fix(deps): update dependency aws-cdk-lib to v2.177.0 [security] (#206)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [aws-cdk-lib](https://redirect.github.com/aws/aws-cdk) ([source](https://redirect.github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib)) | [`2.176.0` -> `2.177.0`](https://renovatebot.com/diffs/npm/aws-cdk-lib/2.176.0/2.177.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/aws-cdk-lib/2.177.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/aws-cdk-lib/2.177.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/aws-cdk-lib/2.176.0/2.177.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/aws-cdk-lib/2.176.0/2.177.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-23206](https://redirect.github.com/aws/aws-cdk/security/advisories/GHSA-v4mq-x674-ff73)

### Impact
Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34. 

However, the current `tls.connect` method will always set `rejectUnauthorized: false` which is a potential security concern. CDK should follow the best practice and set `rejectUnauthorized: true`. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag. 

Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to a unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigate the MITM attack.

As a best practice, CDK should still fix this issue under a feature flag to avoid regression.

```
packages/@​aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts
❯❱ problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS
verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized
to false bypasses verification against the list of trusted CAs, which also leads to insecure
transport.
```

### Patches
The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (Expected release date 2025-02-22). 
Once upgraded, please make sure the feature flag '@​aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true in `cdk.context.json` or `cdk.json`. More details on feature flag setting is [here](https://docs.aws.amazon.com/cdk/v2/guide/featureflags.html).

### Workarounds
N/A

### References
[https://github.com/aws/aws-cdk/issues/32920](https://redirect.github.com/aws/aws-cdk/issues/32920)

---

### Release Notes

<details>
<summary>aws/aws-cdk (aws-cdk-lib)</summary>

### [`v2.177.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.177.0)

[Compare Source](https://redirect.github.com/aws/aws-cdk/compare/v2.176.0...v2.177.0)

##### Features

-   **apigatewayv2:**  throw `ValidationError` instead of untyped errors ([#&#8203;33072](https://redirect.github.com/aws/aws-cdk/issues/33072)) ([8b472fc](https://redirect.github.com/aws/aws-cdk/commit/8b472fc5a68c2c83349dbfc11fa502f08d0bd5c8)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **apigatewayv2:** throw `ValidationError` instead of untyped errors ([#&#8203;33082](https://redirect.github.com/aws/aws-cdk/issues/33082)) ([5377586](https://redirect.github.com/aws/aws-cdk/commit/537758607623d364529ccad78983eaa3f380762e)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **apigatewayv2-authorizers:** throw `ValidationError` instead of untyped errors ([#&#8203;33076](https://redirect.github.com/aws/aws-cdk/issues/33076)) ([dd34d2e](https://redirect.github.com/aws/aws-cdk/commit/dd34d2e3286048eb5079d93b743c444c4ee1e9bf)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **bedrock:** deprecate Claude 2, 2.1, Instant ([#&#8203;33058](https://redirect.github.com/aws/aws-cdk/issues/33058)) ([c0ed449](https://redirect.github.com/aws/aws-cdk/commit/c0ed4491a399cff5a098b0e4de389437c0cb55ba))
-   **cli:** add --untrust option to bootstrap ([#&#8203;33091](https://redirect.github.com/aws/aws-cdk/issues/33091)) ([4713bdd](https://redirect.github.com/aws/aws-cdk/commit/4713bdd3bdd64e924c403c6c680d3205e4cef491))
-   **cli:** show all information from waiter errors ([#&#8203;33035](https://redirect.github.com/aws/aws-cdk/issues/33035)) ([b512a72](https://redirect.github.com/aws/aws-cdk/commit/b512a72cd6457a4d95d7346338894a4e3ed503f3))
-   **cli:** throw typed errors ([#&#8203;33005](https://redirect.github.com/aws/aws-cdk/issues/33005)) ([bf81b3c](https://redirect.github.com/aws/aws-cdk/commit/bf81b3ce17941f1f84b386f1e935150893b58315)), closes [#&#8203;32548](https://redirect.github.com/aws/aws-cdk/issues/32548)
-   **cloudfront-origins:** list access level for 404 response ([#&#8203;32059](https://redirect.github.com/aws/aws-cdk/issues/32059)) ([2b2443d](https://redirect.github.com/aws/aws-cdk/commit/2b2443de2f566f1595657f94195d8b61243fb800)), closes [#&#8203;13983](https://redirect.github.com/aws/aws-cdk/issues/13983) [#&#8203;31689](https://redirect.github.com/aws/aws-cdk/issues/31689)
-   **cognito:** managed login ([#&#8203;33097](https://redirect.github.com/aws/aws-cdk/issues/33097)) ([188f52d](https://redirect.github.com/aws/aws-cdk/commit/188f52d5750274b86c5ebc6ce55ec7cdbc6fc8a7))
-   **elbv2:** throw `ValidationError` intsead of untyped errors ([#&#8203;33111](https://redirect.github.com/aws/aws-cdk/issues/33111)) ([cc1988a](https://redirect.github.com/aws/aws-cdk/commit/cc1988acd3a5d8f6a348140af8ca69176b18a52c)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **lambda:** throw `ValidationError` instead of untyped errors ([#&#8203;33033](https://redirect.github.com/aws/aws-cdk/issues/33033)) ([a928748](https://redirect.github.com/aws/aws-cdk/commit/a928748717baf6d7eb90724c2fd7ee980eda284b)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **rds:** throw `ValidationError` instead of untyped errors ([#&#8203;33042](https://redirect.github.com/aws/aws-cdk/issues/33042)) ([0b2db62](https://redirect.github.com/aws/aws-cdk/commit/0b2db62850913a1af5b0018aff7c71fad6a7714f)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **route53:** throw `ValidationError` instead of untyped errors ([#&#8203;33110](https://redirect.github.com/aws/aws-cdk/issues/33110)) ([5e0f16d](https://redirect.github.com/aws/aws-cdk/commit/5e0f16d5f5782784a7b572caa6531460bb4eed50)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **s3:** replicating objects ([#&#8203;30966](https://redirect.github.com/aws/aws-cdk/issues/30966)) ([9d8a7e2](https://redirect.github.com/aws/aws-cdk/commit/9d8a7e20fbdb0fa956bf01b0f1dc6b26173dd161)), closes [#&#8203;1680](https://redirect.github.com/aws/aws-cdk/issues/1680) [/docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrulefilter.html#cfn-s3](https://redirect.github.com/aws//docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrulefilter.html/issues/cfn-s3) [/docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3](https://redirect.github.com/aws//docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html/issues/cfn-s3) [/docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3](https://redirect.github.com/aws//docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html/issues/cfn-s3)
-   **s3:** throw `ValidationError` instead of untyped errors ([#&#8203;33031](https://redirect.github.com/aws/aws-cdk/issues/33031)) ([61e876b](https://redirect.github.com/aws/aws-cdk/commit/61e876bd3ed65742b9b4321d0a514dfc606313f4)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **s3:** throw `ValidationError` instead of untyped errors ([#&#8203;33109](https://redirect.github.com/aws/aws-cdk/issues/33109)) ([aea8f3b](https://redirect.github.com/aws/aws-cdk/commit/aea8f3b4f1bf80d5ffa390fee2986d864cd842c5)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **sns:** throw `ValidationError` instead of untyped errors ([#&#8203;33045](https://redirect.github.com/aws/aws-cdk/issues/33045)) ([7452462](https://redirect.github.com/aws/aws-cdk/commit/7452462550a100f5bd2dcab6f495c9f68bf0db4a)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **sqs:** throw `ValidationError` instead of untyped errors ([#&#8203;33046](https://redirect.github.com/aws/aws-cdk/issues/33046)) ([6469412](https://redirect.github.com/aws/aws-cdk/commit/64694124e37113eaeed50635e5d1fb8db9badc89)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **ssm:** throw `ValidationError` instead of untyped errors ([#&#8203;33067](https://redirect.github.com/aws/aws-cdk/issues/33067)) ([6677b33](https://redirect.github.com/aws/aws-cdk/commit/6677b3373157c71b104c97ae3bbece39e44e29de)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **synthetics:** cleanup provisioned lambda and layers for canary ([#&#8203;32738](https://redirect.github.com/aws/aws-cdk/issues/32738)) ([bdb4a59](https://redirect.github.com/aws/aws-cdk/commit/bdb4a594c16a2051ca157f5f06f059d7edcf457c))
-   **synthetics:** node playwright 1.0 and python selenium 4.1 runtime ([#&#8203;32245](https://redirect.github.com/aws/aws-cdk/issues/32245)) ([d68020b](https://redirect.github.com/aws/aws-cdk/commit/d68020b8c1dc957a7e99aefab31de91f5a304b31)), closes [/docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html#CloudWatch_Synthetics_runtimeversion-syn-python-selenium-4](https://redirect.github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html/issues/CloudWatch_Synthetics_runtimeversion-syn-python-selenium-4)
-   **synthetics:** throw `ValidationError` instead of untyped errors ([#&#8203;33079](https://redirect.github.com/aws/aws-cdk/issues/33079)) ([e4703c1](https://redirect.github.com/aws/aws-cdk/commit/e4703c19598753a2b6f240b906d3e1da3954851f)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
-   **VpcV2:** add BYOIP IPv6 to VPCv2 ([#&#8203;32927](https://redirect.github.com/aws/aws-cdk/issues/32927)) ([93c95fc](https://redirect.github.com/aws/aws-cdk/commit/93c95fc1a4f547d309732ae7b32f65e3763c2d37))
-   update L1 CloudFormation resource definitions ([#&#8203;33019](https://redirect.github.com/aws/aws-cdk/issues/33019)) ([e31924a](https://redirect.github.com/aws/aws-cdk/commit/e31924a7ec472f165382f5cca8b55b747e9c4208)), closes [/docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseRoute53](https://redirect.github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html/issues/CloudWatch-Logs-Transformation-parseRoute53) [/docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parseRoute53](https://redirect.github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html/issues/CloudWatch-Logs-Transformation-parseRoute53)

##### Bug Fixes

-   **bundling:** enclosing metafile & tsconfig paths with quotes ([#&#8203;32725](https://redirect.github.com/aws/aws-cdk/issues/32725)) ([5410e10](https://redirect.github.com/aws/aws-cdk/commit/5410e1016b39ef3ef45a02da151ce40c83ce9e0d))
-   **cli:** disallow import of internal cli libraries ([#&#8203;33021](https://redirect.github.com/aws/aws-cdk/issues/33021)) ([e5ac918](https://redirect.github.com/aws/aws-cdk/commit/e5ac918efbb66674176c81171e0d61affddcbeab))
-   **cli:** trace output (-vv) is useless when files are uploaded ([#&#8203;33104](https://redirect.github.com/aws/aws-cdk/issues/33104)) ([d95add3](https://redirect.github.com/aws/aws-cdk/commit/d95add33fc3fe355752ff56cd37381cb808890b6))
-   **cloudfront:** add validations on ResponseHeadersCorsBehavior.accessControlAllowMethods ([#&#8203;32769](https://redirect.github.com/aws/aws-cdk/issues/32769)) ([4c42800](https://redirect.github.com/aws/aws-cdk/commit/4c4280050e67d5779edeb09baf3287b431839aed))
-   **cx-api:** cannot detect CloudAssembly across different libraries ([#&#8203;32998](https://redirect.github.com/aws/aws-cdk/issues/32998)) ([94ba772](https://redirect.github.com/aws/aws-cdk/commit/94ba7721b5c6adeb7974152d67d7b56524687cbe)), closes [aws/aws-cdk#31041](https://redirect.github.com/aws/aws-cdk/issues/31041)
-   **rds:** does not print all failed validations for DatabaseCluster props ([#&#8203;32841](https://redirect.github.com/aws/aws-cdk/issues/32841)) ([344d916](https://redirect.github.com/aws/aws-cdk/commit/344d916480f6facc437841033cd3d072ebc07010)), closes [#&#8203;32840](https://redirect.github.com/aws/aws-cdk/issues/32840) [#&#8203;32840](https://redirect.github.com/aws/aws-cdk/issues/32840) [/github.com/aws/aws-cdk/pull/32151/files#diff-49b4a9e1bf0b7db3ab71f4f08580da0cb2191d84605dc82a70c324bd122d5cf7R805-R828](https://redirect.github.com/aws//github.com/aws/aws-cdk/pull/32151/files/issues/diff-49b4a9e1bf0b7db3ab71f4f08580da0cb2191d84605dc82a70c324bd122d5cf7R805-R828) [/github.com/aws/aws-cdk/pull/32841/files#diff-5d08d37e744e173239879212c59fd45cb9a279349f3dfb1c66923cb015ed3a3](https://redirect.github.com/aws//github.com/aws/aws-cdk/pull/32841/files/issues/diff-5d08d37e744e173239879212c59fd45cb9a279349f3dfb1c66923cb015ed3a3) [/github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-ec2/lib/volume.ts#L672-L743](https://redirect.github.com/aws//github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-ec2/lib/volume.ts/issues/L672-L743) [/github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/eventbridge-scheduler/create-schedule.ts#L324-L362](https://redirect.github.com/aws//github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/eventbridge-scheduler/create-schedule.ts/issues/L324-L362) [/github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-fsx/lib/lustre-file-system.ts#L360-L380](https://redirect.github.com/aws//github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-fsx/lib/lustre-file-system.ts/issues/L360-L380)
-   **sqs:** does not print all failed validations for Queue props ([#&#8203;33070](https://redirect.github.com/aws/aws-cdk/issues/33070)) ([b77e937](https://redirect.github.com/aws/aws-cdk/commit/b77e9379e8d1e6d653042a2be35efb18983e1973)), closes [#&#8203;33098](https://redirect.github.com/aws/aws-cdk/issues/33098) [#&#8203;33098](https://redirect.github.com/aws/aws-cdk/issues/33098)
-   update fetchOpenPullRequests method to pass organisation in github action workflow for prioritization ([#&#8203;33073](https://redirect.github.com/aws/aws-cdk/issues/33073)) ([066cd4f](https://redirect.github.com/aws/aws-cdk/commit/066cd4f45e194cff5ed39582e50f5b95e83cbeed))

***

##### Alpha modules (2.177.0-alpha.0)

##### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

-   **glue-alpha:** Developers must refactor their existing Job
    instantiation method calls to choose the right job type and language,
    and use the new constants static values to define the associated Job
    configuration settings. See the RFC and/or new README for examples.

##### Description of how you validated changes

Increased unit test coverage to > 90%, consulted with Glue service team
on best practices and sane defaults, updated integration tests.

##### Features

-   **amplify-alpha:** throw `ValidationError` instead of untyped errors ([#&#8203;33141](https://redirect.github.com/aws/aws-cdk/issues/33141)) ([a7cd9eb](https://redirect.github.com/aws/aws-cdk/commit/a7cd9ebc55f8fd70a469aea7dcf1c16919475982)), closes [#&#8203;32569](https://redirect.github.com/aws/aws-cdk/issues/32569)

##### Bug Fixes

-   **custom-resource-handlers:** do not allow unauthorized connection for iam OIDC connection (under feature flag) ([#&#8203;32921](https://redirect.github.com/aws/aws-cdk/issues/32921)) ([3e4f377](https://redirect.github.com/aws/aws-cdk/commit/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e)), closes [#&#8203;32920](https://redirect.github.com/aws/aws-cdk/issues/32920)

##### Code Refactoring

-   **glue-alpha:**  Refactored glue-alpha L2 CDK construct RFC 0497 ([#&#8203;32521](https://redirect.github.com/aws/aws-cdk/issues/32521)) ([1a18dc9](https://redirect.github.com/aws/aws-cdk/commit/1a18dc951a3946430231b685bd3584f62055127c))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SvenKirschbaum/aws-utils).

package.json

@@ -23,7 +23,7 @@
   "dependencies": {
     "@fallobst22/cdk-cross-account-route53": "^0.0.52",
     "@trautonen/cdk-dns-validated-certificate": "0.1.12",
-    "aws-cdk-lib": "2.176.0",
+    "aws-cdk-lib": "2.177.0",
     "constructs": "10.4.2",
     "source-map-support": "0.5.21"
   }