Bump the cdk group across 1 directory with 3 updates

[dependabot]

Bumps the cdk group with 3 updates in the / directory: @guardian/cdk, aws-cdk and aws-cdk-lib.

Updates @guardian/cdk from 62.3.5 to 62.5.0

Release notes

Sourced from @​guardian/cdk's releases.

v62.5.0

Minor Changes

• 6a41012: Remove dependency @oclif/core.

  We were using @oclif/core to create a spinner with the new project CLI. See https://github.com/oclif/core/tree/main/src/ux#action. We currently have some open vulnerabilities with minimatch, which @oclif/core adds transitively. This change removes @oclif/core in favour of console.log statements.

v62.4.0

Minor Changes

• 62c6674: Add a class for safe instantiation of managed policies with a specific structure of path which enables them to be discoverable.

  This enables teams to define sets of permissions which are re-usable and can be used to create credentials suitable to approach a given workload, consistent with the Principle of Least Privilege. This is preferred to existing workflows where a wide-ranging developer role is used.

  These can be reused in multiple locations, so, for example, an EC2 instance can be given a specific set of permissions which are also identically available for a support task. Changing one would then change the other, ensuring encapsulation of requirements in a single place.

Changelog

Sourced from @​guardian/cdk's changelog.

62.5.0

Minor Changes

• 6a41012: Remove dependency @oclif/core.

  We were using @oclif/core to create a spinner with the new project CLI. See https://github.com/oclif/core/tree/main/src/ux#action. We currently have some open vulnerabilities with minimatch, which @oclif/core adds transitively. This change removes @oclif/core in favour of console.log statements.

62.4.0

Minor Changes

• 62c6674: Add a class for safe instantiation of managed policies with a specific structure of path which enables them to be discoverable.

  This enables teams to define sets of permissions which are re-usable and can be used to create credentials suitable to approach a given workload, consistent with the Principle of Least Privilege. This is preferred to existing workflows where a wide-ranging developer role is used.

  These can be reused in multiple locations, so, for example, an EC2 instance can be given a specific set of permissions which are also identically available for a support task. Changing one would then change the other, ensuring encapsulation of requirements in a single place.

Commits

• 3ce5900 Merge pull request #2839 from guardian/changeset-release/main
• b1aec7d Bump package version
• 8d7747a Merge pull request #2838 from guardian/aa/rm-oclif-core
• 6a41012 chore(deps): Remove @oclif/core
• 6c2a0b6 Merge pull request #2836 from guardian/dependabot/npm_and_yarn/npm-dependenci...
• bd1f20f chore(deps): bump the npm-dependencies group with 5 updates
• bb0eb7b Merge pull request #2833 from guardian/changeset-release/main
• df25208 Bump package version
• 1af601b Merge pull request #2822 from guardian/raw-managed-policies
• 1254019 Mark as experimental
• Additional commits viewable in compare view

Updates aws-cdk from 2.1107.0 to 2.1108.0

Release notes

Sourced from aws-cdk's releases.

aws-cdk@v2.1108.0

2.1108.0 (2026-02-26)

Features

• deps: upgrade aws-cdk-lib (#1176) (755842d)

Commits

• 755842d feat(deps): upgrade aws-cdk-lib (#1176)
• 34d217f chore(deps): upgrade dependencies (#1174)
• See full diff in compare view

Updates aws-cdk-lib from 2.240.0 to 2.241.0

Release notes

Sourced from aws-cdk-lib's releases.

v2.241.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-codedeploy: AWS::CodeDeploy::DeploymentGroup: Id attribute removed.

Features

• update L1 CloudFormation resource definitions (#37103) (f1ee45c)
• autoscaling: add deletionProtection property to AutoScalingGroup (#36924) (467f2b4)
• core: introducing CDK Mixins (#37055) (cda96cb)
• eks: add support for Kubernetes version 1.35 (#37065) (909fca3), closes #36920 #36016 cdklabs/awscdk-asset-kubectl#2669 #37070 #36950 #36016
• s3: attribute-based access control (#36229) (9ec4db3)

Bug Fixes

• bump minimatch to ^10.2.3 to resolve ReDoS vulnerabilities (#37127) (c359329), closes #37100
• dynamodb: fix SID for grants on multi-account global tables (#37057) (98d5e82)
• rds: correct engine version deprecation tags and add missing versions (#37080) (127b359), closes #37079 #36937

---

Alpha modules (2.241.0-alpha.0)

Features

• mixins-preview: add recordFields and outputFormat to Vended Logs Mixin (#37042) (dd94c31)
• mixins-preview: cross account delivery destinations (#36827) (a759eb6)

Changelog

Sourced from aws-cdk-lib's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.241.0-alpha.0 (2026-03-02)

Features

• mixins-preview: add recordFields and outputFormat to Vended Logs Mixin (#37042) (dd94c31)
• mixins-preview: cross account delivery destinations (#36827) (a759eb6)

2.240.0-alpha.0 (2026-02-23)

2.239.0-alpha.0 (2026-02-19)

⚠ BREAKING CHANGES

redshift-alpha: update default node type from DC2_LARGE to RA3_LARGE

Features

• bedrock-agentcore-alpha: add fromCodeAsset method to create runtime artifact with local code assets (#36472) (c5a87e6), closes #36473
• bedrock-agentcore-alpha: added new target type (api gateway) in agentcore gateway target. (#36841) (0842754), closes #36817
• mixins-preview: add ECS ClusterSettingsMixin (#36796) (b8ab5be)
• mixins-preview: add s3 bucket mixin for publicAccessBlock (#36905) (feed4b2)
• mixins-preview: send Vended Logs to pre-created DeliveryDestination using toDestination() (#36896) (48f1fe6)

Bug Fixes

• redshift-alpha: update default node type from DC2_LARGE to RA3_LARGE (#36516) (ea19e5c), closes #36416

2.238.0-alpha.0 (2026-02-09)

Features

• eks-v2-alpha: add support for bootstrapSelfManagedAddons (#36740) (1ffe38d)
• eks-v2-alpha: add support for EKS hybrid nodes (#36749) (48ace56)

Bug Fixes

• eks-v2-alpha: ensure kubectl provider and handler functions use the same vpc configuration (#36735) (4e02f08), closes #34878 #34877
• ivs-alpha: add region constraints to integration tests (#36851) (d55fec4)
• mixins-preview: apply mixins in order (#36847) (726060c)
• mixins-preview: apply mixins in order in MixinApplicator (#36877) (09db1c9), closes #36847

2.237.1-alpha.0 (2026-02-03)

... (truncated)

Commits

• 416eec3 chore: update analytics metadata blueprints
• c359329 fix: bump minimatch to ^10.2.3 to resolve ReDoS vulnerabilities (#37127)
• f1ee45c feat: update L1 CloudFormation resource definitions (#37103)
• d756201 docs(s3): fix addEventNotification docstring examples for correct Rosetta tra...
• 71d8f24 fix(events): correct docs on schema discovery and CMK encryption (#37102)
• cda96cb feat(core): introducing CDK Mixins (#37055)
• e22b50a chore: bump @​aws-cdk/asset-node-proxy-agent-v6 to ^2.1.1 (#37098)
• 69a37dc chore(jsii): upgrade toolchain and enforce strict warnings (#37091)
• 467f2b4 feat(autoscaling): add deletionProtection property to AutoScalingGroup (#36924)
• 52ac55f chore(rds): fix all rds tests (#36921)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Hello 👋! When you're ready to run Chromatic, please apply the run_chromatic label to this PR.

You will need to reapply the label each time you want to run Chromatic.

Click here to see the Chromatic project.

[github-actions]

Deploy build 25295 of dotcom:rendering-all to CODE

All deployment options

• Deploy build 25295 of dotcom:rendering-all to CODE
• Deploy parts of build 25295 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.