⚠ BREAKING CHANGES

• lambda: Runtime.NODEJS_LATEST now resolves to nodejs24.x in every region. Customers who pin to a concrete runtime (Runtime.NODEJS_22_X, useLatestRuntimeVersion: false in aws-lambda-nodejs.NodejsFunction) are unaffected. Existing AWS::Lambda::Function resources synthesized with NODEJS_LATEST will see Runtime: nodejs22.x → Runtime: nodejs24.x on next deploy. Lambda accepts runtime updates in place.

  Customer-code compatibility — IMPORTANT: Node.js 24 removes support for callback-style asynchronous handlers ((event, context, callback) => {...}) per the launch blog. Customers whose Lambda code still uses callback-based handlers will see runtime errors after the bump. Customers should migrate to async (event, context) => {...} or pin to Runtime.NODEJS_22_X explicitly.

Features

• core: recommend the use of weak references if no choice has been made (#38070) (6e74e5e)
• ecs: add forceNewDeployment option for Fargate and EC2 services (#36797) (3d9c4df), closes #27762
• eks: use the recommended AL2023 instead of AL2 AMI type (under feature flag) (#37850) (6a2dcb7), closes #32211
• lambda: upgrade lambda and custom resource default runtime to nodejs24.x (#38031) (36c84c6)

Bug Fixes

• spec2cdk: sanitize hyphens in EventBridge event namespace names (#38088) (b8f41bf), closes 40aws-cdk/spec2cdk/lib/naming/conventions.ts#L195

Reverts

• "chore(bundling): check if docker image is cached before building" (#38116) (359f2fb), closes aws/aws-cdk#37951

Alpha modules (2.259.0-alpha.0)

Reverts

• "chore(bundling): check if docker image is cached before building" (#38116) (8ec236c), closes aws/aws-cdk#37951

Alpha modules (2.258.1-alpha.0)

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-pcaconnectorad: AWS::PCAConnectorAD::ServicePrincipalName: ConnectorArn property is now required.
• aws-pcaconnectorad: AWS::PCAConnectorAD::ServicePrincipalName: DirectoryRegistrationArn property is now required.
• aws-pcaconnectorad: AWS::PCAConnectorAD::TemplateGroupAccessControlEntry: GroupSecurityIdentifier property is now required.
• aws-pcaconnectorad: AWS::PCAConnectorAD::TemplateGroupAccessControlEntry: TemplateArn property is now required.

Features

• core: trace property assignments in CfnResource.addPropertyOverride (#38072) (a226372)
• update L1 CloudFormation resource definitions (#37993) (664a878)
• aws-cdk-lib: emits performance counters if synthesis is slow (#38004) (cb03794), closes #37919 #37843
• bedrockagentcore: expose default endpoint application log group on Runtime (#37812) (8e25d78), closes #37796
• core: add scope to IPolicyValidationContext (#38006) (cae7456)
• core: allow validation plugins to create new files in cloud assembly (#38007) (d9f38a9)
• core: fine-grained control over cross-stack reference strength (#37840) (bddcd44)
• core: include suppressed violations in validation-report.json (#38009) (f396892)
• core: new validation report schema (#37970) (4e09b52), closes aws/aws-cdk-cli#1515
• eks: add AlbControllerVersion support for v2.8.3 through v3.2.2 (#37752) (20abc6a), closes #37414
• eks: add deletionProtection property to Cluster construct (#36474) (5b19ac5), closes #36460
• elasticache: replace CacheEngine/UserEngine enums with enum-like classes (#37816) (6ad84b3), closes #37813

Bug Fixes

• autoscaling: use of ScheduledAction.endTime is dangerous (#38014) (109fae7)
• aws-cdk-lib: make token resolution ~25% faster (#37920) (87483dc)
• bedrockagentcore: relax allowlistedHeaders pattern to match CFN schema (#37969) (e0d6c8a), closes #37964
• cloudwatch: metric math validation reports quoted strings as unknown identifiers (#37977) (59bae38)
• core: cross-region SSM writer orphans parameters when resource is replaced during stack update (#38059) (f130388)
• core: handle string "false" for boolean context values in validation (#37989) (a26ed73)
• integ-tests: responseURL logged in onTimeout (#37972) (b9259dd)
• lambda-nodejs: bundling rejects entry paths containing ".." (#38022) (a7cc53c), closes #38017 #37572 #37572
• lambda-nodejs: perf counters e2e test uses incorrect filename (#38033) (d88637f)

Alpha modules (2.258.0-alpha.0)

Features

• integ-tests-alpha: add option to set the provider log level (#38005) (c634a79)

Bug Fixes

• custom-resource-handlers: deterministic asset hashes for generated lambdas (#37634) (6c3d5bc), closes #34307
• glue-alpha: deprecate Ray Jobs (#38055) (3fa428b)
• glue-alpha: restore notifyDelayAfter to PySpark and Scala Spark ETL jobs (#37815) (05be88a), closes #33839
• integ-tests-alpha: assertion failures print too much unnecessary information (#37974) (bc0de1d)
• mediapackagev2-alpha: cdnAuth on OriginEndpoint now generates the required policy (#38013) (1d56b46)

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

  • aws-neptunegraph: AWS::NeptuneGraph::GraphSnapshot: GraphIdentifier property is now required.

Features

• update L1 CloudFormation resource definitions (#37955) (211b06c)
• core: failSynthOnValidationErrors context key to suppress console output and exit code (#37909) (deb968f), closes aws/aws-cdk-cli#1515

Alpha modules (2.257.0-alpha.0)

Bug Fixes

• invalid lock file (#37943) (73ae91d), closes #37726 #37929 #37870

Alpha modules (2.256.1-alpha.0)

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37919) (caa0f4c), closes #37843
• core: validations report is always written to cloud assembly (#37867) (dddc6e0)
• ec2: replace any return types with specific interfaces in IPeer methods (#36637) (626e44d), closes #36636
• s3: support bucketNamePrefix and bucketNamespace properties (#37386) (997b003), closes #37760

Bug Fixes

• core: handle token-wrapped Boxes in property merge strategies (#37902) (18435e3)
• core: prevent stack overflow on large construct trees (#37901) (10163cb), closes #37903

Alpha modules (2.256.0-alpha.0)

Features

• aws-cdk-lib: emits performance counters if synthesis is slow (#37843) (ea33967)
• bedrockagentcore: graduate to stable 🚀 (#37876) (00cf601)
• core: builtin PropertyMergeStrategys are now compatible with deferred Box values (#37844) (ca4b722)
• core: persist asset fingerprinting cache (#37822) (605a776)
• ec2: add C8A instance type support (#36736) (0d088ca), closes #36722

Bug Fixes

• core: cached Lazys use the Box API internally (#37889) (464fa3d)
• core: default stack trace size adds unnecessary overhead (#37827) (0b1fb2b)
• core: share a single IAM role across cross-account Fn::GetStackOutput consumers (#37871) (fee8b90)
• dynamodb: remove deprecated scope for stream grants (#36680) (570d552), closes #36289
• iam: validate PolicyStatement SID is alphanumeric for identity policies (#36150) (a7edd72), closes #34819 #34828 #34819

Alpha modules (2.255.0-alpha.0)

Features

• bedrock-agentcore-alpha: Graduation of the library to stable. The Policy submodule is the only submodule that remains in alpha. All other constructs have graduated to stable in aws-cdk-lib/aws-bedrockagentcore and we recommend migrating to the stable versions (#37876) (00cf601)

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-elasticache: AWS::ElastiCache::CacheCluster: Id attribute removed.
aws-sagemaker: AWS::SageMaker::Model: Id attribute removed.
aws-vpclattice: AWS::VpcLattice::AuthPolicy: State attribute enum values changed from ACTIVE|INACTIVE to Active|Inactive.

Features

• update L1 CloudFormation resource definitions (#37826) (fb4197e)
• cloudwatch: add PromQL Alarm L2 construct (#37793) (13a4924)
• core: PropertyMergeStrategy now supports array merge strategies (#37841) (701305d)
• core: plugin violations can be suppressed (#37808) (a47ad39), closes #37781
• core: weak cross environment references (#37800) (fe23dce)
• core: weak cross-stack references in the same environment (#37824) (167ff3c)
• dynamodb: resource policies for streams (#37254) (7e5679c)
• lambda: add SQS provisionedPollerConfig support with validation and fix type mismatch (#37550) (086738b), closes #37197 /github.com/aws/aws-cdk/pull/37197#pullrequestreview-2772143562 #37197
• ses: auto email validation for configuration sets (#36679) (3a58641)

Bug Fixes

• file fingerprinting is now ~33% faster (#37802) (b871018)
• core: "exports cannot be updated" for cross-region references (#37790) (af11f00)
• rds: add lower bound validation for ClusterInstance promotionTier (#37519) (16c0a29), closes #37518
• s3deploy: empty sources leads to deployment error (#37786) (d28ad30)
• bundled jsonschema in @aws-cdk/cloud-assembly-api causes ELSPROBLEMS (#37774) (64651d3), closes #37756

Alpha modules (2.254.0-alpha.0)

Features

• bedrock-agentcore-alpha: add tags support to Evaluator and OnlineEvaluationConfig (#37804) (adbf88f)
• bedrock-agentcore-alpha: add identity L2 constructs (#37610) (67c3af2)
• mediapackagev2-alpha: add OAC integration between CloudFront and MediaPackageV2 (#37701) (654f59c)

Bug Fixes

• bedrock-agentcore-alpha: fix cedar policy bug (#37782) (e678d5c), closes #37828
• custom-resource-handlers: deployment fails when parameter already exists (#37852) (025c38c)

Bug Fixes

• core: "exports cannot be updated" for cross-region references (#37790) (b0c00e2)
• s3deploy: empty sources leads to deployment error (#37786) (f61656a)

Alpha modules (2.253.1-alpha.0)

Features

• update L1 CloudFormation resource definitions (#37753) (a661c2d)
• apigatewayv2-integrations: auto-include EventBusName in HttpEventBridgeIntegration default parameter mapping (#36780) (9734bb4), closes #36775
• core: add Fn::GetStackOutput for cross-region references (#37724) (ffae861)
• core: integrate construct annotations into validation report (#37712) (438bd0b)
• synthetics: add Playwright 5.1 and 6.0 runtimes (#37665) (c1afb43)
• emr instance fleet priority allocation (#35731) (db1188a), closes #35710 /github.com/aws/aws-cdk/blob/3ec6d06c7c58e4f14b3fb114d7c35dc6d01794d9/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/private/cluster-utils.ts#L91

Bug Fixes

• cloudfront: skip cachePolicyName length validation for unresolved tokens (#37751) (3b96e97), closes #23567 #34102
• cloudwatch: remove false positive warning for CDK tokens in MathExpression (#36882) (c29dc17), closes #34977
• codebuild: correct S3 log encryption boolean inversion (#37761) (4031918)
• ecs: enabling the circuitBreaker is not recommended loudly enough (#37755) (a52af7d)
• eks: add dependency from HelmChart custom resource to s3 chartAsset IAM policy (#37731) (99d0a5b), closes #19880

Alpha modules (2.253.0-alpha.0)

Features

• bedrock-agentcore-alpha: add OnlineEvaluationConfig and Evaluator L2 constructs (#37615) (c13de04), closes #37614
• glue-alpha: add extraPythonFiles support to PythonShellJob (#37130) (c9c6f9c), closes #34448

Bug Fixes

• bedrock-agentcore-alpha: self-managed memory strategy validation throws on unresolved tokens (#37691) (7956537), closes #37197