chore: npm-check-updates && yarn upgrade

package.json

@@ -20,20 +20,20 @@
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
     "aws-sdk-js-codemod": "^0.28.2",
-    "cdk-generate-synthetic-examples": "^0.2.1",
+    "cdk-generate-synthetic-examples": "^0.2.7",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.11",
     "jest-junit": "^13.2.0",
-    "jsii-diff": "1.98.0",
-    "jsii-pacmak": "1.98.0",
-    "jsii-reflect": "1.98.0",
-    "lerna": "^8.1.2",
-    "nx": "^18.3.4",
+    "jsii-diff": "1.99.0",
+    "jsii-pacmak": "1.99.0",
+    "jsii-reflect": "1.99.0",
+    "lerna": "^8.1.3",
+    "nx": "^18.3.5",
     "patch-package": "^6.5.1",
-    "semver": "^7.6.0",
+    "semver": "^7.6.2",
     "standard-version": "^9.5.0",
-    "ts-jest": "^29.1.2",
+    "ts-jest": "^29.1.4",
     "ts-node": "^10.9.2",
     "typescript": "~5.4.5"
   },

packages/@aws-cdk-testing/cli-integ/package.json

@@ -39,18 +39,18 @@
   },
   "dependencies": {
     "@octokit/rest": "^18.12.0",
-    "aws-sdk": "^2.1610.0",
-    "axios": "^1.6.8",
+    "aws-sdk": "^2.1636.0",
+    "axios": "^1.7.2",
     "fs-extra": "^9.1.0",
     "glob": "^7.2.3",
     "jest": "^29.7.0",
     "jest-junit": "^14.0.1",
     "make-runnable": "^1.4.1",
     "npm": "^8.19.4",
     "p-queue": "^6.6.2",
-    "semver": "^7.6.0",
+    "semver": "^7.6.2",
     "sinon": "^9.2.4",
-    "ts-mock-imports": "^1.3.8",
+    "ts-mock-imports": "^1.3.16",
     "yaml": "1.10.2",
     "yargs": "^17.7.2"
   },

packages/@aws-cdk-testing/framework-integ/package.json

@@ -40,13 +40,13 @@
   "dependencies": {
     "@aws-cdk/integ-tests-alpha": "0.0.0",
     "@aws-cdk/lambda-layer-kubectl-v24": "^2.0.242",
-    "@aws-cdk/lambda-layer-kubectl-v29": "^2.0.0",
+    "@aws-cdk/lambda-layer-kubectl-v29": "^2.1.0",
     "@aws-cdk/lambda-layer-kubectl-v30": "^2.0.0",
     "aws-cdk-lib": "0.0.0",
-    "aws-sdk": "^2.1610.0",
+    "aws-sdk": "^2.1636.0",
     "aws-sdk-mock": "5.6.0",
-    "cdk8s": "2.68.65",
-    "cdk8s-plus-27": "2.9.1",
+    "cdk8s": "2.68.76",
+    "cdk8s-plus-27": "2.9.5",
     "constructs": "^10.0.0"
   },
   "repository": {

packages/@aws-cdk/cloud-assembly-schema/package.json

@@ -110,7 +110,7 @@
   "stability": "stable",
   "dependencies": {
     "jsonschema": "^1.4.1",
-    "semver": "^7.6.0"
+    "semver": "^7.6.2"
   },
   "awscdkio": {
     "announce": false

packages/@aws-cdk/cloudformation-diff/package.json

@@ -37,9 +37,9 @@
     "@aws-sdk/client-cloudformation": "^3.529.1",
     "@types/jest": "^29.5.12",
     "@types/string-width": "^4.0.1",
-    "fast-check": "^3.18.0",
+    "fast-check": "^3.19.0",
     "jest": "^29.7.0",
-    "ts-jest": "^29.1.2"
+    "ts-jest": "^29.1.4"
   },
   "repository": {
     "url": "https://github.com/aws/aws-cdk.git",

packages/@aws-cdk/custom-resource-handlers/package.json

@@ -55,8 +55,8 @@
     "sinon": "^9.2.4",
     "nock": "^13.5.4",
     "fs-extra": "^11.2.0",
-    "esbuild": "^0.20.2",
-    "aws-sdk": "^2.1610.0"
+    "esbuild": "^0.21.4",
+    "aws-sdk": "^2.1636.0"
   },
   "dependencies": {
     "@aws-cdk/asset-node-proxy-agent-v6": "^2.0.3",

packages/@aws-cdk/cx-api/FEATURE_FLAGS.md

@@ -68,7 +68,10 @@ Flags come in three types:
 | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | 2.133.0 | (default) |
 | [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | 2.134.0 | (fix) |
 | [@aws-cdk/aws-eks:nodegroupNameAttribute](#aws-cdkaws-eksnodegroupnameattribute) | When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix. | 2.139.0 | (fix) |
-| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | V2NEXT | (default) |
+| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | 2.140.0 | (default) |
+| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) |
+| [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
+| [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -128,7 +131,9 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
     "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
     "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
-    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false
   }
 }
 ```
@@ -171,6 +176,7 @@ are migrating a v1 CDK project to v2, explicitly set any of these flags which do
 | [@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId](#aws-cdkaws-apigatewayusageplankeyorderinsensitiveid) | Allow adding/removing multiple UsagePlanKeys independently | (fix) | 1.98.0 | `false` | `true` |
 | [@aws-cdk/aws-lambda:recognizeVersionProps](#aws-cdkaws-lambdarecognizeversionprops) | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the  `fn.currentVersion`. | (fix) | 1.106.0 | `false` | `true` |
 | [@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2\_2021](#aws-cdkaws-cloudfrontdefaultsecuritypolicytlsv12_2021) | Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default. | (fix) | 1.117.0 | `false` | `true` |
+| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | (default) |  | `false` | `true` |
 
 <!-- END diff -->
 
@@ -185,7 +191,8 @@ Here is an example of a `cdk.json` file that restores v1 behavior for these flag
     "@aws-cdk/aws-rds:lowercaseDbIdentifier": false,
     "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": false,
     "@aws-cdk/aws-lambda:recognizeVersionProps": false,
-    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
+    "@aws-cdk/pipelines:reduceAssetRoleTrustScope": false
   }
 }
 ```
@@ -1293,9 +1300,60 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil
 | Since | Default | Recommended |
 | ----- | ----- | ----- |
 | (not in v1) |  |  |
-| V2NEXT | `false` | `true` |
+| 2.140.0 | `false` | `true` |
 
 **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior.
 
 
+### @aws-cdk/pipelines:reduceAssetRoleTrustScope
+
+*Remove the root account principal from PipelineAssetsFileRole trust policy* (default)
+
+When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role.
+When this feature flag is disabled, it will keep the root account principal in the trust policy.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.141.0 | `true` | `true` |
+
+**Compatibility with old behavior:** Disable the feature flag to add the root account principal back
+
+
+### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm
+
+*When enabled, remove default deployment alarm settings* (default)
+
+When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.143.0 | `false` | `true` |
+
+**Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior.
+
+
+### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault
+
+*When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix)
+
+This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't
+have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN:
+
+CustomResource attribute error: Vendor response doesn't contain <attribute-name> attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details.
+
+Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in
+the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData'
+property from the event object.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `false` |
+
+
 <!-- END details -->

packages/@aws-cdk/cx-api/package.json

@@ -79,7 +79,7 @@
     "organization": true
   },
   "dependencies": {
-    "semver": "^7.6.0"
+    "semver": "^7.6.2"
   },
   "peerDependencies": {
     "@aws-cdk/cloud-assembly-schema": "0.0.0"

packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES

@@ -1,6 +1,6 @@
 The @aws-cdk/integ-runner package includes the following third-party software/licensing:
 
-** ajv@8.13.0 - https://www.npmjs.com/package/ajv/v/8.13.0 | MIT
+** ajv@8.16.0 - https://www.npmjs.com/package/ajv/v/8.16.0 | MIT
 The MIT License (MIT)
 
 Copyright (c) 2015-2021 Evgeny Poberezkin
@@ -115,10 +115,10 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 
 ----------------
 
-** braces@3.0.2 - https://www.npmjs.com/package/braces/v/3.0.2 | MIT
+** braces@3.0.3 - https://www.npmjs.com/package/braces/v/3.0.3 | MIT
 The MIT License (MIT)
 
-Copyright (c) 2014-2018, Jon Schlinkert.
+Copyright (c) 2014-present, Jon Schlinkert.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -337,7 +337,7 @@ SOFTWARE.
 
 ----------------
 
-** fill-range@7.0.1 - https://www.npmjs.com/package/fill-range/v/7.0.1 | MIT
+** fill-range@7.1.1 - https://www.npmjs.com/package/fill-range/v/7.1.1 | MIT
 The MIT License (MIT)
 
 Copyright (c) 2014-present, Jon Schlinkert.
@@ -643,26 +643,6 @@ licenses; we recommend you read them, as their terms may differ from the
 terms above.
 
 
-----------------
-
-** lru-cache@6.0.0 - https://www.npmjs.com/package/lru-cache/v/6.0.0 | ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
 ----------------
 
 ** normalize-path@3.0.0 - https://www.npmjs.com/package/normalize-path/v/3.0.0 | MIT
@@ -770,7 +750,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 ----------------
 
-** semver@7.6.0 - https://www.npmjs.com/package/semver/v/7.6.0 | ISC
+** semver@7.6.2 - https://www.npmjs.com/package/semver/v/7.6.2 | ISC
 The ISC License
 
 Copyright (c) Isaac Z. Schlueter and Contributors
@@ -1163,26 +1143,6 @@ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
 THIS SOFTWARE.
 
 
-----------------
-
-** yallist@4.0.0 - https://www.npmjs.com/package/yallist/v/4.0.0 | ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
 ----------------
 
 ** yargs-parser@20.2.9 - https://www.npmjs.com/package/yargs-parser/v/20.2.9 | ISC

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -71,7 +71,7 @@ Flags come in three types:
 | [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | 2.140.0 | (default) |
 | [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) |
 | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
-| [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for AwsCustomResource will configure the logApiResponseData property as true by default | V2NEXT | (fix) |
+| [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -1338,12 +1338,16 @@ When this featuer flag is enabled, remove the default deployment alarm settings
 
 ### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault
 
-*When enabled, the custom resource used for AwsCustomResource will configure the logApiResponseData property as true by default* (fix)
+*When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix)
 
-When this feature flag is enabled, the custom resource used for AwsCustomResource will configure the logApiResponseData property as true by default. This
-results in logApiResponseData being passed as true to the custom resource provider. Unlike most feature flags, we don't recommend setting this feature flag
-to true unless you're using the AwsCustomResource construct with logApiResponseData set to true as a custom resource event property by default and do not
-want to trigger an update by letting the default logApiResponseData value go back to undefined.
+This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't
+have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN:
+
+CustomResource attribute error: Vendor response doesn't contain <attribute-name> attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details.
+
+Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in
+the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData'
+property from the event object.
 
 
 | Since | Default | Recommended |

packages/aws-cdk-lib/package.json

@@ -129,7 +129,7 @@
     "jsonschema": "^1.4.1",
     "minimatch": "^3.1.2",
     "punycode": "^2.3.1",
-    "semver": "^7.6.0",
+    "semver": "^7.6.2",
     "table": "^6.8.2",
     "yaml": "1.10.2",
     "mime-types": "^2.1.35"
@@ -160,28 +160,28 @@
     "@aws-sdk/node-http-handler": "^3.370.0",
     "@aws-sdk/types": "^3.433.0",
     "@smithy/util-stream": "^2.2.0",
-    "@types/aws-lambda": "^8.10.137",
+    "@types/aws-lambda": "^8.10.138",
     "@types/jest": "^29.5.12",
-    "@types/lodash": "^4.17.0",
+    "@types/lodash": "^4.17.4",
     "@types/punycode": "^2.1.4",
     "@types/mime-types": "^2.1.4",
     "@aws-cdk/lazify": "0.0.0",
-    "aws-sdk": "^2.1610.0",
+    "aws-sdk": "^2.1636.0",
     "aws-sdk-client-mock": "^3.1.0",
     "aws-sdk-client-mock-jest": "^3.1.0",
     "aws-sdk-mock": "5.8.0",
-    "cdk8s": "2.68.65",
+    "cdk8s": "2.68.76",
     "constructs": "^10.0.0",
     "delay": "5.0.0",
-    "esbuild": "^0.20.2",
-    "fast-check": "^3.18.0",
+    "esbuild": "^0.21.4",
+    "fast-check": "^3.19.0",
     "jest": "^29.7.0",
     "jest-each": "^29.7.0",
     "lambda-tester": "^4.0.1",
     "lodash": "^4.17.21",
     "nock": "^13.5.4",
     "sinon": "^9.2.4",
-    "ts-mock-imports": "^1.3.8",
+    "ts-mock-imports": "^1.3.16",
     "ts-node": "^10.9.2",
     "typescript": "~5.4.5",
     "typescript-json-schema": "^0.63.0"