Merge branch 'main' into AEA-6028

Author: MatthewPopat-NHS

.github/workflows/ci.yml

@@ -55,7 +55,7 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@b933ef1bb3527fd7e7d5a7629fbd4e4dd94bf1b4
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/pull_request.yml

@@ -10,7 +10,7 @@ env:
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
-    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@27a44fb54f4023136d2c14058e3256e73af9901e
+    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
@@ -32,7 +32,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   pr_title_format_check:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@27a44fb54f4023136d2c14058e3256e73af9901e
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
   quality_checks:
     uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     needs: [get_asdf_version, get_commit_id]
@@ -112,7 +112,7 @@ jobs:
 
   tag_release:
     needs: [get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@b933ef1bb3527fd7e7d5a7629fbd4e4dd94bf1b4
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.github/workflows/release.yml

@@ -56,7 +56,7 @@ jobs:
 
   tag_release:
     needs: [quality_checks, get_commit_id, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@b933ef1bb3527fd7e7d5a7629fbd4e4dd94bf1b4
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     with:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}

.trivyignore.yaml

@@ -23,3 +23,12 @@ vulnerabilities:
   - id: CVE-2025-61729
     statement: downstream dependency for asdf/go - waiting for new asdf release
     expired_at: 2026-06-01
+  - id: CVE-2025-61726
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2025-61728
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2026-25128
+    statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release
+    expired_at: 2026-06-01

package-lock.json

@@ -11,7 +11,7 @@
   "keywords": [],
   "license": "MIT",
   "devDependencies": {
-    "@types/node": "^25.0.10",
+    "@types/node": "^25.1.0",
     "@typescript-eslint/eslint-plugin": "^8.54.0",
     "@typescript-eslint/parser": "^8.54.0",
     "@vitest/coverage-v8": "^4.0.18",
@@ -26,7 +26,7 @@
     "vitest": "^4.0.13"
   },
   "dependencies": {
-    "aws-cdk": "^2.1102.0",
+    "aws-cdk": "^2.1104.0",
     "aws-cdk-lib": "^2.236.0",
     "cdk-nag": "^2.37.52",
     "constructs": "^10.4.5",

package.json

@@ -20,10 +20,10 @@
     "private": false,
     "type": "module",
     "dependencies": {
-        "@aws-sdk/client-cloudformation": "^3.975.0",
+        "@aws-sdk/client-cloudformation": "^3.978.0",
         "@aws-sdk/client-route-53": "^3.975.0",
-        "@aws-sdk/client-s3": "^3.975.0",
-        "aws-cdk": "^2.1102.0",
+        "@aws-sdk/client-s3": "^3.978.0",
+        "aws-cdk": "^2.1104.0",
         "aws-cdk-lib": "^2.236.0",
         "cdk-nag": "^2.37.52",
         "constructs": "^10.4.5"
@@ -38,6 +38,6 @@
     "main": "lib/src/index.js",
     "types": "lib/src/index.d.ts",
     "devDependencies": {
-        "@types/node": "^25.0.10"
+        "@types/node": "^25.1.0"
     }
 }

packages/cdkConstructs/package.json

@@ -17,6 +17,7 @@ import {
 } from "aws-cdk-lib/aws-lambda"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface PythonLambdaFunctionProps {
   /**
@@ -207,15 +208,11 @@ export class PythonLambdaFunction extends Construct {
 
     // Suppress CFN guard rules for Lambda function
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     // Create policy for external services to invoke this Lambda
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {

packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts

@@ -15,6 +15,7 @@ import {NodejsFunction, NodejsFunctionProps} from "aws-cdk-lib/aws-lambda-nodejs
 import {Construct} from "constructs"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface TypescriptLambdaFunctionProps {
   /**
@@ -231,15 +232,11 @@ export class TypescriptLambdaFunction extends Construct {
     })
 
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
       description: `execute lambda ${functionName}`,

packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts

@@ -13,6 +13,7 @@ import {
 } from "aws-cdk-lib/aws-iam"
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+import {addSuppressions} from "../utils/helpers"
 
 export interface SharedLambdaResourceProps {
   readonly functionName: string
@@ -65,13 +66,7 @@ export const createSharedLambdaResources = (
   })
 
   const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-  cfnlogGroup.cfnOptions.metadata = {
-    guard: {
-      SuppressedRules: [
-        "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-      ]
-    }
-  }
+  addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
 
   new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
     destinationArn: splunkDeliveryStream.streamArn,