updated snapshots and unit tests

### Describe any new or updated permissions being added
NA

### Description of how you validated changes
Updated snapshots and unit tests

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@phuhung273
feat(codebuild): support remote Docker server (#34976)
eb8e74b 
### Issue # (if applicable)

Closes #34494

### Reason for this change
https://aws.amazon.com/blogs/aws/accelerate-ci-cd-pipelines-with-the-new-aws-codebuild-docker-server-capability/

### Description of changes
- Support remote Docker server
- Add `DockerServerComputeType` enum. This is different from `ComputeType`

### Describe any new or updated permissions being added




### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@rix0rrr
docs: do not disclaim custom synthesis (#35457)
0565b4f 
Custom synthesis is a valid (and the only) way for construct libraries to emit artifacts during synthesis, like feature flag reports.

Don't disclaim it.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@alvazjor
chore: change PYTHON_LATEST from static versioning to a function (#35461
cecbabf 
)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change
Having a static readonly variable to manage the latest runtime version has proven to be challenging on NodeJS side, and a dynamic approach is preferred. 

### Description of changes
Changing the recently introduced `PYTHON_LATEST` static runtime to be a function. For now it will still deliver the latest python version available, but it will be changed into a dynamic approach later, similar to `determineLatestNodeRuntime`

### Describe any new or updated permissions being added

NA


### Description of how you validated changes

Updated existing unit tests

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@pahud
chore(lambda): handle Runtime.ALL correctly in LayerVersion compatibl…
01da2c9 
…eRuntimes (#35351)

### Issue # (if applicable)

Closes #35348.

### Reason for this change

`Runtime.ALL` contains 43+ runtime entries (including deprecated ones), but AWS Lambda limits `compatibleRuntimes` to maximum 15 entries and only accepts currently supported runtimes. When users specify `compatibleRuntimes: Runtime.ALL` for Lambda layers, deployment fails with CloudFormation validation errors:
- "Member must have length less than or equal to 15"
- "Member must satisfy enum value set" for supported runtimes only

This breaks existing user code that relies on the documented `Runtime.ALL` constant for Lambda layers.

### Description of changes

Modified the LayerVersion constructor to detect when `compatibleRuntimes` is set to `Runtime.ALL` and treat it as `undefined`, allowing AWS to use its default "all supported runtimes" behavior:

- Added conditional logic in `CfnLayerVersion` resource creation to check for `Runtime.ALL` via reference equality
- When `Runtime.ALL` is detected, `compatibleRuntimes` is set to `undefined` in the CloudFormation template
- When `undefined`, AWS Lambda defaults to supporting all currently supported runtimes (the intended behavior)
- All other behavior remains unchanged - specific runtime arrays and `undefined` work as before
- Updated documentation to clarify that `Runtime.ALL` is equivalent to `undefined`

**Technical Implementation**:
```typescript
compatibleRuntimes: (props.compatibleRuntimes === Runtime.ALL)
  ? undefined
  : props.compatibleRuntimes?.map(r => r.name),
```

### Describe any new or updated permissions being added

N/A - No IAM permissions or resource access changes.

### Description of how you validated changes

- **Unit tests**: Added comprehensive test cases using `test.each` to verify that both `Runtime.ALL` and `undefined` result in omitting `CompatibleRuntimes` from the CloudFormation template. This eliminates code duplication and follows Jest best practices. All existing layer tests continue to pass (7/7).
- **Integration tests**: No additional integration tests required as this change leverages existing AWS Lambda service behavior when `CompatibleRuntimes` is omitted from the CloudFormation template. The AWS service automatically applies compatibility with all currently supported runtimes, which is the intended behavior for `Runtime.ALL`.

**Test Coverage**:
- ✅ `Runtime.ALL` produces `undefined` in CloudFormation template
- ✅ `undefined` compatibleRuntimes produces `undefined` in CloudFormation template  
- ✅ Specific runtime arrays work unchanged
- ✅ Empty runtime array validation still throws error
- ✅ All existing layer functionality preserved
- ✅ Refactored tests using `test.each` to eliminate duplication

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@phuhung273
chore(ec2): add i8ge instance class (#35431)
c5c6b8b 
### Issue # (if applicable)
None

### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-ec2-i8ge-instances-generally-available/

### Description of how you validated changes
```console
$ aws ec2 describe-instance-types | grep -e i8ge
"InstanceType": "i8ge.12xlarge",
"InstanceType": "i8ge.24xlarge",
"InstanceType": "i8ge.18xlarge",
"InstanceType": "i8ge.48xlarge",
"InstanceType": "i8ge.3xlarge",
"InstanceType": "i8ge.metal-24xl",
"InstanceType": "i8ge.xlarge",
"InstanceType": "i8ge.metal-48xl",
"InstanceType": "i8ge.6xlarge",
"InstanceType": "i8ge.large",
"InstanceType": "i8ge.2xlarge",
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@iRoachie
feat(33270): support new bun lock file (#34873)
0a55ed1 
### Issue # (if applicable)

Closes #33270

### Reason for this change

NodejsFunction construct does not support bun with its new lock file name.

### Description of changes

Addition of bun.lock to supported lock files while still maintaining lock.b usage.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Added unit tests for presence of bun.lock

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@puretension
docs: correct spelling of "separate" in comments (#35484)
3384724 
### **Issue # (if applicable)**
Closes #35483.


### **Reason for this change**
Fixed spelling errors in code comments where "seperate" was used instead of the correct spelling "separate".


### **Description of changes**
Corrected two instances of misspelled "separate" in documentation comments:

- Fixed "seperated" → "separated" in `core/lib/arn.ts:46`
- Fixed "seperate" → "separate" in `aws-globalaccelerator/lib/listener.ts:50`

These are simple spelling corrections that improve documentation quality without any functional changes.


### **Describe any new or updated permissions being added**
None. This change only affects documentation comments.


### **Description of how you validated changes**
- Verified spelling corrections are accurate
- Confirmed no functional code changes
- Build passes successfully


### **Checklist**
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
chore(release): 2.215.0
97b2f62
@github-actions github-actions bot added the p2 label Sep 15, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team September 15, 2025 09:31
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 15, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Sep 15, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 15, 2025
@abidhasan-aws abidhasan-aws deleted the bump/2.215.0 branch September 15, 2025 09:46
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.