Bump the cdk group across 1 directory with 2 updates

[dependabot]

Bumps the cdk group with 2 updates in the / directory: @guardian/cdk and aws-cdk-lib.

Updates @guardian/cdk from 62.6.1 to 63.3.1

Release notes

Sourced from @​guardian/cdk's releases.

v63.3.1

Patch Changes

• b656328: Correct Riff-Raff project tag key to match the one previously introduced in guardian/riff-raff#1374: gu:riff-raff:project.

v63.3.0

Minor Changes

• a7726ad: Add a comment to generated riff-raff.yaml files for additional clarity.

v63.2.1

Patch Changes

• d2f2a3a: Update @aws-sdk/* dependencies.

v63.2.0

Minor Changes

• ac2348e: Fix warnings around childProcess.spawn and shell: true.

Patch Changes

• bc0f9b8: Bump the Cognito auth lambda runtime from PROVIDED_AL2 (deprecated) to PROVIDED_AL2023 in the GuEc2App pattern. No client changes needed.

v63.1.0

Minor Changes

• 3b98fea: Minor improvements to the GuDeveloperPolicy class to make it more intuitive for users.
  • path includes source repo name to help map the policy back from AWS to its source codebase.
  • path includes stack and stage as we have nowhere else to find it and this can help with identification.
  • friendlyName is now a required attribute that maps to the managed policy's description.
  • The policy must have at least one statement.
  • permission attribute is now called grantId to match with the corresponding Janus structure.

v63.0.1

Patch Changes

• 1ff04c8: Introduce a withoutPolicyChecks flag to GuDeveloperPolicy properties so that the check can be turned off.

  Provide instructions for use of that flag in the "overbroad" action/resource error text.

  This enables teams to use fully wildcarded actions and resources when needed, but also provides information in cloudformation metadata to allow us to track the usage of that switch in order to study how often this is needed.

v63.0.0

Major Changes

• c6e30e1: Support generating multiple riff-raff.yaml files. To do this, set the riffRaffProjectName property of a GuStack.

... (truncated)

Changelog

Sourced from @​guardian/cdk's changelog.

63.3.1

Patch Changes

• b656328: Correct Riff-Raff project tag key to match the one previously introduced in guardian/riff-raff#1374: gu:riff-raff:project.

63.3.0

Minor Changes

• a7726ad: Add a comment to generated riff-raff.yaml files for additional clarity.

63.2.1

Patch Changes

• d2f2a3a: Update @aws-sdk/* dependencies.

63.2.0

Minor Changes

• ac2348e: Fix warnings around childProcess.spawn and shell: true.

Patch Changes

• bc0f9b8: Bump the Cognito auth lambda runtime from PROVIDED_AL2 (deprecated) to PROVIDED_AL2023 in the GuEc2App pattern. No client changes needed.

63.1.0

Minor Changes

• 3b98fea: Minor improvements to the GuDeveloperPolicy class to make it more intuitive for users.
  • path includes source repo name to help map the policy back from AWS to its source codebase.
  • path includes stack and stage as we have nowhere else to find it and this can help with identification.
  • friendlyName is now a required attribute that maps to the managed policy's description.
  • The policy must have at least one statement.
  • permission attribute is now called grantId to match with the corresponding Janus structure.

63.0.1

Patch Changes

• 1ff04c8: Introduce a withoutPolicyChecks flag to GuDeveloperPolicy properties so that the check can be turned off.

  Provide instructions for use of that flag in the "overbroad" action/resource error text.

  This enables teams to use fully wildcarded actions and resources when needed, but also provides information in cloudformation metadata to allow us to track the usage of that switch in order to study how often this is

... (truncated)

Commits

• 50ceac8 Merge pull request #2907 from guardian/changeset-release/main
• 5da8ba0 Bump package version
• a4c0940 Merge pull request #2906 from guardian/aa/riff-raff-tag
• b656328 fix: Correct Riff-Raff project tag key
• 16d1afc Merge pull request #2902 from guardian/dependabot/npm_and_yarn/fast-xml-build...
• 4a8ab46 chore(deps): bump fast-xml-builder from 1.1.5 to 1.2.0
• a6c0652 Merge pull request #2901 from guardian/add-devx-reliability-owners-1777543115
• 1cd16b4 Add .github/CODEOWNERS file for devx-reliability-and-ops team
• bcf8aa4 Merge pull request #2899 from guardian/changeset-release/main
• 3d3d4f4 Bump package version
• Additional commits viewable in compare view

Updates aws-cdk-lib from 2.246.0 to 2.257.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.257.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

  • aws-neptunegraph: AWS::NeptuneGraph::GraphSnapshot: GraphIdentifier property is now required.

Features

• update L1 CloudFormation resource definitions (#37955) (211b06c)
• core: failSynthOnValidationErrors context key to suppress console output and exit code (#37909) (deb968f), closes aws/aws-cdk-cli#1515

---

Alpha modules (2.257.0-alpha.0)

v2.256.1

Bug Fixes

• invalid lock file (#37943) (73ae91d), closes #37726 #37929 #37870

---

Alpha modules (2.256.1-alpha.0)

v2.256.0

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37919) (caa0f4c), closes #37843
• core: validations report is always written to cloud assembly (#37867) (dddc6e0)
• ec2: replace any return types with specific interfaces in IPeer methods (#36637) (626e44d), closes #36636
• s3: support bucketNamePrefix and bucketNamespace properties (#37386) (997b003), closes #37760

Bug Fixes

• core: handle token-wrapped Boxes in property merge strategies (#37902) (18435e3)
• core: prevent stack overflow on large construct trees (#37901) (10163cb), closes #37903

---

Alpha modules (2.256.0-alpha.0)

v2.255.0

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37843) (ea33967)
• bedrockagentcore: graduate to stable 🚀 (#37876) (00cf601)
• core: builtin PropertyMergeStrategys are now compatible with deferred Box values (#37844) (ca4b722)
• core: persist asset fingerprinting cache (#37822) (605a776)
• ec2: add C8A instance type support (#36736) (0d088ca), closes #36722

Bug Fixes

• core: cached Lazys use the Box API internally (#37889) (464fa3d)

... (truncated)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.257.0-alpha.0 (2026-05-21)

2.256.1-alpha.0 (2026-05-20)

2.256.0-alpha.0 (2026-05-19)

2.255.0-alpha.0 (2026-05-18)

Features

• bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

2.254.0-alpha.0 (2026-05-13)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

2.253.1-alpha.0 (2026-05-08)

2.253.0-alpha.0 (2026-05-06)

Features

• bedrock-agentcore-alpha: add OnlineEvaluationConfig and Evaluator L2 constructs (#37615) (c13de04), closes #37614
• glue-alpha: add extraPythonFiles support to PythonShellJob (#37130) (c9c6f9c), closes #34448

Bug Fixes

• bedrock-agentcore-alpha: self-managed memory strategy validation throws on unresolved tokens (#37691) (7956537), closes #37197

2.252.0-alpha.0 (2026-04-29)

2.251.0-alpha.0 (2026-04-24)

... (truncated)

Commits

• 211b06c feat: update L1 CloudFormation resource definitions (#37955)
• c0fe7ee chore(bundling): check if docker image is cached before building (#37951)
• 95284c5 fix: invalid lock file (#37943)
• b7090dd refactor: replace Lazy.uncachedString with Box API where context is not neede...
• deb968f feat(core): failSynthOnValidationErrors context key to suppress console outpu...
• 68c62d7 chore: update analytics metadata blueprints
• 30c7a2b chore: upgrade cloud-assembly packages to fix npm ci (#37932)
• 3c5e5f8 fix(merge-back): move dispose-polyfill to lib/private where perf.ts expects it
• 1f4c823 Merge remote-tracking branch 'origin/main' into merge-back/2.255.0
• 626e44d feat(ec2): replace any return types with specific interfaces in IPeer met...
• Additional commits viewable in compare view

[github-actions]

Hello 👋! When you're ready to run Chromatic, please apply the run_chromatic label to this PR.

You will need to reapply the label each time you want to run Chromatic.

Click here to see the Chromatic project.

[github-actions]

Deploy build 27433 of dotcom:rendering-all to CODE

All deployment options

• Deploy build 27433 of dotcom:rendering-all to CODE
• Deploy parts of build 27433 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.