Bump the cdk group across 1 directory with 3 updates

[dependabot]

Bumps the cdk group with 3 updates in the / directory: @guardian/cdk, aws-cdk-lib and aws-cdk.

Updates @guardian/cdk from 62.6.1 to 63.3.1

Release notes

Sourced from @​guardian/cdk's releases.

v63.3.1

Patch Changes

• b656328: Correct Riff-Raff project tag key to match the one previously introduced in guardian/riff-raff#1374: gu:riff-raff:project.

v63.3.0

Minor Changes

• a7726ad: Add a comment to generated riff-raff.yaml files for additional clarity.

v63.2.1

Patch Changes

• d2f2a3a: Update @aws-sdk/* dependencies.

v63.2.0

Minor Changes

• ac2348e: Fix warnings around childProcess.spawn and shell: true.

Patch Changes

• bc0f9b8: Bump the Cognito auth lambda runtime from PROVIDED_AL2 (deprecated) to PROVIDED_AL2023 in the GuEc2App pattern. No client changes needed.

v63.1.0

Minor Changes

• 3b98fea: Minor improvements to the GuDeveloperPolicy class to make it more intuitive for users.
  • path includes source repo name to help map the policy back from AWS to its source codebase.
  • path includes stack and stage as we have nowhere else to find it and this can help with identification.
  • friendlyName is now a required attribute that maps to the managed policy's description.
  • The policy must have at least one statement.
  • permission attribute is now called grantId to match with the corresponding Janus structure.

v63.0.1

Patch Changes

• 1ff04c8: Introduce a withoutPolicyChecks flag to GuDeveloperPolicy properties so that the check can be turned off.

  Provide instructions for use of that flag in the "overbroad" action/resource error text.

  This enables teams to use fully wildcarded actions and resources when needed, but also provides information in cloudformation metadata to allow us to track the usage of that switch in order to study how often this is needed.

v63.0.0

Major Changes

• c6e30e1: Support generating multiple riff-raff.yaml files. To do this, set the riffRaffProjectName property of a GuStack.

... (truncated)

Changelog

Sourced from @​guardian/cdk's changelog.

63.3.1

Patch Changes

• b656328: Correct Riff-Raff project tag key to match the one previously introduced in guardian/riff-raff#1374: gu:riff-raff:project.

63.3.0

Minor Changes

• a7726ad: Add a comment to generated riff-raff.yaml files for additional clarity.

63.2.1

Patch Changes

• d2f2a3a: Update @aws-sdk/* dependencies.

63.2.0

Minor Changes

• ac2348e: Fix warnings around childProcess.spawn and shell: true.

Patch Changes

• bc0f9b8: Bump the Cognito auth lambda runtime from PROVIDED_AL2 (deprecated) to PROVIDED_AL2023 in the GuEc2App pattern. No client changes needed.

63.1.0

Minor Changes

• 3b98fea: Minor improvements to the GuDeveloperPolicy class to make it more intuitive for users.
  • path includes source repo name to help map the policy back from AWS to its source codebase.
  • path includes stack and stage as we have nowhere else to find it and this can help with identification.
  • friendlyName is now a required attribute that maps to the managed policy's description.
  • The policy must have at least one statement.
  • permission attribute is now called grantId to match with the corresponding Janus structure.

63.0.1

Patch Changes

• 1ff04c8: Introduce a withoutPolicyChecks flag to GuDeveloperPolicy properties so that the check can be turned off.

  Provide instructions for use of that flag in the "overbroad" action/resource error text.

  This enables teams to use fully wildcarded actions and resources when needed, but also provides information in cloudformation metadata to allow us to track the usage of that switch in order to study how often this is

... (truncated)

Commits

• 50ceac8 Merge pull request #2907 from guardian/changeset-release/main
• 5da8ba0 Bump package version
• a4c0940 Merge pull request #2906 from guardian/aa/riff-raff-tag
• b656328 fix: Correct Riff-Raff project tag key
• 16d1afc Merge pull request #2902 from guardian/dependabot/npm_and_yarn/fast-xml-build...
• 4a8ab46 chore(deps): bump fast-xml-builder from 1.1.5 to 1.2.0
• a6c0652 Merge pull request #2901 from guardian/add-devx-reliability-owners-1777543115
• 1cd16b4 Add .github/CODEOWNERS file for devx-reliability-and-ops team
• bcf8aa4 Merge pull request #2899 from guardian/changeset-release/main
• 3d3d4f4 Bump package version
• Additional commits viewable in compare view

Updates aws-cdk-lib from 2.246.0 to 2.257.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.257.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

  • aws-neptunegraph: AWS::NeptuneGraph::GraphSnapshot: GraphIdentifier property is now required.

Features

• update L1 CloudFormation resource definitions (#37955) (211b06c)
• core: failSynthOnValidationErrors context key to suppress console output and exit code (#37909) (deb968f), closes aws/aws-cdk-cli#1515

---

Alpha modules (2.257.0-alpha.0)

v2.256.1

Bug Fixes

• invalid lock file (#37943) (73ae91d), closes #37726 #37929 #37870

---

Alpha modules (2.256.1-alpha.0)

v2.256.0

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37919) (caa0f4c), closes #37843
• core: validations report is always written to cloud assembly (#37867) (dddc6e0)
• ec2: replace any return types with specific interfaces in IPeer methods (#36637) (626e44d), closes #36636
• s3: support bucketNamePrefix and bucketNamespace properties (#37386) (997b003), closes #37760

Bug Fixes

• core: handle token-wrapped Boxes in property merge strategies (#37902) (18435e3)
• core: prevent stack overflow on large construct trees (#37901) (10163cb), closes #37903

---

Alpha modules (2.256.0-alpha.0)

v2.255.0

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37843) (ea33967)
• bedrockagentcore: graduate to stable 🚀 (#37876) (00cf601)
• core: builtin PropertyMergeStrategys are now compatible with deferred Box values (#37844) (ca4b722)
• core: persist asset fingerprinting cache (#37822) (605a776)
• ec2: add C8A instance type support (#36736) (0d088ca), closes #36722

Bug Fixes

• core: cached Lazys use the Box API internally (#37889) (464fa3d)

... (truncated)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.257.0-alpha.0 (2026-05-21)

2.256.1-alpha.0 (2026-05-20)

2.256.0-alpha.0 (2026-05-19)

2.255.0-alpha.0 (2026-05-18)

Features

• bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

2.254.0-alpha.0 (2026-05-13)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

2.253.1-alpha.0 (2026-05-08)

2.253.0-alpha.0 (2026-05-06)

Features

• bedrock-agentcore-alpha: add OnlineEvaluationConfig and Evaluator L2 constructs (#37615) (c13de04), closes #37614
• glue-alpha: add extraPythonFiles support to PythonShellJob (#37130) (c9c6f9c), closes #34448

Bug Fixes

• bedrock-agentcore-alpha: self-managed memory strategy validation throws on unresolved tokens (#37691) (7956537), closes #37197

2.252.0-alpha.0 (2026-04-29)

2.251.0-alpha.0 (2026-04-24)

... (truncated)

Commits

• 211b06c feat: update L1 CloudFormation resource definitions (#37955)
• c0fe7ee chore(bundling): check if docker image is cached before building (#37951)
• 95284c5 fix: invalid lock file (#37943)
• b7090dd refactor: replace Lazy.uncachedString with Box API where context is not neede...
• deb968f feat(core): failSynthOnValidationErrors context key to suppress console outpu...
• 68c62d7 chore: update analytics metadata blueprints
• 30c7a2b chore: upgrade cloud-assembly packages to fix npm ci (#37932)
• 3c5e5f8 fix(merge-back): move dispose-polyfill to lib/private where perf.ts expects it
• 1f4c823 Merge remote-tracking branch 'origin/main' into merge-back/2.255.0
• 626e44d feat(ec2): replace any return types with specific interfaces in IPeer met...
• Additional commits viewable in compare view

Updates aws-cdk from 2.1115.1 to 2.1124.1

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1124.1

2.1124.1 (2026-05-20)

Bug Fixes

• cli: resolve command aliases in unknown options check (#1536) (791408c)

aws-cdk@v2.1124.0

2.1124.0 (2026-05-20)

Features

• deps: upgrade aws-cdk-lib (#1532) (0920b78)

aws-cdk@v2.1123.0

2.1123.0 (2026-05-19)

Features

• cli: add --region as a global CLI option (#1506) (ae2349b), closes #928
• cli: warn on unrecognized CLI options (#1514) (abd4f4c)

Bug Fixes

• cloud-assembly-api: widen jsonschema range to fix npm ci on npm 11 (#1529) (de82699), closes #61 #37721 #61

aws-cdk@v2.1122.0

2.1122.0 (2026-05-14)

Features

• CLI send in performance profile if emitted by app (#1478) (1ea1ae7)
• deps: upgrade aws-cdk-lib (#1481) (d007567)
• deps: upgrade aws-cdk-lib (#1493) (36cbfd3)
• deps: upgrade aws-cdk-lib (#1509) (bf04a33)

Bug Fixes

• remove uuid dependency in favor of node:crypto (#1511) (85751e5)

... (truncated)

Commits

• 791408c fix(cli): resolve command aliases in unknown options check (#1536)
• 0920b78 feat(deps): upgrade aws-cdk-lib (#1532)
• de82699 fix(cloud-assembly-api): widen jsonschema range to fix npm ci on npm 11 (#1529)
• abd4f4c feat(cli): warn on unrecognized CLI options (#1514)
• 319e3a8 chore(deps): bump @​aws-sdk/client-appsync from 3.1041.0 to 3.1045.0 (#1520)
• 9165482 chore(deps): upgrade dependencies (#1518)
• ae2349b feat(cli): add --region as a global CLI option (#1506)
• c8f270c chore(deps): fix release workflow and upgrade dependencies (#1513)
• 85751e5 fix: remove uuid dependency in favor of node:crypto (#1511)
• d5f6022 refactor(toolkit-lib): use stack/changeset ARNs for CloudFormation API calls ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Hello 👋! When you're ready to run Chromatic, please apply the run_chromatic label to this PR.

You will need to reapply the label each time you want to run Chromatic.

Click here to see the Chromatic project.

[github-actions]

Deploy build 27333 of dotcom:rendering-all to CODE

All deployment options

• Deploy build 27333 of dotcom:rendering-all to CODE
• Deploy parts of build 27333 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[arelra]

Waiting to rebase following merge of: #15940