Bump the cdk group across 1 directory with 2 updates

[dependabot]

Bumps the cdk group with 2 updates in the / directory: @guardian/cdk and aws-cdk.

Updates @guardian/cdk from 62.6.1 to 63.3.0

Release notes

Sourced from @​guardian/cdk's releases.

v63.3.0

Minor Changes

• a7726ad: Add a comment to generated riff-raff.yaml files for additional clarity.

v63.2.1

Patch Changes

• d2f2a3a: Update @aws-sdk/* dependencies.

v63.2.0

Minor Changes

• ac2348e: Fix warnings around childProcess.spawn and shell: true.

Patch Changes

• bc0f9b8: Bump the Cognito auth lambda runtime from PROVIDED_AL2 (deprecated) to PROVIDED_AL2023 in the GuEc2App pattern. No client changes needed.

v63.1.0

Minor Changes

• 3b98fea: Minor improvements to the GuDeveloperPolicy class to make it more intuitive for users.
  • path includes source repo name to help map the policy back from AWS to its source codebase.
  • path includes stack and stage as we have nowhere else to find it and this can help with identification.
  • friendlyName is now a required attribute that maps to the managed policy's description.
  • The policy must have at least one statement.
  • permission attribute is now called grantId to match with the corresponding Janus structure.

v63.0.1

Patch Changes

• 1ff04c8: Introduce a withoutPolicyChecks flag to GuDeveloperPolicy properties so that the check can be turned off.

  Provide instructions for use of that flag in the "overbroad" action/resource error text.

  This enables teams to use fully wildcarded actions and resources when needed, but also provides information in cloudformation metadata to allow us to track the usage of that switch in order to study how often this is needed.

v63.0.0

Major Changes

• c6e30e1: Support generating multiple riff-raff.yaml files. To do this, set the riffRaffProjectName property of a GuStack. This is helpful in a few scenarios, for example if you have a singleton (INFRA) stack, and CODE/PROD application stacks.

  In the following, two files will be produced:

  • /path/to/cdk.out/deploy::core-infra/riff-raff.yaml

... (truncated)

Changelog

Sourced from @​guardian/cdk's changelog.

63.3.0

Minor Changes

• a7726ad: Add a comment to generated riff-raff.yaml files for additional clarity.

63.2.1

Patch Changes

• d2f2a3a: Update @aws-sdk/* dependencies.

63.2.0

Minor Changes

• ac2348e: Fix warnings around childProcess.spawn and shell: true.

Patch Changes

• bc0f9b8: Bump the Cognito auth lambda runtime from PROVIDED_AL2 (deprecated) to PROVIDED_AL2023 in the GuEc2App pattern. No client changes needed.

63.1.0

Minor Changes

• 3b98fea: Minor improvements to the GuDeveloperPolicy class to make it more intuitive for users.
  • path includes source repo name to help map the policy back from AWS to its source codebase.
  • path includes stack and stage as we have nowhere else to find it and this can help with identification.
  • friendlyName is now a required attribute that maps to the managed policy's description.
  • The policy must have at least one statement.
  • permission attribute is now called grantId to match with the corresponding Janus structure.

63.0.1

Patch Changes

• 1ff04c8: Introduce a withoutPolicyChecks flag to GuDeveloperPolicy properties so that the check can be turned off.

  Provide instructions for use of that flag in the "overbroad" action/resource error text.

  This enables teams to use fully wildcarded actions and resources when needed, but also provides information in cloudformation metadata to allow us to track the usage of that switch in order to study how often this is needed.

63.0.0

Major Changes

... (truncated)

Commits

• bcf8aa4 Merge pull request #2899 from guardian/changeset-release/main
• 3d3d4f4 Bump package version
• d1c98fd Merge pull request #2897 from guardian/aa/riff-raff-yaml-comment
• a7726ad feat(riff-raff-generator): Add a comment to generated riff-raff.yaml files ...
• a1d5a78 Merge pull request #2898 from guardian/dependabot/npm_and_yarn/multi-8c3730b1f1
• c1da175 chore(deps): bump fast-xml-parser and @​aws-sdk/xml-builder
• c4373f2 Merge pull request #2853 from guardian/add-devenv-support-and-tool-versions
• 952c36a Add introductory documentation for devenv and devcontainers
• cfc3361 Switch out to tool-versions as requested
• 8c04bcf Add devenv support
• Additional commits viewable in compare view

Updates aws-cdk from 2.1115.1 to 2.1121.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1121.0

2.1121.0 (2026-05-06)

Features

• deps: upgrade aws-cdk-lib (#1465) (9f872c9)

Bug Fixes

• update version includes a spurious newline (#1477) (1f09294)

aws-cdk@v2.1120.0

2.1120.0 (2026-04-29)

Features

• cdk diagnose displays the root cause of a past stack deployment failure (#1378) (acefbf8)
• cli: cdk orphan command detaches resources from a stack, allowing resource type upgrades (behind --unstable) (#1399) (1d0866e)
• cli: add cdk deploy --method=execute-change-set for two-step deployment workflows (#1271) (5770c26)
• deps: upgrade aws-cdk-lib (#1412) (2154bb1)
• deps: upgrade aws-cdk-lib (#1418) (9b14504)

Bug Fixes

• bin field in generated package.json files serves no purpose (#1414) (9ac077d), closes #1202
• every new CloudFormation feature requires a rebootstrap (#1403) (05b05d3)

aws-cdk@v2.1119.0

2.1119.0 (2026-04-23)

Features

• cli: show diff and prompt for deploy on non-addition changes (#1372) (739f687)

Bug Fixes

• ChangeSet cannot be created due to a mismatch with existing attribute ClientToken (#1404) (2ee00f1)
• cli: suppress flags message on stdout during synth in CI mode (#1405) (4a1ac5d), closes /github.com/aws/aws-cdk-cli/blob/main/packages/aws-cdk/lib/cli/io-host/cli-io-host.ts#L411-L424 #913
• skip require-approval prompt when change set is empty (#1402) (9aac45f), closes #1401 #1387

aws-cdk@v2.1118.4

... (truncated)

Commits

• 7abdd4e chore(deps): bump ip-address from 10.1.0 to 10.2.0 (#1479)
• ab82d61 chore(deps): bump @​aws-sdk/client-ssm from 3.1036.0 to 3.1037.0 (#1470)
• 1f09294 fix: update version includes a spurious newline (#1477)
• 63db541 chore(deps): bump @​aws-sdk/client-ecr from 3.1036.0 to 3.1037.0 (#1473)
• 04c27f2 chore(deps): bump @​aws-sdk/client-appsync from 3.1036.0 to 3.1037.0 (#1471)
• 68540cc chore(deps): bump @​aws-sdk/client-cloudformation from 3.1036.0 to 3.1037.0 (#...
• 158daf3 chore(deps): bump @​aws-sdk/client-kms from 3.1036.0 to 3.1037.0 (#1469)
• 0f86332 chore(deps): upgrade dependencies (#1468)
• 09b7f15 chore: Remove package-lock.json from template.gitignore (#1466)
• 9f872c9 feat(deps): upgrade aws-cdk-lib (#1465)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Hello 👋! When you're ready to run Chromatic, please apply the run_chromatic label to this PR.

You will need to reapply the label each time you want to run Chromatic.

Click here to see the Chromatic project.

[github-actions]

Deploy build 26722 of dotcom:rendering-all to CODE

All deployment options

• Deploy build 26722 of dotcom:rendering-all to CODE
• Deploy parts of build 26722 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.