chore(release): 2.234.0 #36612

aws-cdk-automation · 2026-01-08T10:47:33Z

## Fix SQS inline policy guard rule and add experimental disclaimer to security reports ### Issue - `sqs-no-world-accessible-inline.guard` was checking incorrect resource type and property path - Security report comments lacked disclaimer about experimental status ### Solution **Fixed SQS inline policy rule:** - Changed from checking `AWS::SQS::Queue` resources to `AWS::SQS::QueueInlinePolicy` resources per [CloudFormation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queueinlinepolicy.html) - Fixed property path from `Properties.QueuePolicy.Statement` to `Properties.PolicyDocument.Statement` - Added documentation noting queues without QueueInlinePolicy are secure by default per [SQS documentation](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-add-permissions.html) **Added experimental disclaimer:** - Security report workflow now appends disclaimer to both static and resolved template result comments - Disclaimer indicates feature is experimental and may include false positives ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change The build environment needs to explicitly use Node.js 20 to align with the CDK's supported runtime versions and ensure consistent builds. ### Description of changes Explicitly specify Node.js 20 as the runtime version in `buildspec.yaml`. Also removes unused `buildspec-pr.yaml` and `buildspec-remodel.yaml` files as cleanup. ### Describe any new or updated permissions being added No new permissions required. ### Description of how you validated changes Reviewed the buildspec configuration changes. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…dedLogs` (#36431) ### Reason for this change We are switching `<Resource>.vendedLogs` to have a different type for better current and future compatibility. ``` OLD TYPE ... vendedLogs: VendedLog; } export interface VendedLog { readonly permissionsVersion: string; readonly logTypes: string[]; readonly destinations: DestinationService[]; } ``` ``` NEW TYPE ... vendedLogs: VendedLogs[]; } export interface VendedLogs { readonly permissionsVersion: string; readonly logType: string; readonly destinations: DestinationService[]; } ``` ### Description of changes Since there is not an easy way to do this were we can keep using the `vendedLogs` property the whole time, we are going to temporarily use `vendedLogsConfig` and remove it in a later PR. ### Description of how you validated changes Ensured generated Mixin still looks right ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes #24477 Relates #30054 ### Reason for this change https://aws.amazon.com/about-aws/whats-new/2025/12/elastic-beanstalk-additional-regions/ ### Description of changes Ref https://docs.aws.amazon.com/general/latest/gr/elasticbeanstalk.html Beside from 4 entirely new regions, `ap-southeast-5` seems to be moved to new hosted zone id. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…atibility with service-spec (#36446) ### Reason for this change An earlier PR was not entirely compatible with some changes that are incoming from service-spec: #36431 ### Description of changes Entirely flipped to using `vendedLogsConfig` property to get compatibility since the type of the `vendedLogs` property is changing. ### Description of how you validated changes Addressed issue brought up by this test failure: https://github.com/cdklabs/awscdk-service-spec/actions/runs/20316716077/job/58452433464 ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-aps │ └ resources │ ├[~] resource AWS::APS::Scraper │ └[~] resource AWS::APS::Workspace ├[~] service aws-b2bi │ └ resources │ └[~] resource AWS::B2BI::Transformer ├[~] service aws-backupgateway │ └ resources │ └[~] resource AWS::BackupGateway::Hypervisor ├[~] service aws-bedrock │ └ resources │ ├[~] resource AWS::Bedrock::Agent │ ├[~] resource AWS::Bedrock::AgentAlias │ ├[~] resource AWS::Bedrock::Flow │ └[~] resource AWS::Bedrock::KnowledgeBase ├[~] service aws-bedrockagentcore │ └ resources │ ├[~] resource AWS::BedrockAgentCore::BrowserCustom │ ├[~] resource AWS::BedrockAgentCore::CodeInterpreterCustom │ ├[~] resource AWS::BedrockAgentCore::Gateway │ ├[~] resource AWS::BedrockAgentCore::GatewayTarget │ │ └ types │ │ └[~] type OAuthCredentialProvider │ │ └ properties │ │ ├[+] DefaultReturnUrl: string │ │ └[+] GrantType: string │ ├[~] resource AWS::BedrockAgentCore::Memory │ ├[~] resource AWS::BedrockAgentCore::Runtime │ └[~] resource AWS::BedrockAgentCore::WorkloadIdentity ├[~] service aws-cleanrooms │ └ resources │ └[~] resource AWS::CleanRooms::Membership ├[~] service aws-cloudformation │ └ resources │ └[~] resource AWS::CloudFormation::WaitCondition │ └ - documentation: The `AWS::CloudFormation::WaitCondition` resource provides a way to coordinate stack resource creation with configuration actions that are external to the stack creation or to track the status of a configuration process. In these situations, we recommend that you associate a `CreationPolicy` attribute with the wait condition instead of using a wait condition handle. For more information and an example, see [CreationPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-creationpolicy.html) in the *CloudFormation User Guide* . If you use a `CreationPolicy` with a wait condition, don't specify any of the wait condition's properties. │ > If you use AWS PrivateLink , resources in the VPC that respond to wait conditions must have access to CloudFormation , specific Amazon S3 buckets. Resources must send wait condition responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *CloudFormation User Guide* . > For Amazon EC2 and Amazon EC2 Auto Scaling resources, we recommend that you use a `CreationPolicy` attribute instead of wait conditions. Add a `CreationPolicy` attribute to those resources, and use the `cfn-signal` helper script to signal when an instance creation process has completed successfully. │ + documentation: The `AWS::CloudFormation::WaitCondition` resource provides a way to coordinate stack resource creation with configuration actions that are external to the stack creation or to track the status of a configuration process. In these situations, we recommend that you associate a `CreationPolicy` attribute with the wait condition instead of using a wait condition handle. For more information and an example, see [CreationPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-creationpolicy.html) in the *CloudFormation User Guide* . If you use a `CreationPolicy` with a wait condition, don't specify any of the wait condition's properties. │ > If you use AWS PrivateLink , resources in the VPC that respond to wait conditions must have access to CloudFormation , specific Amazon S3 buckets. Resources must send wait condition responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *CloudFormation User Guide* . > For Amazon EC2 and Auto Scaling resources, we recommend that you use a `CreationPolicy` attribute instead of wait conditions. Add a `CreationPolicy` attribute to those resources, and use the `cfn-signal` helper script to signal when an instance creation process has completed successfully. ├[~] service aws-cloudfront │ └ resources │ ├[~] resource AWS::CloudFront::AnycastIpList │ │ ├ properties │ │ │ └ IpamCidrConfigs: (documentation changed) │ │ ├ attributes │ │ │ └ IpamCidrConfigResults: (documentation changed) │ │ └ types │ │ ├[~] type AnycastIpList │ │ │ └ properties │ │ │ └ IpamCidrConfigResults: (documentation changed) │ │ └[~] type IpamCidrConfigResult │ │ ├ - documentation: undefined │ │ │ + documentation: The result for the IPAM CIDR that defines a specific IP address range, IPAM pool, and associated Anycast IP address. │ │ └ properties │ │ ├ AnycastIp: (documentation changed) │ │ ├ Cidr: (documentation changed) │ │ ├ IpamPoolArn: (documentation changed) │ │ └ Status: (documentation changed) │ └[~] resource AWS::CloudFront::Distribution ├[~] service aws-codedeploy │ └ resources │ └[~] resource AWS::CodeDeploy::DeploymentGroup │ ├ properties │ │ ├ AutoScalingGroups: (documentation changed) │ │ └ TerminationHookEnabled: (documentation changed) │ └ types │ └[~] type GreenFleetProvisioningOption │ └ properties │ └ Action: (documentation changed) ├[~] service aws-cognito │ └ resources │ └[~] resource AWS::Cognito::UserPool ├[~] service aws-connect │ └ resources │ └[~] resource AWS::Connect::Instance ├[~] service aws-datasync │ └ resources │ ├[~] resource AWS::DataSync::LocationAzureBlob │ │ ├ properties │ │ │ ├ CmkSecretConfig: (documentation changed) │ │ │ └ CustomSecretConfig: (documentation changed) │ │ └ types │ │ ├[~] type CmkSecretConfig │ │ │ └ - documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ │ + documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token, secret key, password, or Kerberos keytab that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ └[~] type CustomSecretConfig │ │ └ - documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ + documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location credentials is stored in Secrets Manager as plain text (for authentication token, secret key, or password) or as binary (for Kerberos keytab). This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ ├[~] resource AWS::DataSync::LocationObjectStorage │ │ ├ properties │ │ │ ├ CmkSecretConfig: (documentation changed) │ │ │ └ CustomSecretConfig: (documentation changed) │ │ └ types │ │ ├[~] type CmkSecretConfig │ │ │ └ - documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ │ + documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token, secret key, password, or Kerberos keytab that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ └[~] type CustomSecretConfig │ │ └ - documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ + documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location credentials is stored in Secrets Manager as plain text (for authentication token, secret key, or password) or as binary (for Kerberos keytab). This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ └[~] resource AWS::DataSync::LocationSMB │ ├ properties │ │ ├ CmkSecretConfig: (documentation changed) │ │ └ CustomSecretConfig: (documentation changed) │ └ types │ ├[~] type CmkSecretConfig │ │ └ - documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ + documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token, secret key, password, or Kerberos keytab that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ └[~] type CustomSecretConfig │ └ - documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ + documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location credentials is stored in Secrets Manager as plain text (for authentication token, secret key, or password) or as binary (for Kerberos keytab). This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. ├[~] service aws-dax │ └ resources │ └[~] resource AWS::DAX::SubnetGroup ├[~] service aws-deadline │ └ resources │ └[~] resource AWS::Deadline::Fleet │ └ types │ ├[~] type AcceleratorCapabilities │ │ ├ - documentation: Provides information about the GPU accelerators used for jobs processed by a fleet. │ │ │ + documentation: Provides information about the GPU accelerators used for jobs processed by a fleet. │ │ │ > Accelerator capabilities cannot be used with wait-and-save fleets. If you specify accelerator capabilities, you must use either spot or on-demand instance market options. > Each accelerator type maps to specific EC2 instance families: │ │ │ > │ │ │ > - `t4` : Uses G4dn instance family │ │ │ > - `a10g` : Uses G5 instance family │ │ │ > - `l4` : Uses G6 and Gr6 instance families │ │ │ > - `l40s` : Uses G6e instance family │ │ └ properties │ │ ├ Count: (documentation changed) │ │ └ Selections: (documentation changed) │ └[~] type AcceleratorSelection │ └ properties │ ├ Name: (documentation changed) │ └ Runtime: (documentation changed) ├[~] service aws-devicefarm │ └ resources │ └[~] resource AWS::DeviceFarm::Project │ ├ properties │ │ ├[+] EnvironmentVariables: Array<EnvironmentVariable> │ │ └[+] ExecutionRoleArn: string │ └ types │ └[+] type EnvironmentVariable │ ├ name: EnvironmentVariable │ └ properties │ ├ Name: string (required) │ └ Value: string (required) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::CapacityReservation │ │ └ - tagInformation: {"tagPropertyName":"TagSpecifications","variant":"standard"} │ │ + tagInformation: undefined │ ├[~] resource AWS::EC2::RouteServerPeer │ ├[~] resource AWS::EC2::VerifiedAccessInstance │ ├[~] resource AWS::EC2::VPC │ └[~] resource AWS::EC2::VPNConnection ├[~] service aws-eks │ └ resources │ ├[~] resource AWS::EKS::Cluster │ └[~] resource AWS::EKS::Nodegroup │ ├ - documentation: Creates a managed node group for an Amazon EKS cluster. │ │ You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. │ │ For later updates, you will only be able to update a node group using a launch template only if it was originally deployed with a launch template. Additionally, the launch template ID or name must match what was used when the node group was created. You can update the launch template version with necessary changes. For more information about using launch templates, see [Customizing managed nodes with launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) . │ │ An Amazon EKS managed node group is an Amazon EC2 Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* . │ │ > Windows AMI types are only supported for commercial AWS Regions that support Windows on Amazon EKS. │ │ + documentation: Creates a managed node group for an Amazon EKS cluster. │ │ You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. │ │ For later updates, you will only be able to update a node group using a launch template only if it was originally deployed with a launch template. Additionally, the launch template ID or name must match what was used when the node group was created. You can update the launch template version with necessary changes. For more information about using launch templates, see [Customizing managed nodes with launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) . │ │ An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* . │ │ > Windows AMI types are only supported for commercial AWS Regions that support Windows on Amazon EKS. │ └ types │ └[~] type ScalingConfig │ └ - documentation: An object representing the scaling configuration details for the Amazon EC2 Auto Scaling group that is associated with your node group. When creating a node group, you must specify all or none of the properties. When updating a node group, you can specify any or none of the properties. │ + documentation: An object representing the scaling configuration details for the Auto Scaling group that is associated with your node group. When creating a node group, you must specify all or none of the properties. When updating a node group, you can specify any or none of the properties. ├[~] service aws-elasticache │ └ resources │ └[~] resource AWS::ElastiCache::CacheCluster ├[~] service aws-elasticloadbalancingv2 │ └ resources │ └[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer ├[~] service aws-entityresolution │ └ resources │ ├[~] resource AWS::EntityResolution::IdMappingWorkflow │ └[~] resource AWS::EntityResolution::MatchingWorkflow ├[~] service aws-events │ └ resources │ └[~] resource AWS::Events::EventBus ├[~] service aws-gameliftstreams │ └ resources │ └[~] resource AWS::GameLiftStreams::StreamGroup │ └ types │ └[~] type LocationConfiguration │ └ properties │ ├[+] MaximumCapacity: integer │ └[+] TargetIdleCapacity: integer ├[~] service aws-grafana │ └ resources │ └[~] resource AWS::Grafana::Workspace ├[~] service aws-groundstation │ └ resources │ └[+] resource AWS::GroundStation::DataflowEndpointGroupV2 │ ├ name: DataflowEndpointGroupV2 │ │ cloudFormationType: AWS::GroundStation::DataflowEndpointGroupV2 │ │ documentation: Resource Type definition for AWS Ground Station DataflowEndpointGroupV2 │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ Endpoints: Array<CreateEndpointDetails> (immutable) │ │ ├ ContactPrePassDurationSeconds: integer (immutable) │ │ ├ ContactPostPassDurationSeconds: integer (immutable) │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ EndpointDetails: Array<EndpointDetails> │ │ ├ Id: string │ │ └ Arn: string │ └ types │ ├ type ConnectionDetails │ │ ├ documentation: Socket address of an uplink or downlink agent endpoint with an optional mtu. │ │ │ name: ConnectionDetails │ │ └ properties │ │ ├ SocketAddress: SocketAddress (required) │ │ └ Mtu: integer │ ├ type CreateEndpointDetails │ │ ├ name: CreateEndpointDetails │ │ └ properties │ │ ├ UplinkAwsGroundStationAgentEndpoint: UplinkAwsGroundStationAgentEndpoint │ │ └ DownlinkAwsGroundStationAgentEndpoint: DownlinkAwsGroundStationAgentEndpoint │ ├ type DownlinkAwsGroundStationAgentEndpoint │ │ ├ documentation: Information about DownlinkAwsGroundStationAgentEndpoint used for create │ │ │ name: DownlinkAwsGroundStationAgentEndpoint │ │ └ properties │ │ ├ Name: string (required) │ │ └ DataflowDetails: DownlinkDataflowDetails (required) │ ├ type DownlinkAwsGroundStationAgentEndpointDetails │ │ ├ documentation: Information about DownlinkAwsGroundStationAgentEndpoint │ │ │ name: DownlinkAwsGroundStationAgentEndpointDetails │ │ └ properties │ │ ├ Name: string (required) │ │ ├ DataflowDetails: DownlinkDataflowDetails (required) │ │ ├ AgentStatus: string │ │ └ AuditResults: string │ ├ type DownlinkConnectionDetails │ │ ├ documentation: Connection details for downlink, from ground station to agent, and customer to agent │ │ │ name: DownlinkConnectionDetails │ │ └ properties │ │ ├ EgressAddressAndPort: ConnectionDetails (required) │ │ └ AgentIpAndPortAddress: RangedConnectionDetails (required) │ ├ type DownlinkDataflowDetails │ │ ├ documentation: Dataflow details for downlink │ │ │ name: DownlinkDataflowDetails │ │ └ properties │ │ └ AgentConnectionDetails: DownlinkConnectionDetails (required) │ ├ type EndpointDetails │ │ ├ name: EndpointDetails │ │ └ properties │ │ ├ UplinkAwsGroundStationAgentEndpoint: UplinkAwsGroundStationAgentEndpointDetails │ │ └ DownlinkAwsGroundStationAgentEndpoint: DownlinkAwsGroundStationAgentEndpointDetails │ ├ type IntegerRange │ │ ├ documentation: An integer range that has a minimum and maximum value. │ │ │ name: IntegerRange │ │ └ properties │ │ ├ Minimum: integer (required) │ │ └ Maximum: integer (required) │ ├ type RangedConnectionDetails │ │ ├ documentation: Socket address of an uplink or downlink agent endpoint with a port range and an optional mtu. │ │ │ name: RangedConnectionDetails │ │ └ properties │ │ ├ SocketAddress: RangedSocketAddress (required) │ │ └ Mtu: integer │ ├ type RangedSocketAddress │ │ ├ documentation: A socket address with a port range. │ │ │ name: RangedSocketAddress │ │ └ properties │ │ ├ Name: string (required) │ │ └ PortRange: IntegerRange (required) │ ├ type SocketAddress │ │ ├ name: SocketAddress │ │ └ properties │ │ ├ Name: string (required) │ │ └ Port: integer (required) │ ├ type UplinkAwsGroundStationAgentEndpoint │ │ ├ documentation: Information about UplinkAwsGroundStationAgentEndpoint used for create │ │ │ name: UplinkAwsGroundStationAgentEndpoint │ │ └ properties │ │ ├ Name: string (required) │ │ └ DataflowDetails: UplinkDataflowDetails (required) │ ├ type UplinkAwsGroundStationAgentEndpointDetails │ │ ├ documentation: Information about UplinkAwsGroundStationAgentEndpoint │ │ │ name: UplinkAwsGroundStationAgentEndpointDetails │ │ └ properties │ │ ├ Name: string (required) │ │ ├ DataflowDetails: UplinkDataflowDetails (required) │ │ ├ AgentStatus: string │ │ └ AuditResults: string │ ├ type UplinkConnectionDetails │ │ ├ documentation: Connection details for uplink, from ground station to agent, and customer to agent │ │ │ name: UplinkConnectionDetails │ │ └ properties │ │ ├ IngressAddressAndPort: ConnectionDetails (required) │ │ └ AgentIpAndPortAddress: RangedConnectionDetails (required) │ └ type UplinkDataflowDetails │ ├ documentation: Dataflow details for uplink │ │ name: UplinkDataflowDetails │ └ properties │ └ AgentConnectionDetails: UplinkConnectionDetails (required) ├[~] service aws-iotanalytics │ └ resources │ ├[~] resource AWS::IoTAnalytics::Channel │ │ ├ - documentation: The AWS::IoTAnalytics::Channel resource collects data from an MQTT topic and archives the raw, unprocessed messages before publishing the data to a pipeline. For more information, see [How to Use AWS IoT Analytics](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *AWS IoT Analytics User Guide* . │ │ │ + documentation: The AWS::IoTAnalytics::Channel resource collects data from an MQTT topic and archives the raw, unprocessed messages before publishing the data to a pipeline. For more information, see [How to Use](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *User Guide* . │ │ └ types │ │ ├[~] type ChannelStorage │ │ │ └ properties │ │ │ └ ServiceManagedS3: (documentation changed) │ │ └[~] type CustomerManagedS3 │ │ └ properties │ │ └ RoleArn: (documentation changed) │ ├[~] resource AWS::IoTAnalytics::Dataset │ │ ├ - documentation: The AWS::IoTAnalytics::Dataset resource stores data retrieved from a data store by applying a `queryAction` (an SQL query) or a `containerAction` (executing a containerized application). The data set can be populated manually by calling `CreateDatasetContent` or automatically according to a `trigger` you specify. For more information, see [How to Use AWS IoT Analytics](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *AWS IoT Analytics User Guide* . │ │ │ + documentation: The AWS::IoTAnalytics::Dataset resource stores data retrieved from a data store by applying a `queryAction` (an SQL query) or a `containerAction` (executing a containerized application). The data set can be populated manually by calling `CreateDatasetContent` or automatically according to a `trigger` you specify. For more information, see [How to Use](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *User Guide* . │ │ ├ properties │ │ │ └ VersioningConfiguration: (documentation changed) │ │ └ types │ │ ├[~] type DeltaTimeSessionWindowConfiguration │ │ │ ├ - documentation: A structure that contains the configuration information of a delta time session window. │ │ │ │ [`DeltaTime`](https://docs.aws.amazon.com/iotanalytics/latest/APIReference/API_DeltaTime.html) specifies a time interval. You can use `DeltaTime` to create dataset contents with data that has arrived in the data store since the last execution. For an example of `DeltaTime` , see [Creating a SQL dataset with a delta window (CLI)](https://docs.aws.amazon.com/iotanalytics/latest/userguide/automate-create-dataset.html#automate-example6) in the *AWS IoT Analytics User Guide* . │ │ │ │ + documentation: A structure that contains the configuration information of a delta time session window. │ │ │ │ [`DeltaTime`](https://docs.aws.amazon.com/iotanalytics/latest/APIReference/API_DeltaTime.html) specifies a time interval. You can use `DeltaTime` to create dataset contents with data that has arrived in the data store since the last execution. For an example of `DeltaTime` , see [Creating a SQL dataset with a delta window (CLI)](https://docs.aws.amazon.com/iotanalytics/latest/userguide/automate-create-dataset.html#automate-example6) in the *ITA User Guide* . │ │ │ └ properties │ │ │ └ TimeoutInMinutes: (documentation changed) │ │ ├[~] type IotEventsDestinationConfiguration │ │ │ └ properties │ │ │ └ RoleArn: (documentation changed) │ │ └[~] type S3DestinationConfiguration │ │ └ properties │ │ └ RoleArn: (documentation changed) │ ├[~] resource AWS::IoTAnalytics::Datastore │ │ ├ - documentation: AWS::IoTAnalytics::Datastore resource is a repository for messages. For more information, see [How to Use AWS IoT Analytics](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *AWS IoT Analytics User Guide* . │ │ │ + documentation: AWS::IoTAnalytics::Datastore resource is a repository for messages. For more information, see [How to Use](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *User Guide* . │ │ ├ properties │ │ │ └ FileFormatConfiguration: (documentation changed) │ │ └ types │ │ ├[~] type CustomerManagedS3 │ │ │ └ properties │ │ │ └ RoleArn: (documentation changed) │ │ ├[~] type DatastoreStorage │ │ │ └ properties │ │ │ └ ServiceManagedS3: (documentation changed) │ │ └[~] type FileFormatConfiguration │ │ └ - documentation: Contains the configuration information of file formats. AWS IoT Analytics data stores support JSON and [Parquet](https://docs.aws.amazon.com/https://parquet.apache.org/) . │ │ The default file format is JSON. You can specify only one format. │ │ You can't change the file format after you create the data store. │ │ + documentation: Contains the configuration information of file formats. ITA data stores support JSON and [Parquet](https://docs.aws.amazon.com/https://parquet.apache.org/) . │ │ The default file format is JSON. You can specify only one format. │ │ You can't change the file format after you create the data store. │ └[~] resource AWS::IoTAnalytics::Pipeline │ └ - documentation: The AWS::IoTAnalytics::Pipeline resource consumes messages from one or more channels and allows you to process the messages before storing them in a data store. You must specify both a `channel` and a `datastore` activity and, optionally, as many as 23 additional activities in the `pipelineActivities` array. For more information, see [How to Use AWS IoT Analytics](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *AWS IoT Analytics User Guide* . │ + documentation: The AWS::IoTAnalytics::Pipeline resource consumes messages from one or more channels and allows you to process the messages before storing them in a data store. You must specify both a `channel` and a `datastore` activity and, optionally, as many as 23 additional activities in the `pipelineActivities` array. For more information, see [How to Use](https://docs.aws.amazon.com/iotanalytics/latest/userguide/welcome.html#aws-iot-analytics-how) in the *User Guide* . ├[~] service aws-iotfleetwise │ └ resources │ ├[~] resource AWS::IoTFleetWise::Campaign │ └[~] resource AWS::IoTFleetWise::Vehicle ├[~] service aws-ivschat │ └ resources │ └[~] resource AWS::IVSChat::Room ├[~] service aws-kafkaconnect │ └ resources │ └[~] resource AWS::KafkaConnect::Connector │ └ properties │ └[+] NetworkType: string (immutable) ├[~] service aws-lex │ └ resources │ ├[~] resource AWS::Lex::Bot │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"BotTags","variant":"standard"} │ │ └ types │ │ ├[~] type BotLocale │ │ │ └ properties │ │ │ ├[+] SpeechDetectionSensitivity: string │ │ │ └[+] UnifiedSpeechSettings: UnifiedSpeechSettings │ │ ├[~] type Intent │ │ │ └ properties │ │ │ └[+] DisplayName: string │ │ ├[+] type IntentDisambiguationSettings │ │ │ ├ name: IntentDisambiguationSettings │ │ │ └ properties │ │ │ ├ Enabled: boolean (required) │ │ │ ├ MaxDisambiguationIntents: integer │ │ │ └ CustomDisambiguationMessage: string │ │ ├[~] type NluImprovementSpecification │ │ │ └ properties │ │ │ ├[+] AssistedNluMode: string │ │ │ └[+] IntentDisambiguationSettings: IntentDisambiguationSettings │ │ ├[~] type Specifications │ │ │ └ properties │ │ │ ├ SlotTypeId: - string (required) │ │ │ │ + string │ │ │ └[+] SlotTypeName: string │ │ ├[+] type SpeechFoundationModel │ │ │ ├ name: SpeechFoundationModel │ │ │ └ properties │ │ │ ├ ModelArn: string (required) │ │ │ └ VoiceId: string │ │ ├[~] type SubSlotTypeComposition │ │ │ └ properties │ │ │ ├ SlotTypeId: - string (required) │ │ │ │ + string │ │ │ └[+] SlotTypeName: string │ │ └[+] type UnifiedSpeechSettings │ │ ├ name: UnifiedSpeechSettings │ │ └ properties │ │ └ SpeechFoundationModel: SpeechFoundationModel (required) │ └[~] resource AWS::Lex::BotAlias │ └ - tagInformation: undefined │ + tagInformation: {"tagPropertyName":"BotAliasTags","variant":"standard"} ├[~] service aws-logs │ └ resources │ └[~] resource AWS::Logs::Transformer │ └ types │ └[~] type ParseToOCSF │ └ properties │ └ MappingVersion: (documentation changed) ├[~] service aws-m2 │ └ resources │ └[~] resource AWS::M2::Application ├[~] service aws-mediapackagev2 │ └ resources │ └[~] resource AWS::MediaPackageV2::ChannelGroup ├[~] service aws-mediatailor │ └ resources │ └[~] resource AWS::MediaTailor::PlaybackConfiguration ├[~] service aws-msk │ └ resources │ └[~] resource AWS::MSK::Cluster ├[~] service aws-networkfirewall │ └ resources │ └[~] resource AWS::NetworkFirewall::Firewall ├[~] service aws-opensearchserverless │ └ resources │ └[~] resource AWS::OpenSearchServerless::Collection │ ├ properties │ │ ├[+] CollectionGroupName: string (immutable) │ │ └[+] EncryptionConfig: EncryptionConfig (immutable) │ └ types │ └[+] type EncryptionConfig │ ├ documentation: The configuration to encrypt the collection │ │ name: EncryptionConfig │ └ properties │ ├ AWSOwnedKey: boolean │ └ KmsKeyArn: string ├[~] service aws-osis │ └ resources │ └[~] resource AWS::OSIS::Pipeline ├[~] service aws-pcs │ └ resources │ └[~] resource AWS::PCS::Cluster ├[~] service aws-pinpoint │ └ resources │ └[~] resource AWS::Pinpoint::SmsTemplate │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE ├[~] service aws-pipes │ └ resources │ └[~] resource AWS::Pipes::Pipe ├[~] service aws-qbusiness │ └ resources │ └[~] resource AWS::QBusiness::Application ├[~] service aws-route53profiles │ └ resources │ └[~] resource AWS::Route53Profiles::Profile │ └ attributes │ └ ShareStatus: (documentation changed) ├[~] service aws-route53resolver │ └ resources │ └[~] resource AWS::Route53Resolver::ResolverEndpoint │ └ properties │ ├ RniEnhancedMetricsEnabled: (documentation changed) │ └ TargetNameServerMetricsEnabled: (documentation changed) ├[~] service aws-rum │ └ resources │ └[~] resource AWS::RUM::AppMonitor ├[~] service aws-sagemaker │ └ resources │ └[~] resource AWS::SageMaker::Workteam ├[~] service aws-ses │ └ resources │ ├[~] resource AWS::SES::MailManagerIngressPoint │ └[~] resource AWS::SES::MailManagerRuleSet ├[~] service aws-shield │ └ resources │ └[~] resource AWS::Shield::Protection ├[~] service aws-ssm │ └ resources │ └[~] resource AWS::SSM::MaintenanceWindowTask │ └ attributes │ └[-] Id: string ├[~] service aws-stepfunctions │ └ resources │ └[~] resource AWS::StepFunctions::StateMachine ├[~] service aws-transfer │ └ resources │ └[~] resource AWS::Transfer::Server ├[~] service aws-vpclattice │ └ resources │ ├[~] resource AWS::VpcLattice::ResourceConfiguration │ └[~] resource AWS::VpcLattice::Service ├[~] service aws-wafv2 │ └ resources │ └[~] resource AWS::WAFv2::WebACL ├[~] service aws-wisdom │ └ resources │ └[~] resource AWS::Wisdom::Assistant └[~] service aws-workspacesweb └ resources └[~] resource AWS::WorkSpacesWeb::UserSettings ├ properties │ └ BrandingConfiguration: (documentation changed) ├ attributes │ ├ BrandingConfiguration.FaviconMetadata: (documentation changed) │ ├ BrandingConfiguration.LogoMetadata: (documentation changed) │ └ BrandingConfiguration.WallpaperMetadata: (documentation changed) └ types ├[~] type BrandingConfiguration │ ├ - documentation: undefined │ │ + documentation: The branding configuration that customizes the appearance of the web portal for end users. This includes a custom logo, favicon, wallpaper, localized strings, color theme, and an optional terms of service. │ │ > The `LogoMetadata` , `FaviconMetadata` , and `WallpaperMetadata` properties are read-only and cannot be specified in your template. They are automatically populated by the service after you upload images and can be retrieved using the `Fn::GetAtt` intrinsic function. │ └ properties │ ├ ColorTheme: (documentation changed) │ ├ Favicon: (documentation changed) │ ├ FaviconMetadata: (documentation changed) │ ├ LocalizedStrings: (documentation changed) │ ├ Logo: (documentation changed) │ ├ LogoMetadata: (documentation changed) │ ├ TermsOfService: (documentation changed) │ ├ Wallpaper: (documentation changed) │ └ WallpaperMetadata: (documentation changed) ├[~] type ImageMetadata │ ├ - documentation: undefined │ │ + documentation: Metadata information about an uploaded image file. │ └ properties │ ├ FileExtension: (documentation changed) │ ├ LastUploadTimestamp: (documentation changed) │ └ MimeType: (documentation changed) └[~] type LocalizedBrandingStrings ├ - documentation: undefined │ + documentation: Localized text strings for a specific language that customize the web portal. └ properties ├ BrowserTabTitle: (documentation changed) ├ ContactButtonText: (documentation changed) ├ ContactLink: (documentation changed) ├ LoadingText: (documentation changed) ├ LoginButtonText: (documentation changed) ├ LoginDescription: (documentation changed) ├ LoginTitle: (documentation changed) └ WelcomeText: (documentation changed) ```

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.233.0/CHANGELOG.md)

### Reason for this change `vendedLogs` property now has the right type for us to use it again. ### Description of changes Replace instances where `vendedLogsConfig` was used with `vendedLogs` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ironments (#36356) ### Issue # (if applicable) Closes #36348. ### Reason for this change The AWS Batch documentation within the CDK library incorrectly stated that the default Spot allocation strategy is `SPOT_CAPACITY_OPTIMIZED`. However, the default was changed to `SPOT_PRICE_CAPACITY_OPTIMIZED` in PR #26731 (August 2023), and several JSDoc `@default` annotations were never updated. This resulted in inconsistencies between: - The published CDK API documentation - The JSDoc source annotations - The actual implementation (`determineAllocationStrategy()`), which correctly uses `SPOT_PRICE_CAPACITY_OPTIMIZED` This PR updates the documentation to accurately reflect the correct behavior. ### Description of changes - Updated all incorrect JSDoc `@default` annotations in `managed-compute-environment.ts`. - Replaced all mentions of `SPOT_CAPACITY_OPTIMIZED` with `SPOT_PRICE_CAPACITY_OPTIMIZED` in affected interfaces and props. - Ensured consistency across: - `IManagedEc2EcsComputeEnvironment` - `ManagedEc2EcsComputeEnvironmentProps` - `IManagedEc2EksComputeEnvironment` - `ManagedEc2EksComputeEnvironmentProps` - No runtime logic was modified; this PR corrects documentation only. **Alternatives considered:** - Leaving the outdated docs in place — rejected because it causes user confusion. - Introducing a transitional deprecation note — rejected to maintain clean, accurate documentation. **Design decisions:** - Align JSDoc documentation with the real default used by the CDK implementation. ### Describe any new or updated permissions being added No new or updated IAM permissions are introduced. This PR updates documentation only. ### Description of how you validated changes - Verified via code inspection that `determineAllocationStrategy()` already uses the correct default (`SPOT_PRICE_CAPACITY_OPTIMIZED`). - Searched for all relevant JSDoc `@default` comments and corrected them. - Rebuilt the module to ensure no JSII or TypeScript documentation inconsistencies. - Confirmed that no integration tests or runtime behavior are affected. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…esCapacityProvider (#35796) ### Issue # (if applicable) Related to #35742 ### Reason for this change The ManagedInstancesCapacityProvider construct was requiring users to pass `ec2InstanceProfile`. This PR makes this optional and automatically creates one. Note that the role name must be prefixed with "ecsInstanceRole". This is a restriction from the managed policy on the infrastructure role https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonECSInfrastructureRolePolicyForManagedInstances.html https://docs.aws.amazon.com/AmazonECS/latest/developerguide/managed-instances-instance-profile.html ### Description of changes ec2InstanceProfile is now optional ### Describe any new or updated permissions being added - A default role is created with a scoped down version of `AmazonECSInstanceRolePolicyForManagedInstances` - AWS managed policy attached to the EC2 instance profile role that provides necessary permissions for ECS managed instances to register with ecs clusters, pull from ECR, send logs to CW and access ECS agent endpoint. ### Description of how you validated changes ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…36275) ### Issue # (if applicable) N/a ### Reason for this change Current validation of fields for recent capacity provider additions in `aws-lambda` does not take into account unresolved tokens. ### Description of changes Added `Token.isUnresolved()` checks before all new validations. This ensures that validation only occurs when concrete values are provided, while still allowing tokens to pass through for CloudFormation resolution. ### Describe any new or updated permissions being added N/a ### Description of how you validated changes Changes should be only internal, validated that unit and integration tests continued to work. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

….amazonaws for new region eusc-de-east-1 for ECR & API Gateway services (#36471) ### Reason for this change For the new region `eusc-de-east-1` will be launched in [AWS European Sovereign Cloud](https://aws.amazon.com/blogs/security/introducing-the-overview-of-the-aws-european-sovereign-cloud-whitepaper/), services like:- - ECR - API Gateway - Security Hub They have their VPC endpoint service name starts with prefix `eu.amazonaws` rather than the default `com.amazonaws` This requires special handling similar to what's already implemented for China regions `cn-north-1` & `cn-northwest-1` otherwise, while deploying, CloudFormation stacks will hit the error *"The Vpc Endpoint Service `com.amazonaws.eusc-de-east-1.ecr.dkr` does not exist"* ### Description of changes In the file `packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts`, I am updating the method `getDefaultEndpointPrefix`, adding special handling for `eusc-de-east-1` when services are `['ecr.dkr', 'ecr.api', 'execute-api', 'securityhub']` to return `eu.amazonaws` instead of `com.amazonaws`. This is similar to what's already existing for China regions. ### Description of how you validated changes I also updated `packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts` to cover unit tests and was confirmed tests are passed `````` maelnabi@c889f3aaec8b aws-cdk-lib % yarn test aws-ec2 yarn run v1.22.22 $ jest aws-ec2 PASS aws-ec2/test/volume.test.ts (13.106 s) PASS aws-ec2/test/instance.test.ts (14.333 s) PASS aws-ec2/test/vpc.test.ts (15.864 s) PASS aws-ec2/test/vpc-endpoint.test.ts (17.116 s) PASS aws-ec2/test/launch-template.test.ts PASS aws-ec2/test/security-group.test.ts PASS aws-ec2/test/vpc-flow-logs.test.ts PASS aws-ec2/test/userdata.test.ts PASS aws-ec2/test/cfn-init.test.ts PASS aws-ec2/test/cfn-init-element.test.ts PASS aws-ec2/test/machine-image.test.ts PASS aws-ec2/test/ip-addresses.test.ts PASS aws-ec2/test/vpc.from-lookup.test.ts PASS aws-ec2/test/connections.test.ts PASS aws-ec2/test/vpc-endpoint-service.test.ts PASS aws-ec2/test/vpn.test.ts PASS aws-ec2/test/client-vpn-endpoint.test.ts PASS aws-ec2/test/prefix-list.test.ts PASS aws-ec2/test/network-utils.test.ts PASS aws-ec2/test/bastion-host.test.ts PASS aws-ec2/test/aspects/require-imdsv2-aspect.test.ts PASS aws-ec2/test/client-vpn-route.test.ts PASS aws-ec2/test/key-pair.test.ts PASS aws-ec2/test/client-vpn-authorization-rule.test.ts PASS aws-ec2/test/placement-group.test.ts PASS aws-ec2/test/cidr-splits.test.ts PASS aws-ec2/test/instance-requirements.test.ts PASS aws-ec2/test/l1.test.ts PASS aws-ec2/test/instance-type.test.ts =============================== Coverage summary =============================== Statements : 59.25% ( 12033/20308 ) Branches : 41.58% ( 3168/7618 ) Functions : 43.44% ( 1860/4281 ) Lines : 60.55% ( 11632/19210 ) ================================================================================ Test Suites: 29 passed, 29 total Tests: 941 passed, 941 total Snapshots: 0 total Time: 29.278 s Ran all test suites matching /aws-ec2/i. ✨ Done in 32.88s. `````` ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

…FN (#36493) This is the change in CDK that consumes the spec update cdklabs/awscdk-service-spec#2328. This accounts for `{ Ref }` not always returning what the schema says that the primary identifier of a resource is. This is not unexpected or wrong: the Registry Schema describes the behavior of Cloud Control API, and the identifier uniquely identifies a resource in an account. We do need to account for the differences though. What we will do is: - Retain the CC-API fields in the reference interface if we hvae the values. - Fall back to the (smaller) CFN identifier fields if we don't have the values. - Make the CFN identifier fields win if the identifiers are equal size (in which case we probably a Name vs ARN distinction). This brings in a new version of service-spec so it also adds a new service. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes #36484. ### Reason for this change `App.of()` falls through to `Stage.of()`, causing incorrect return values: 1. Returns `Stage` instead of `App` when both exist in hierarchy 2. Returns `undefined` when called on App itself ### Description of changes - Added `App.of()` method that directly checks root using `construct.node.root` and `App.isApp()` validation - Added unit tests for `App.of()` ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Added unit tests: - `App.of() returns the app when scope is app` - `App.of() returns the app when scope is stack->stage->app` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@default

### Issue # (if applicable) None ### Reason for this change Default description is not correctly styled. ```ts @default - 0 @default some long sentence ``` ### Description of changes Update default description ### Describe any new or updated permissions being added None ### Description of how you validated changes None ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change Add support for newly supported 8.0.mysql_aurora.3.11.1. ### Description of changes Add a new version as a new property to AuroraMysqlEngineVersion class. ### Description of how you validated changes ``` aws rds describe-db-engine-versions --engine aurora-mysql --query "DBEngineVersions[?EngineVersion=='8.0.mysql_aurora.3.11.1']" [ { "Engine": "aurora-mysql", "MajorEngineVersion": "8.0", "EngineVersion": "8.0.mysql_aurora.3.11.1", "DBParameterGroupFamily": "aurora-mysql8.0", "DBEngineDescription": "Aurora MySQL", "DBEngineVersionDescription": "Aurora MySQL 3.11.1 (compatible with MySQL 8.0.43)", "ValidUpgradeTarget": [], "ExportableLogTypes": [ "audit", "error", "general", "iam-db-auth-error", "instance", "slowquery" ], "SupportsLogExportsToCloudwatchLogs": true, "SupportsReadReplica": false, "SupportedEngineModes": [ "provisioned" ], "SupportedFeatureNames": [ "Bedrock" ], "Status": "available", "SupportsParallelQuery": true, "SupportsGlobalDatabases": true, "SupportsBabelfish": false, "SupportsLimitlessDatabase": false, "SupportsCertificateRotationWithoutRestart": true, "SupportedCACertificateIdentifiers": [ "rds-ca-ecc384-g1", "rds-ca-rsa4096-g1", "rds-ca-rsa2048-g1" ], "SupportsLocalWriteForwarding": true, "SupportsIntegrations": true, "ServerlessV2FeaturesSupport": { "MinCapacity": 0.0, "MaxCapacity": 256.0 } } ] ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…36487) ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change `MathExpression` class has multiple props that needs to be alphanumeric, that check for this is already there, but the problem is the checker doesn't check first if it's token or not. so for any tokens it always throw an error since it has `$` even if the resolve of this token is alphanumeric string. ### Description of changes I'm checking if it's token or not, and if it's i'm passing the alphanumeric checker, since in this case u can't check it. ### Describe any new or updated permissions being added ### Description of how you validated changes ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Extend Copyright year range to 2026, Happy New Year 🎉 ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-apigateway │ └ resources │ ├[~] resource AWS::ApiGateway::Authorizer │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["AuthorizerId"] │ ├[~] resource AWS::ApiGateway::Deployment │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["DeploymentId"] │ ├[~] resource AWS::ApiGateway::DocumentationPart │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["DocumentationPartId"] │ ├[~] resource AWS::ApiGateway::Model │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Name"] │ ├[~] resource AWS::ApiGateway::RequestValidator │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["RequestValidatorId"] │ ├[~] resource AWS::ApiGateway::Resource │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ResourceId"] │ └[~] resource AWS::ApiGateway::Stage │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["StageName"] ├[~] service aws-apigatewayv2 │ └ resources │ ├[~] resource AWS::ApiGatewayV2::ApiMapping │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ApiMappingId"] │ ├[~] resource AWS::ApiGatewayV2::Authorizer │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["AuthorizerId"] │ ├[~] resource AWS::ApiGatewayV2::Deployment │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["DeploymentId"] │ ├[~] resource AWS::ApiGatewayV2::Integration │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["IntegrationId"] │ ├[~] resource AWS::ApiGatewayV2::IntegrationResponse │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["IntegrationResponseId"] │ ├[~] resource AWS::ApiGatewayV2::Model │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ModelId"] │ ├[~] resource AWS::ApiGatewayV2::Route │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["RouteId"] │ ├[~] resource AWS::ApiGatewayV2::RouteResponse │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["RouteResponseId"] │ └[~] resource AWS::ApiGatewayV2::Stage │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["StageName"] ├[~] service aws-appconfig │ └ resources │ ├[~] resource AWS::AppConfig::ConfigurationProfile │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ConfigurationProfileId"] │ ├[~] resource AWS::AppConfig::Environment │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["EnvironmentId"] │ └[~] resource AWS::AppConfig::HostedConfigurationVersion │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["VersionNumber"] ├[~] service aws-appmesh │ └ resources │ ├[~] resource AWS::AppMesh::GatewayRoute │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Arn"] │ ├[~] resource AWS::AppMesh::Mesh │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Arn"] │ ├[~] resource AWS::AppMesh::Route │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Arn"] │ ├[~] resource AWS::AppMesh::VirtualGateway │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Arn"] │ ├[~] resource AWS::AppMesh::VirtualNode │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Arn"] │ ├[~] resource AWS::AppMesh::VirtualRouter │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Arn"] │ └[~] resource AWS::AppMesh::VirtualService │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Arn"] ├[~] service aws-appsync │ └ resources │ ├[~] resource AWS::AppSync::ApiKey │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Arn"] │ └[~] resource AWS::AppSync::GraphQLApi │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Arn"] ├[~] service aws-arcregionswitch │ └ resources │ └[~] resource AWS::ARCRegionSwitch::Plan │ ├ properties │ │ └[+] ReportConfiguration: ReportConfiguration │ └ types │ ├[+] type DocumentDbConfiguration │ │ ├ name: DocumentDbConfiguration │ │ └ properties │ │ ├ TimeoutMinutes: number (default=60) │ │ ├ CrossAccountRole: string │ │ ├ ExternalId: string │ │ ├ Behavior: string (required) │ │ ├ GlobalClusterIdentifier: string (required) │ │ ├ DatabaseClusterArns: Array<string> (required) │ │ └ Ungraceful: DocumentDbUngraceful │ ├[+] type DocumentDbUngraceful │ │ ├ name: DocumentDbUngraceful │ │ └ properties │ │ └ Ungraceful: string │ ├[~] type ExecutionBlockConfiguration │ │ └ properties │ │ └[+] DocumentDbConfig: DocumentDbConfiguration │ ├[+] type ReportConfiguration │ │ ├ name: ReportConfiguration │ │ └ properties │ │ └ ReportOutput: Array<ReportOutputConfiguration> │ ├[+] type ReportOutputConfiguration │ │ ├ name: ReportOutputConfiguration │ │ └ properties │ │ └ S3Configuration: S3ReportOutputConfiguration (required) │ └[+] type S3ReportOutputConfiguration │ ├ name: S3ReportOutputConfiguration │ └ properties │ ├ BucketPath: string │ └ BucketOwner: string ├[~] service aws-autoscaling │ └ resources │ └[~] resource AWS::AutoScaling::AutoScalingGroup │ ├ properties │ │ └ InstanceLifecyclePolicy: (documentation changed) │ └ types │ ├[~] type InstanceLifecyclePolicy │ │ ├ - documentation: undefined │ │ │ + documentation: The instance lifecycle policy for the Auto Scaling group. This policy controls instance behavior when an instance transitions through its lifecycle states. Configure retention triggers to specify when instances should move to a `Retained` state instead of automatic termination. │ │ │ For more information, see [Control instance retention with instance lifecycle policies](https://docs.aws.amazon.com/autoscaling/ec2/userguide/instance-lifecycle-policy.html) in the *Amazon EC2 Auto Scaling User Guide* . │ │ └ properties │ │ └ RetentionTriggers: (documentation changed) │ ├[~] type LaunchTemplateOverrides │ │ └ properties │ │ └ ImageId: (documentation changed) │ └[~] type RetentionTriggers │ ├ - documentation: undefined │ │ + documentation: Defines the specific triggers that cause instances to be retained in a Retained state rather than terminated. Each trigger corresponds to a different failure scenario during the instance lifecycle. This allows fine-grained control over when to preserve instances for manual intervention. │ └ properties │ └ TerminateHookAbandon: (documentation changed) ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::JobDefinition │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["JobDefinitionArn"] ├[~] service aws-billingconductor │ └ resources │ └[~] resource AWS::BillingConductor::BillingGroup │ └ types │ └[~] type AccountGrouping │ └ properties │ └ ResponsibilityTransferArn: (documentation changed) ├[+] service aws-cases │ ├ capitalized: Cases │ │ cloudFormationNamespace: AWS::Cases │ │ name: aws-cases │ │ shortName: cases │ └ resources │ ├ resource AWS::Cases::CaseRule │ │ ├ name: CaseRule │ │ │ cloudFormationType: AWS::Cases::CaseRule │ │ │ documentation: Creates a new case rule. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ │ primaryIdentifier: ["CaseRuleArn"] │ │ ├ properties │ │ │ ├ Description: string │ │ │ ├ DomainId: string (immutable) │ │ │ ├ Name: string (required) │ │ │ ├ Rule: CaseRuleDetails (required) │ │ │ └ Tags: Array<tag> │ │ ├ attributes │ │ │ ├ CaseRuleId: string │ │ │ ├ CreatedTime: string │ │ │ ├ LastModifiedTime: string │ │ │ └ CaseRuleArn: string │ │ └ types │ │ ├ type BooleanCondition │ │ │ ├ documentation: Boolean condition for a rule. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ │ │ name: BooleanCondition │ │ │ └ properties │ │ │ ├ EqualTo: BooleanOperands │ │ │ └ NotEqualTo: BooleanOperands │ │ ├ type BooleanOperands │ │ │ ├ documentation: Boolean operands for a condition. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ │ │ name: BooleanOperands │ │ │ └ properties │ │ │ ├ OperandOne: OperandOne (required) │ │ │ ├ OperandTwo: OperandTwo (required) │ │ │ └ Result: boolean (required) │ │ ├ type CaseRuleDetails │ │ │ ├ documentation: Represents what rule type should take place, under what conditions. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ │ │ name: CaseRuleDetails │ │ │ └ properties │ │ │ ├ Required: RequiredCaseRule │ │ │ └ Hidden: HiddenCaseRule │ │ ├ type HiddenCaseRule │ │ │ ├ documentation: A rule that controls field visibility based on conditions. Fields can be shown or hidden dynamically based on values in other fields. │ │ │ │ name: HiddenCaseRule │ │ │ └ properties │ │ │ ├ DefaultValue: boolean (required) │ │ │ └ Conditions: Array<BooleanCondition> (required) │ │ ├ type OperandOne │ │ │ ├ documentation: Represents the left hand operand in the condition. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ │ │ name: OperandOne │ │ │ └ properties │ │ │ └ FieldId: string (required) │ │ ├ type OperandTwo │ │ │ ├ documentation: Represents the right hand operand in the condition. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ │ │ name: OperandTwo │ │ │ └ properties │ │ │ ├ StringValue: string │ │ │ ├ BooleanValue: boolean │ │ │ ├ DoubleValue: number │ │ │ └ EmptyValue: json │ │ └ type RequiredCaseRule │ │ ├ documentation: Required rule type, used to indicate whether a field is required. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ │ name: RequiredCaseRule │ │ └ properties │ │ ├ DefaultValue: boolean (required) │ │ └ Conditions: Array<BooleanCondition> (required) │ ├ resource AWS::Cases::Domain │ │ ├ name: Domain │ │ │ cloudFormationType: AWS::Cases::Domain │ │ │ documentation: Creates a domain, which is a container for all case data, such as cases, fields, templates and layouts. Each Amazon Connect instance can be associated with only one Cases domain. │ │ │ > This will not associate your connect instance to Cases domain. Instead, use the Amazon Connect [CreateIntegrationAssociation](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateIntegrationAssociation.html) API. You need specific IAM permissions to successfully associate the Cases domain. For more information, see [Onboard to Cases](https://docs.aws.amazon.com/connect/latest/adminguide/required-permissions-iam-cases.html#onboard-cases-iam) . │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ │ arnTemplate: arn:${Partition}:cases:${Region}:${Account}:domain/${DomainId} │ │ │ primaryIdentifier: ["DomainArn"] │ │ ├ properties │ │ │ ├ Name: string (required, immutable) │ │ │ └ Tags: Array<tag> │ │ └ attributes │ │ ├ CreatedTime: string │ │ ├ DomainArn: string │ │ ├ DomainId: string │ │ └ DomainStatus: string │ ├ resource AWS::Cases::Field │ │ ├ name: Field │ │ │ cloudFormationType: AWS::Cases::Field │ │ │ documentation: Creates a field in the Cases domain. This field is used to define the case object model (that is, defines what data can be captured on cases) in a Cases domain. │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ │ primaryIdentifier: ["FieldArn"] │ │ ├ properties │ │ │ ├ Description: string │ │ │ ├ DomainId: string (immutable) │ │ │ ├ Name: string (required) │ │ │ ├ Tags: Array<tag> │ │ │ └ Type: string (required, immutable) │ │ └ attributes │ │ ├ FieldArn: string │ │ ├ FieldId: string │ │ ├ Namespace: string │ │ ├ CreatedTime: string │ │ └ LastModifiedTime: string │ ├ resource AWS::Cases::Layout │ │ ├ name: Layout │ │ │ cloudFormationType: AWS::Cases::Layout │ │ │ documentation: Creates a layout in the Cases domain. Layouts define the following configuration in the top section and More Info tab of the Cases user interface: │ │ │ - Fields to display to the users │ │ │ - Field ordering │ │ │ > Title and Status fields cannot be part of layouts since they are not configurable. │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ │ primaryIdentifier: ["LayoutArn"] │ │ ├ properties │ │ │ ├ Content: LayoutContent (required) │ │ │ ├ DomainId: string (immutable) │ │ │ ├ Name: string (required) │ │ │ └ Tags: Array<tag> │ │ ├ attributes │ │ │ ├ CreatedTime: string │ │ │ ├ LastModifiedTime: string │ │ │ ├ LayoutArn: string │ │ │ └ LayoutId: string │ │ └ types │ │ ├ type BasicLayout │ │ │ ├ documentation: Content specific to `BasicLayout` type. It configures fields in the top panel and More Info tab of agent application. │ │ │ │ name: BasicLayout │ │ │ └ properties │ │ │ ├ TopPanel: LayoutSections │ │ │ └ MoreInfo: LayoutSections │ │ ├ type FieldGroup │ │ │ ├ documentation: Object for a group of fields and associated properties. │ │ │ │ name: FieldGroup │ │ │ └ properties │ │ │ ├ Name: string │ │ │ └ Fields: Array<FieldItem> (required) │ │ ├ type FieldItem │ │ │ ├ documentation: Object for field related information. │ │ │ │ name: FieldItem │ │ │ └ properties │ │ │ └ Id: string (required) │ │ ├ type LayoutContent │ │ │ ├ documentation: Object to store union of different versions of layout content. │ │ │ │ name: LayoutContent │ │ │ └ properties │ │ │ └ Basic: BasicLayout (required) │ │ ├ type LayoutSections │ │ │ ├ documentation: Ordered list containing different kinds of sections that can be added. A LayoutSections object can only contain one section. │ │ │ │ name: LayoutSections │ │ │ └ properties │ │ │ └ Sections: Array<Section> │ │ └ type Section │ │ ├ documentation: This represents a sections within a panel or tab of the page layout. │ │ │ name: Section │ │ └ properties │ │ └ FieldGroup: FieldGroup (required) │ └ resource AWS::Cases::Template │ ├ name: Template │ │ cloudFormationType: AWS::Cases::Template │ │ documentation: Creates a template in the Cases domain. This template is used to define the case object model (that is, to define what data can be captured on cases) in a Cases domain. A template must have a unique name within a domain, and it must reference existing field IDs and layout IDs. Additionally, multiple fields with same IDs are not allowed within the same Template. A template can be either Active or Inactive, as indicated by its status. Inactive templates cannot be used to create cases. │ │ Other template APIs are: │ │ - [DeleteTemplate](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-cases_DeleteTemplate.html) │ │ - [GetTemplate](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-cases_GetTemplate.html) │ │ - [ListTemplates](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-cases_ListTemplates.html) │ │ - [UpdateTemplate](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-cases_UpdateTemplate.html) │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ primaryIdentifier: ["TemplateArn"] │ ├ properties │ │ ├ DomainId: string (immutable) │ │ ├ Name: string (required) │ │ ├ Description: string │ │ ├ LayoutConfiguration: LayoutConfiguration │ │ ├ RequiredFields: Array<RequiredField> │ │ ├ Rules: Array<TemplateRule> │ │ ├ Status: string │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ CreatedTime: string │ │ ├ LastModifiedTime: string │ │ ├ TemplateArn: string │ │ └ TemplateId: string │ └ types │ ├ type LayoutConfiguration │ │ ├ documentation: Object to store configuration of layouts associated to the template. │ │ │ name: LayoutConfiguration │ │ └ properties │ │ └ DefaultLayout: string │ ├ type RequiredField │ │ ├ documentation: List of fields that must have a value provided to create a case. │ │ │ name: RequiredField │ │ └ properties │ │ └ FieldId: string (required) │ └ type TemplateRule │ ├ documentation: An association representing a case rule acting upon a field. In the Amazon Connect admin website, case rules are known as *case field conditions* . For more information about case field conditions, see [Add case field conditions to a case template](https://docs.aws.amazon.com/connect/latest/adminguide/case-field-conditions.html) . │ │ name: TemplateRule │ └ properties │ ├ CaseRuleId: string (required) │ └ FieldId: string ├[~] service aws-cloudwatch │ └ resources │ └[~] resource AWS::CloudWatch::InsightRule │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Arn"] ├[~] service aws-codebuild │ └ resources │ ├[~] resource AWS::CodeBuild::Project │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Name"] │ └[~] resource AWS::CodeBuild::ReportGroup │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Arn"] ├[~] service aws-codedeploy │ └ resources │ └[~] resource AWS::CodeDeploy::DeploymentGroup │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["DeploymentGroupName"] ├[~] service aws-codepipeline │ └ resources │ └[~] resource AWS::CodePipeline::Webhook │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Name"] ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::UserPoolClient │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ClientId"] │ ├[~] resource AWS::Cognito::UserPoolDomain │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Domain"] │ ├[~] resource AWS::Cognito::UserPoolGroup │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["GroupName"] │ ├[~] resource AWS::Cognito::UserPoolIdentityProvider │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ProviderName"] │ ├[~] resource AWS::Cognito::UserPoolResourceServer │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Identifier"] │ └[~] resource AWS::Cognito::UserPoolUser │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Username"] ├[~] service aws-connect │ └ resources │ ├[~] resource AWS::Connect::ContactFlowModule │ │ ├ properties │ │ │ ├[+] ExternalInvocationConfiguration: ExternalInvocationConfiguration │ │ │ └[+] Settings: string │ │ └ types │ │ └[+] type ExternalInvocationConfiguration │ │ ├ documentation: The external invocation configuration for the flow module │ │ │ name: ExternalInvocationConfiguration │ │ └ properties │ │ └ Enabled: boolean (required) │ └[~] resource AWS::Connect::HoursOfOperation │ ├ properties │ │ ├[+] ChildHoursOfOperations: Array<HoursOfOperationsIdentifier> │ │ └[+] ParentHoursOfOperations: Array<HoursOfOperationsIdentifier> │ └ types │ ├[~] type HoursOfOperationOverride │ │ └ properties │ │ ├[+] OverrideType: string │ │ └[+] RecurrenceConfig: RecurrenceConfig │ ├[+] type HoursOfOperationsIdentifier │ │ ├ documentation: Identifier for hours of operation. │ │ │ name: HoursOfOperationsIdentifier │ │ └ properties │ │ ├ Name: string │ │ └ Id: string (required) │ ├[+] type RecurrenceConfig │ │ ├ documentation: Configuration for recurring hours of operation overrides. │ │ │ name: RecurrenceConfig │ │ └ properties │ │ └ RecurrencePattern: RecurrencePattern (required) │ └[+] type RecurrencePattern │ ├ documentation: Pattern for recurring hours of operation overrides. │ │ name: RecurrencePattern │ └ properties │ ├ Frequency: string │ ├ Interval: integer │ ├ ByMonth: Array<integer> │ ├ ByMonthDay: Array<integer> │ └ ByWeekdayOccurrence: Array<integer> ├[~] service aws-dax │ └ resources │ ├[~] resource AWS::DAX::Cluster │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ClusterName"] │ ├[~] resource AWS::DAX::ParameterGroup │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ParameterGroupName"] │ └[~] resource AWS::DAX::SubnetGroup │ └ - primaryIdentifier: ["SubnetGroupName"] │ + primaryIdentifier: ["Id"] │ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["SubnetGroupName"] ├[~] service aws-directoryservice │ └ resources │ └[~] resource AWS::DirectoryService::MicrosoftAD │ └ - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:${DirectoryId} │ + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId} ├[~] service aws-dms │ └ resources │ └[~] resource AWS::DMS::EventSubscription │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["SubscriptionName"] ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::ClientVpnEndpoint │ │ └ properties │ │ ├[+] EndpointIpAddressType: string (immutable) │ │ └[+] TrafficIpAddressType: string (immutable) │ ├[~] resource AWS::EC2::EC2Fleet │ │ └ types │ │ └[~] type FleetLaunchTemplateOverridesRequest │ │ └ properties │ │ └ AvailabilityZone: (documentation changed) │ ├[~] resource AWS::EC2::EIP │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["PublicIp"] │ ├[~] resource AWS::EC2::SpotFleet │ │ └ types │ │ └[~] type LaunchTemplateOverrides │ │ └ properties │ │ └ AvailabilityZone: (documentation changed) │ ├[~] resource AWS::EC2::TransitGatewayMeteringPolicy │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-metering-policy/${TransitGatewayMeteringPolicyId} │ ├[~] resource AWS::EC2::VPCEncryptionControl │ │ └ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:ec2:${Region}:${Account}:vpc-encryption-control/${VpcEncryptionControlId} │ ├[~] resource AWS::EC2::VPNConcentrator │ │ ├ - arnTemplate: undefined │ │ │ + arnTemplate: arn:${Partition}:ec2:${Region}:${Account}:vpn-concentrator/${VpnConcentratorId} │ │ └ attributes │ │ └ VpnConcentratorId: (documentation changed) │ └[~] resource AWS::EC2::VPNConnection │ └ properties │ ├ TunnelBandwidth: (documentation changed) │ └ VpnConcentratorId: (documentation changed) ├[~] service aws-ecs │ └ resources │ ├[~] resource AWS::ECS::CapacityProvider │ │ └ types │ │ └[~] type InstanceLaunchTemplate │ │ └ properties │ │ └[+] CapacityOptionType: string │ ├[~] resource AWS::ECS::ExpressGatewayService │ │ ├ attributes │ │ │ ├ ECSManagedResourceArns.AutoScaling.ApplicationAutoScalingPolicies: (documentation changed) │ │ │ ├ ECSManagedResourceArns.AutoScaling.ScalableTarget: (documentation changed) │ │ │ ├ ECSManagedResourceArns.IngressPath.CertificateArn: (documentation changed) │ │ │ ├ ECSManagedResourceArns.IngressPath.ListenerArn: (documentation changed) │ │ │ ├ ECSManagedResourceArns.IngressPath.ListenerRuleArn: (documentation changed) │ │ │ ├ ECSManagedResourceArns.IngressPath.LoadBalancerArn: (documentation changed) │ │ │ ├ ECSManagedResourceArns.IngressPath.LoadBalancerSecurityGroups: (documentation changed) │ │ │ ├ ECSManagedResourceArns.IngressPath.TargetGroupArns: (documentation changed) │ │ │ ├ ECSManagedResourceArns.LogGroups: (documentation changed) │ │ │ ├ ECSManagedResourceArns.MetricAlarms: (documentation changed) │ │ │ ├ ECSManagedResourceArns.ServiceSecurityGroups: (documentation changed) │ │ │ └ Endpoint: (documentation changed) │ │ └ types │ │ ├[~] type AutoScalingArns │ │ │ └ properties │ │ │ ├ ApplicationAutoScalingPolicies: (documentation changed) │ │ │ └ ScalableTarget: (documentation changed) │ │ ├[~] type ECSManagedResourceArns │ │ │ └ properties │ │ │ ├ LogGroups: (documentation changed) │ │ │ ├ MetricAlarms: (documentation changed) │ │ │ └ ServiceSecurityGroups: (documentation changed) │ │ └[~] type IngressPathArns │ │ └ properties │ │ ├ CertificateArn: (documentation changed) │ │ ├ ListenerArn: (documentation changed) │ │ ├ ListenerRuleArn: (documentation changed) │ │ ├ LoadBalancerArn: (documentation changed) │ │ ├ LoadBalancerSecurityGroups: (documentation changed) │ │ └ TargetGroupArns: (documentation changed) │ └[~] resource AWS::ECS::Service │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["ServiceArn"] ├[~] service aws-elasticache │ └ resources │ ├[~] resource AWS::ElastiCache::CacheCluster │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["ClusterName"] │ └[~] resource AWS::ElastiCache::User │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["UserName"] ├[~] service aws-elasticloadbalancing │ └ resources │ └[~] resource AWS::ElasticLoadBalancing::LoadBalancer │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["LoadBalancerName"] ├[~] service aws-elasticsearch │ └ resources │ └[~] resource AWS::Elasticsearch::Domain │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["DomainName"] ├[~] service aws-emr │ └ resources │ └[~] resource AWS::EMR::Step │ └ properties │ ├[+] EncryptionKeyArn: string (immutable) │ └[+] LogUri: string (immutable) ├[~] service aws-events │ └ resources │ └[~] resource AWS::Events::Rule │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["EventBusName","Name"] ├[~] service aws-eventschemas │ └ resources │ └[~] resource AWS::EventSchemas::RegistryPolicy │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["RegistryName"] ├[~] service aws-gameliftstreams │ └ resources │ └[~] resource AWS::GameLiftStreams::StreamGroup │ ├ properties │ │ └ StreamClass: (documentation changed) │ └ types │ └[~] type LocationConfiguration │ └ properties │ ├ AlwaysOnCapacity: (documentation changed) │ └ OnDemandCapacity: (documentation changed) ├[~] service aws-glue │ └ resources │ ├[~] resource AWS::Glue::DevEndpoint │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["EndpointName"] │ └[~] resource AWS::Glue::Workflow │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Name"] ├[~] service aws-groundstation │ └ resources │ └[~] resource AWS::GroundStation::DataflowEndpointGroupV2 │ ├ - documentation: Resource Type definition for AWS Ground Station DataflowEndpointGroupV2 │ │ + documentation: Creates a `DataflowEndpoint` group containing the specified list of Ground Station Agent based endpoints. │ │ The `name` field in each endpoint is used in your mission profile `DataflowEndpointConfig` to specify which endpoints to use during a contact. │ │ When a contact uses multiple `DataflowEndpointConfig` objects, each `Config` must match a `DataflowEndpoint` in the same group. │ │ - arnTemplate: undefined │ │ + arnTemplate: arn:${Partition}:groundstation:${Region}:${Account}:dataflow-endpoint-group/${DataflowEndpointGroupId} │ ├ properties │ │ ├ ContactPostPassDurationSeconds: (documentation changed) │ │ ├ ContactPrePassDurationSeconds: (documentation changed) │ │ ├ Endpoints: (documentation changed) │ │ └ Tags: (documentation changed) │ ├ attributes │ │ └ EndpointDetails: (documentation changed) │ └ types │ ├[~] type ConnectionDetails │ │ ├ - documentation: Socket address of an uplink or downlink agent endpoint with an optional mtu. │ │ │ + documentation: Egress address of AgentEndpoint with an optional mtu. │ │ └ properties │ │ └ SocketAddress: (documentation changed) │ ├[~] type CreateEndpointDetails │ │ ├ - documentation: undefined │ │ │ + documentation: Endpoint definition used for creating a dataflow endpoint │ │ └ properties │ │ ├ DownlinkAwsGroundStationAgentEndpoint: (documentation changed) │ │ └ UplinkAwsGroundStationAgentEndpoint: (documentation changed) │ ├[~] type DownlinkAwsGroundStationAgentEndpoint │ │ ├ - documentation: Information about DownlinkAwsGroundStationAgentEndpoint used for create │ │ │ + documentation: Definition for a downlink agent endpoint │ │ └ properties │ │ ├ DataflowDetails: (documentation changed) │ │ └ Name: (documentation changed) │ ├[~] type DownlinkAwsGroundStationAgentEndpointDetails │ │ ├ - documentation: Information about DownlinkAwsGroundStationAgentEndpoint │ │ │ + documentation: Details for a downlink agent endpoint │ │ └ properties │ │ ├ AgentStatus: (documentation changed) │ │ ├ AuditResults: (documentation changed) │ │ ├ DataflowDetails: (documentation changed) │ │ └ Name: (documentation changed) │ ├[~] type DownlinkConnectionDetails │ │ ├ - documentation: Connection details for downlink, from ground station to agent, and customer to agent │ │ │ + documentation: Connection details for Ground Station to Agent and Agent to customer │ │ └ properties │ │ ├ AgentIpAndPortAddress: (documentation changed) │ │ └ EgressAddressAndPort: (documentation changed) │ ├[~] type DownlinkDataflowDetails │ │ ├ - documentation: Dataflow details for downlink │ │ │ + documentation: Dataflow details for a downlink endpoint │ │ └ properties │ │ └ AgentConnectionDetails: (documentation changed) │ ├[~] type EndpointDetails │ │ ├ - documentation: undefined │ │ │ + documentation: Information about the endpoint details. │ │ └ properties │ │ ├ DownlinkAwsGroundStationAgentEndpoint: (documentation changed) │ │ └ UplinkAwsGroundStationAgentEndpoint: (documentation changed) │ ├[~] type RangedConnectionDetails │ │ ├ - documentation: Socket address of an uplink or downlink agent endpoint with a port range and an optional mtu. │ │ │ + documentation: Ingress address of AgentEndpoint with a port range and an optional mtu. │ │ └ properties │ │ └ SocketAddress: (documentation changed) │ ├[~] type RangedSocketAddress │ │ └ properties │ │ └ PortRange: (documentation changed) │ ├[~] type SocketAddress │ │ ├ - documentation: undefined │ │ │ + documentation: Information about the socket address. │ │ └ properties │ │ └ Name: (documentation changed) │ ├[~] type UplinkAwsGroundStationAgentEndpoint │ │ ├ - documentation: Information about UplinkAwsGroundStationAgentEndpoint used for create │ │ │ + documentation: Definition for an uplink agent endpoint │ │ └ properties │ │ ├ DataflowDetails: (documentation changed) │ │ └ Name: (documentation changed) │ ├[~] type UplinkAwsGroundStationAgentEndpointDetails │ │ ├ - documentation: Information about UplinkAwsGroundStationAgentEndpoint │ │ │ + documentation: Details for an uplink agent endpoint │ │ └ properties │ │ ├ AgentStatus: (documentation changed) │ │ ├ AuditResults: (documentation changed) │ │ ├ DataflowDetails: (documentation changed) │ │ └ Name: (documentation changed) │ ├[~] type UplinkConnectionDetails │ │ ├ - documentation: Connection details for uplink, from ground station to agent, and customer to agent │ │ │ + documentation: Connection details for customer to Agent and Agent to Ground Station │ │ └ properties │ │ ├ AgentIpAndPortAddress: (documentation changed) │ │ └ IngressAddressAndPort: (documentation changed) │ └[~] type UplinkDataflowDetails │ ├ - documentation: Dataflow details for uplink │ │ + documentation: Dataflow details for an uplink endpoint │ └ properties │ └ AgentConnectionDetails: (documentation changed) ├[~] service aws-iot │ └ resources │ ├[~] resource AWS::IoT::Policy │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["PolicyName"] │ └[~] resource AWS::IoT::TopicRule │ └ types │ ├[+] type BatchConfig │ │ ├ name: BatchConfig │ │ └ properties │ │ ├ MaxBatchOpenMs: integer │ │ ├ MaxBatchSize: integer │ │ └ MaxBatchSizeBytes: integer │ └[~] type HttpAction │ └ properties │ ├[+] BatchConfig: BatchConfig │ └[+] EnableBatching: boolean ├[~] service aws-kafkaconnect │ └ resources │ └[~] resource AWS::KafkaConnect::Connector │ └ properties │ └ NetworkType: (documentation changed) ├[~] service aws-lex │ └ resources │ └[~] resource AWS::Lex::Bot │ └ types │ ├[~] type IntentDisambiguationSettings │ │ ├ - documentation: undefined │ │ │ + documentation: Configures the Intent Disambiguation feature that helps resolve ambiguous user inputs when multiple intents could match. When enabled, the system presents clarifying questions to users, helping them specify their exact intent for improved conversation accuracy. │ │ └ properties │ │ ├ CustomDisambiguationMessage: (documentation changed) │ │ ├ Enabled: (documentation changed) │ │ └ MaxDisambiguationIntents: (documentation changed) │ ├[~] type NluImprovementSpecification │ │ └ properties │ │ ├ AssistedNluMode: (documentation changed) │ │ └ IntentDisambiguationSettings: (documentation changed) │ ├[~] type SpeechFoundationModel │ │ ├ - documentation: undefined │ │ │ + documentation: Configuration for a foundation model used for speech synthesis and recognition capabilities. │ │ └ properties │ │ └ VoiceId: (documentation changed) │ └[~] type UnifiedSpeechSettings │ ├ - documentation: undefined │ │ + documentation: Unified configuration settings that combine speech recognition and synthesis capabilities. │ └ properties │ └ SpeechFoundationModel: (documentation changed) ├[~] service aws-logs │ └ resources │ ├[~] resource AWS::Logs::LogGroup │ │ └ properties │ │ └[+] DeletionProtectionEnabled: boolean (default=false) │ ├[~] resource AWS::Logs::LogStream │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["LogStreamName"] │ └[~] resource AWS::Logs::SubscriptionFilter │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["FilterName"] ├[~] service aws-mediaconvert │ └ resources │ ├[~] resource AWS::MediaConvert::JobTemplate │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Name"] │ ├[~] resource AWS::MediaConvert::Preset │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["Name"] │ └[~] resource AWS::MediaConvert::Queue │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Name"] ├[~] service aws-mediatailor │ └ resources │ └[~] resource AWS::MediaTailor::PlaybackConfiguration │ ├ properties │ │ └[+] AdDecisionServerConfiguration: AdDecisionServerConfiguration │ └ types │ ├[+] type AdDecisionServerConfiguration │ │ ├ documentation: The configuration for the request to the specified Ad Decision Server URL. │ │ │ name: AdDecisionServerConfiguration │ │ └ properties │ │ └ HttpRequest: HttpRequest (required) │ └[+] type HttpRequest │ ├ documentation: The configuration for the request to the Ad Decision Server URL. │ │ name: HttpRequest │ └ properties │ ├ HttpMethod: string │ ├ Body: string │ ├ Headers: Map<string, string> │ └ CompressRequest: string ├[~] service aws-observabilityadmin │ └ resources │ ├[~] resource AWS::ObservabilityAdmin::S3TableIntegration │ │ ├ properties │ │ │ ├ LogSources: (documentation changed) │ │ │ ├ RoleArn: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ ├ attributes │ │ │ └ Arn: (documentation changed) │ │ └ types │ │ ├[~] type EncryptionConfig │ │ │ ├ - documentation: Encryption configuration for the S3 Table Integration │ │ │ │ + documentation: Defines the encryption configuration for S3 Table integrations, including the encryption algorithm and KMS key settings. │ │ │ └ properties │ │ │ ├ KmsKeyArn: (documentation changed) │ │ │ └ SseAlgorithm: (documentation changed) │ │ └[~] type LogSource │ │ ├ - documentation: CloudWatch Logs data source to associate with the S3 Table Integration │ │ │ + documentation: A data source with an S3 Table integration for query access in the `logs` namespace. │ │ └ properties │ │ ├ Identifier: (documentation changed) │ │ ├ Name: (documentation changed) │ │ └ Type: (documentation changed) │ └[~] resource AWS::ObservabilityAdmin::TelemetryPipelines │ ├ - documentation: Resource Type definition for AWS::ObservabilityAdmin::TelemetryPipelines │ │ + documentation: Creates a telemetry pipeline for processing and transforming telemetry data. The pipeline defines how data flows from sources through processors to destinations, enabling data transformation and delivering capabilities. │ │ **Using CloudWatch as a pipeline source** The following is an example of a `Body` property value for the `Configuration` object. { "Type": "AWS::ObservabilityAdmin::TelemetryPipelines", "Properties": { "Configuration": { "Body": "pipeline:\n source:\n cloudwatch_logs:\n log_event_metadata:\n data_source_name: \"my_data_source\"\n data_source_type: \"default\"\n aws:\n sts_role_arn: \"arn:aws:iam::123456789012:role/MyPipelineAccessRole\"\n processor:\n - parse_json: {}\n sink:\n - cloudwatch_logs:\n log_group: \"@original\"" } } │ │ } Type: AWS::ObservabilityAdmin::TelemetryPipelines │ │ Properties: Configuration: Body: | pipeline: source: cloudwatch_logs: log_event_metadata: data_source_name: "my_data_source" data_source_type: "default" aws: sts_role_arn: "arn:aws:iam::123456789012:role/MyPipelineAccessRole" processor: - parse_json: {} sink: - cloudwatch_logs: log_group: "@original" **Using Amazon S3 as a pipeline source** The following is an example of a `Body` property value for the `Configuration` object. { "Type": "AWS::ObservabilityAdmin::TelemetryPipelines", "Properties": { "Configuration": { "Body": "pipeline:\n source:\n s3:\n sqs:\n visibility_timeout: \"PT60S\"\n visibility_duplication_protection: true\n maximum_messages: 10\n queue_url: \"https://sqs.us-east-1.amazonaws.com/123456789012/my-sqs-queue\"\n notification_type: \"sqs\"\n codec:\n ndjson: {}\n aws:\n region: \"us-east-1\"\n sts_role_arn: \"arn:aws:iam::123456789012:role/MyAccessRole\"\n data_source_name: \"crowdstrike_falcon\"\n processor:\n - ocsf:\n version: \"1.5\"\n mapping_version: \"1.5.0\"\n schema:\n crowdstrike_falcon:\n sink:\n - cloudwatch_logs:\n log_group: \"my-log-group\"" } } │ │ } Type: AWS::ObservabilityAdmin::TelemetryPipelines │ │ Properties: Configuration: Body: | pipeline: source: s3: sqs: visibility_timeout: "PT60S" visibility_duplication_protection: true maximum_messages: 10 queue_url: "https://sqs.us-east-1.amazonaws.com/123456789012/my-sqs-queue" notification_type: "sqs" codec: ndjson: {} aws: region: "us-east-1" sts_role_arn: "arn:aws:iam::123456789012:role/MyAccessRole" data_source_name: "crowdstrike_falcon" processor: - ocsf: version: "1.5" mapping_version: "1.5.0" schema: crowdstrike_falcon: sink: - cloudwatch_logs: log_group: "my-log-group" │ ├ properties │ │ ├ Configuration: (documentation changed) │ │ ├ Name: (documentation changed) │ │ └ Tags: (documentation changed) │ ├ attributes │ │ ├ Arn: (documentation changed) │ │ ├ PipelineIdentifier: (documentation changed) │ │ └ Status: (documentation changed) │ └ types │ └[~] type TelemetryPipeline │ └ properties │ └ Configuration: (documentation changed) ├[~] service aws-odb │ └ resources │ └[~] resource AWS::ODB::OdbPeeringConnection │ ├ properties │ │ └ DisplayName: - string (immutable) │ │ + string │ └ attributes │ └ PeerNetworkCidrs: (documentation changed) ├[~] service aws-pinpoint │ └ resources │ ├[~] resource AWS::Pinpoint::EmailTemplate │ │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE │ │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL │ └[~] resource AWS::Pinpoint::SmsTemplate │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS ├[~] service aws-quicksight │ └ resources │ └[~] resource AWS::QuickSight::Dashboard │ └ types │ ├[~] type FreeFormLayoutElement │ │ └ properties │ │ ├[+] BorderRadius: string │ │ └[+] Padding: string │ ├[~] type FreeFormLayoutElementBorderStyle │ │ └ properties │ │ └[+] Width: string │ ├[~] type GridLayoutElement │ │ └ properties │ │ ├[+] BackgroundStyle: GridLayoutElementBackgroundStyle │ │ ├[+] BorderRadius: string │ │ ├[+] BorderStyle: GridLayoutElementBorderStyle │ │ ├[+] LoadingAnimation: LoadingAnimation │ │ ├[+] Padding: string │ │ └[+] SelectedBorderStyle: GridLayoutElementBorderStyle │ ├[+] type GridLayoutElementBackgroundStyle │ │ ├ documentation: The background style configuration of a grid layout element. │ │ │ name: GridLayoutElementBackgroundStyle │ │ └ properties │ │ ├ Color: string │ │ └ Visibility: string │ └[+] type GridLayoutElementBorderStyle │ ├ documentation: The border style configuration of a grid layout element. │ │ name: GridLayoutElementBorderStyle │ └ properties │ ├ Color: string │ ├ Visibility: string │ └ Width: string ├[~] service aws-ram │ └ resources │ └[~] resource AWS::RAM::Permission │ └ - arnTemplate: arn:${Partition}:ram::${Account}:permission/${ResourcePath} │ + arnTemplate: arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath} ├[~] service aws-route53 │ └ resources │ └[~] resource AWS::Route53::RecordSet │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["Name"] ├[~] service aws-sagemaker │ └ resources │ └[~] resource AWS::SageMaker::Device │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["DeviceFleetName"] ├[~] service aws-secretsmanager │ └ resources │ ├[~] resource AWS::SecretsManager::ResourcePolicy │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["SecretId"] │ └[~] resource AWS::SecretsManager::SecretTargetAttachment │ └ - cfnRefIdentifier: undefined │ + cfnRefIdentifier: ["SecretId"] ├[~] service aws-securityhub │ └ resources │ └[~] resource AWS::SecurityHub::ConnectorV2 │ ├ attributes │ │ ├[-] Provider.JiraCloud.AuthStatus: string │ │ ├[-] Provider.JiraCloud.AuthUrl: string │ │ ├[-] Provider.JiraCloud.CloudId: string │ │ ├[-] Provider.JiraCloud.Domain: string │ │ └[-] Provider.ServiceNow.AuthStatus: string │ └ types │ ├[-] type JiraCloud │ │ ├ documentation: Information about the configuration and status of a Jira Cloud integration. │ │ │ name: JiraCloud │ │ └ properties │ │ ├ ProjectKey: string (required) │ │ ├ CloudId: string │ │ ├ Domain: string │ │ ├ AuthUrl: string │ │ └ AuthStatus: string │ ├[+] type JiraCloudProviderConfiguration │ │ ├ documentation: The initial configuration settings required to establish an integration between Security Hub CSPM and Jira Cloud. │ │ │ name: JiraCloudProviderConfiguration │ │ └ properties │ │ └ ProjectKey: string (required) │ ├[~] type Provider │ │ └ properties │ │ ├ JiraCloud: - JiraCloud │ │ │ + JiraCloudProviderConfiguration │ │ └ ServiceNow: - ServiceNow │ │ + ServiceNowProviderConfiguration │ ├[-] type ServiceNow │ │ ├ documentation: Information about a ServiceNow ITSM integration. │ │ │ name: ServiceNow │ │ └ properties │ │ ├ InstanceName: string (required, immutable) │ │ ├ SecretArn: string (required) │ │ └ AuthStatus: string │ └[+] type ServiceNowProviderConfiguration │ ├ documentation: The initial configuration settings required to establish an integration between Security Hub CSPM and ServiceNow ITSM. │ │ name: ServiceNowProviderConfiguration │ └ properties │ ├ InstanceName: string (required, immutable) │ └ SecretArn: string (required) ├[~] service aws-ses │ └ resources │ ├[~] resource AWS::SES::MultiRegionEndpoint │ │ └ types │ │ ├[~] type Details │ │ │ └ properties │ │ │ └ RouteDetails: (documentation changed) │ │ └[~] type RouteDetailsItems │ │ ├ - documentation: undefined │ │ │ + documentation: An object that contains route configuration. Includes secondary region name. │ │ └ properties │ │ └ Region: (documentation changed) │ ├[~] resource AWS::SES::ReceiptRuleSet │ │ └ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["RuleSetName"] │ └[~] resource AWS::SES::Tenant │ ├ - documentation: Resource Type definition for AWS::SES::Tenant │ │ + documentation: Create a tenant. │ │ *Tenants* are logical containers that group related SES resources together. Each tenant can have its own set of resources like email identities, configuration sets, and templates, along with reputation metrics and sending status. This helps isolate and manage email sending for different customers or business units within your Amazon SES API v2 account. │ ├ properties │ │ ├ Tags: (documentation changed) │ │ └ TenantName: (documentation changed) │ ├ attributes │ │ └ Arn: (documentation changed) │ └ types │ └[~] type ResourceAssociation │ ├ - documentation: The resource to associate with the tenant │ │ + documentation: The resource to associate with the tenant. │ └ properties │ └ ResourceArn: (documentation changed) ├[~] service aws-ssm │ └ resources │ ├[~] resource AWS::SSM::MaintenanceWindowTarget │ │ ├ - cfnRefIdentifier: undefined │ │ │ + cfnRefIdentifier: ["WindowTargetId"] │ │ └ attributes │ │ └[-] Id: string │ └[~] resource AWS::SSM::MaintenanceWindowTask │ ├ - cfnRefIdentifier: undefined │ │ + cfnRefIdentifier: ["WindowTaskId"] │ └ attributes │ └ WindowTaskId: (documentation changed) ├[~] service aws-wisdom │ └ resources │ └[~] resource AWS::Wisdom::AssistantAssociation │ └ types │ ├[~] type AssociationData │ │ └ properties │ │ ├[+] ExternalBedrockKnowledgeBaseConfig: ExternalBedrockKnowledgeBaseConfig │ │ └ KnowledgeBaseId: - string (required, immutable) │ │ + string (immutable) │ └[+] type ExternalBedrockKnowledgeBaseConfig │ ├ name: ExternalBedrockKnowledgeBaseConfig │ └ properties │ ├ BedrockKnowledgeBaseArn: string (required) │ └ AccessRoleArn: string (required) └[~] service aws-workspacesweb └ resources └[~] resource AWS::WorkSpacesWeb::UserSettings └ properties └[+] WebAuthnAllowed: string ``` **CHANGES TO L1 RESOURCES:** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed: aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthStatus attribute removed. aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthUrl attribute removed. aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.CloudId attribute removed. aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.Domain attribute removed. aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.ServiceNow.AuthStatus attribute removed. aws-securityhub: AWS::SecurityHub::ConnectorV2: JiraCloud type removed, replaced by JiraCloudProviderConfiguration. aws-securityhub: AWS::SecurityHub::ConnectorV2: ServiceNow type removed, replaced by ServiceNowProviderConfiguration. aws-ssm: AWS::SSM::MaintenanceWindowTarget: Id attribute removed.

…6553) ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change The `s3-encryption-enabled.guard` rule in security-guardian was generating false positives and provides no security value because: **AWS enforces S3 encryption automatically** - Since January 5, 2023, AWS applies SSE-S3 encryption to all S3 buckets by default at the service level ([AWS S3 Default Encryption FAQ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html), [Setting default server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)) ### Description of changes **Removed:** - `tools/@aws-cdk/security-guardian/rules/s3/s3-encryption-enabled.guard` - The guard rule file - `tools/@aws-cdk/security-guardian/test/templates/malformed-s3-encryption-example.template.json` - Malformed test template (not security-guardian's job to test syntax) - All S3 encryption tests from `tools/@aws-cdk/security-guardian/test/guard-rules.test.ts` ### Describe any new or updated permissions being added No new or updated IAM permissions. ### Description of how you validated changes Security guardian unit tests ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…efault endpoint port (#35738) ### Issue # (if applicable) N/A ### Reason for this change A security group ingress for the new `ServerlessCache` construct does not use an endpoint port. The following CDK code generates an INVALID CFn template with `null` for `FromPort` and `ToPort`: ```ts const cache = new ServerlessCache(this, 'ServerlessCache', { vpc, }); const sg = new SecurityGroup(this, 'SecurityGroup', { vpc, }); sg.connections.allowToDefaultPort(cache); ``` ```json "SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { // ... // ... "FromPort": null, // ... // ... "ToPort": null }, ``` An expected template: ```json "SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { // ... // ... "FromPort": { "Fn::GetAtt": [ "Cache18F6EE16", "Endpoint.Port" ] }, // ... // ... "ToPort": { "Fn::GetAtt": [ "Cache18F6EE16", "Endpoint.Port" ] } } }, ``` FYI: The method `cache.connections.defaultPort?.toRuleJson()` outputs `{"Value":{"ipProtocol":"tcp","fromPort":null,"toPort":null}}`. But we expect `{"Value":{"ipProtocol":"tcp","fromPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]},"toPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]}}}`. ### Description of changes Use `Token.asNumber` for the `defaultPort` of `Connections` in `ServerlessCache`: ```diff this.connections = new ec2.Connections({ securityGroups: this.securityGroups, - defaultPort: ec2.Port.tcp(Lazy.number({ produce: () => parseInt(this.serverlessCacheEndpointPort) })), + defaultPort: ec2.Port.tcp(Token.asNumber(this.serverlessCacheEndpointPort)), }); ``` ### Describe any new or updated permissions being added ### Description of how you validated changes Both an unit test and an integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…StackName (#36550) ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change Trying to run this integration test `packages/@aws-cdk-testing/framework-integ/test/aws-route53-targets/test/integ.elastic-beanstalk-hostedzoneid.ts` results in deployment failure with error ``` Resource handler returned message: "No Solution Stack named '64bit Amazon Linux 2023 v6.5.0 running Node.js 22' found. (Service: ElasticBeanstalk, Status Code: 400, Request ID: 4ffea708-b6af-4ece-95bc-b6b7aca49e26) (SDK Attempt Count: 1)" (RequestToken: 4e49f1e7-1459-c6e9-d290-598328fab9c7, HandlerErrorCode: InvalidRequest) ``` ### Description of changes I updated all the `solutionStackName` that i was able to find with the latest ones, and collected them in a single util file for easier maintenance in the future and add a code comment where i got those strings from. ### Describe any new or updated permissions being added ### Description of how you validated changes deployed the integration test again ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change MSK with Kafka v3.9 now supports express brokers. Ref: [Amazon MSK introduces KRaft support for Express Brokers with Apache Kafka v3.9](https://aws.amazon.com/about-aws/whats-new/2025/12/aws-msk-express-brokers-support-kraft/) ### Description of changes Modify a validation and a unit test. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Run unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes #36501 ### Reason for this change Synthetics runtime syn-nodejs-puppeteer-12.0 and 13.0 are available. ### Description of changes I add the following runtimes: - syn-nodejs-puppeteer-12.0 - syn-nodejs-puppeteer-13.0 ### Describe any new or updated permissions being added None ### Description of how you validated changes None ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI) BREAKING CHANGE: unfortunately `JobQueue` exposes `public readonly computeEnvironments: OrderedComputeEnvironment[]`. The `computeEnvironment` member of that structure now fewer guarantees, and needs casting. This should not have been exposed, and we assume the use of the exposed property here is rare.

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

… resources (#36599) All `CfnXxxx` classes have a helper to return the ARN for a given resource, given an `IXxxRef`. For example: ```ts declare const bucket: IBucketRef; console.log(CfnBucket.arnForBucket(bucket)); ``` This will use the already-existing ARN if available (as a CloudFormation attribute), but may also construct a fresh ARN from the ARN components if they are not available. In the second case, this would always use the Stack's account and region, which might be incorrect in case of a resource referenced by ARN. The following can happen: ```ts const stack = new Stack(..., { account: '11111' }); const resource = Resource.fromResourceArn(stack, ..., '...:222222:...'); console.log(CfnResource.arnForResource(resource)); // Should return 22222 not 11111 ``` This PR fixes that. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…36598) ### Reason for this change Tests that timeout will leave an expired token which can't be used to release Atmosphere resources. See the following for an example: https://github.com/aws/aws-cdk/actions/runs/20137124927/job/57793467916#step:12:475 ### Description of changes This commit solves this by throwing a warning instead of an error if the Atmosphere release request fails. ### Describe any new or updated permissions being added No new permissions are added. ### Description of how you validated changes Added unit test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

…36609) Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-custom-build directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-dockercopy directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-pipenv directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-poetry directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-project/lambda directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the pip group with 1 update in the /packages/@aws-cdk/aws-lambda-python-alpha/test/lambda-handler-project/shared directory: [urllib3](https://github.com/urllib3/urllib3). Updates `urllib3` from 2.6.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3">compare view</a></li> </ul> </details> <br /> Updates `urllib3` from 2.6.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3">compare view</a></li> </ul> </details> <br /> Updates `urllib3` from 2.6.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3">compare view</a></li> </ul> </details> <br /> Updates `urllib3` from 2.6.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3">compare view</a></li> </ul> </details> <br /> Updates `urllib3` from 2.6.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3">compare view</a></li> </ul> </details> <br /> Updates `urllib3` from 2.6.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3">compare view</a></li> </ul> </details> <br /> Updates `urllib3` from 2.6.0 to 2.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.3</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by <a href="https://github.com/D47A"><code>@D47A</code></a>, 8.9 High, GHSA-38jv-5279-wg99)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<a href="https://github.com/urllib3/urllib3/issues/3743">urllib3/urllib3#3743</a>)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<a href="https://github.com/urllib3/urllib3/issues/3752">urllib3/urllib3#3752</a>)</li> </ul> <h2>2.6.2</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<a href="https://github.com/urllib3/urllib3/issues/3734">urllib3/urllib3#3734</a>)</li> </ul> <h2>2.6.1</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Changes</h2> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<a href="https://github.com/urllib3/urllib3/issues/3731">#3731</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.3 (2026-01-07)</h1> <ul> <li>Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (<code>GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99></code>__)</li> <li>Started treating <code>Retry-After</code> times greater than 6 hours as 6 hours by default. (<code>[#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743></code>__)</li> <li>Fixed <code>urllib3.connection.VerifiedHTTPSConnection</code> on Emscripten. (<code>[#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752></code>__)</li> </ul> <h1>2.6.2 (2025-12-11)</h1> <ul> <li>Fixed <code>HTTPResponse.read_chunked()</code> to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (<code>[#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734></code>__)</li> </ul> <h1>2.6.1 (2025-12-08)</h1> <ul> <li>Restore previously removed <code>HTTPResponse.getheaders()</code> and <code>HTTPResponse.getheader()</code> methods. (<code>[#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731></code>__)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc"><code>0248277</code></a> Release 2.6.3</li> <li><a href="https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"><code>8864ac4</code></a> Merge commit from fork</li> <li><a href="https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c"><code>70cecb2</code></a> Fix Scorecard issues related to vulnerable dev dependencies (<a href="https://github.com/urllib3/urllib3/issues/3755">#3755</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359"><code>41f249a</code></a> Move "v2.0 Migration Guide" to the end of the table of contents (<a href="https://github.com/urllib3/urllib3/issues/3747">#3747</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c"><code>fd4dffd</code></a> Patch <code>VerifiedHTTPSConnection</code> for Emscripten (<a href="https://github.com/urllib3/urllib3/issues/3752">#3752</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab"><code>13f0bfd</code></a> Handle massive values in Retry-After when calculating time to sleep for (<a href="https://github.com/urllib3/urllib3/issues/3743">#3743</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b"><code>8c480bf</code></a> Bump actions/upload-artifact from 5.0.0 to 6.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3748">#3748</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1"><code>4b40616</code></a> Bump actions/cache from 4.3.0 to 5.0.1 (<a href="https://github.com/urllib3/urllib3/issues/3750">#3750</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b"><code>82b8479</code></a> Bump actions/download-artifact from 6.0.0 to 7.0.0 (<a href="https://github.com/urllib3/urllib3/issues/3749">#3749</a>)</li> <li><a href="https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2"><code>34284cb</code></a> Mention experimental features in the security policy (<a href="https://github.com/urllib3/urllib3/issues/3746">#3746</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

alvazjor · 2026-01-08T11:15:05Z

@Mergifyio refresh

mergify · 2026-01-08T11:15:36Z

refresh

✅ Pull request refreshed

github-actions · 2026-01-08T11:50:48Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

kumvprat and others added 30 commits December 18, 2025 14:55

Merge branch 'main' into merge-back/2.233.0

bb1d16a

chore(merge-back): 2.233.0 (#36448)

ea89774

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.233.0/CHANGELOG.md)

chore(dynamodb): reference interfaces (#36437)

13bceb9

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

rix0rrr and others added 15 commits January 6, 2026 23:15

chore(codebuild): reference interfaces (#36524)

cf6ca47

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(cloudwatch): reference interfaces (#36523)

cb12ce3

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(kinesis): reference interfaces (#36489)

a0d7fc3

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(elasticloadbalancing): reference interfaces (#36533)

9180ca6

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(inspector): reference interfaces (#36488)

f85be6f

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(secretsmanager): reference interfaces (#36576)

f7802a7

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(appsync): reference interfaces (#36521)

d43951a

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(codepipeline): reference interfaces (#36526)

46188f8

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore(route53): reference interfaces (#36574)

ffaccc0

Reference interfaces for L2s, like #35271. "chore" because I plan to make a lot of these PRs and they're not adding value to the changelog. (Generated with AI)

chore: npm-check-updates && yarn upgrade (#36579)

f5892c6

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

chore(release): 2.234.0

4ab9137

aws-cdk-automation requested a review from a team as a code owner January 8, 2026 10:47

aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Jan 8, 2026

aws-cdk-automation requested a review from a team January 8, 2026 10:47

github-actions bot added the p2 label Jan 8, 2026

github-actions bot approved these changes Jan 8, 2026

View reviewed changes

mergify bot added the contribution/core This is a PR that came from AWS. label Jan 8, 2026

chore: update analytics metadata blueprints

bef2b84

alvazjor closed this Jan 8, 2026

github-actions bot locked as resolved and limited conversation to collaborators Jan 8, 2026

alvazjor deleted the bump/2.234.0 branch January 8, 2026 12:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(release): 2.234.0 #36612

chore(release): 2.234.0 #36612

Uh oh!

aws-cdk-automation commented Jan 8, 2026 •

edited

Loading

Uh oh!

alvazjor commented Jan 8, 2026

Uh oh!

mergify bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

chore(release): 2.234.0 #36612

chore(release): 2.234.0 #36612

Uh oh!

Conversation

aws-cdk-automation commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

alvazjor commented Jan 8, 2026

Uh oh!

mergify bot commented Jan 8, 2026

✅ Pull request refreshed

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

aws-cdk-automation commented Jan 8, 2026 •

edited

Loading