fix: resolve dependabot alerts and bump CI actions #2546

Merged
zastrowm merged 2 commits into strands-agents:main from zastrowm:fix-audit-stuff
Jun 2, 2026
@zastrowm
Member

@zastrowm zastrowm commented Jun 1, 2026

Summary

  • Update CDK example dependencies (vitest ^4.1.6, aws-cdk-lib 2.257.0) to resolve all actionable Dependabot alerts
  • Bump CI actions: dorny/paths-filter v4, actions/github-script v9, actions/checkout v6, codecov/codecov-action v6
  • Bump production deps: @aws-sdk/client-bedrock-runtime ^3.1053.0, yaml ^2.9.0, zod ^4.4.3

Integ test failures due to billing issues in OpenAI and Gemini

Test plan

  • npm audit --audit-level=high passes (0 vulnerabilities)
  • strands-ts unit tests pass (2849/2849)
  • Pre-commit hook passes (build + test:coverage) on all commits

zastrowm added 2 commits June 1, 2026 14:24
Bump vitest ^3.1.2 → ^4.1.6 and aws-cdk-lib 2.192.0 → 2.257.0
in site/docs/examples/cdk/ projects.
- dorny/paths-filter v3 → v4
- actions/github-script v7/v8 → v9
- actions/checkout v4 → v6
- codecov/codecov-action v5 → v6
@codecov

codecov Bot commented Jun 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@github-actions
Contributor

github-actions Bot commented Jun 1, 2026

Assessment: Approve

Clean maintenance PR that resolves Dependabot alerts and ensures CI action consistency across all workflows. The as Role type assertions in bedrock.ts are a pragmatic fix for the AWS SDK's widened types after the version bump.

Review Notes
  • CI Actions: All bumped versions verified to exist; usage is now consistent across all workflow files.
  • Dependency Bounds: Production deps use ^ (minor-compatible), CDK examples pin aws-cdk-lib exactly — both appropriate patterns.
  • Type Assertions: The as Role casts in bedrock.ts are safe given Bedrock always returns 'assistant' for converse responses, though a runtime validation (e.g., asserting the value is one of the expected literals) would be more defensive if the AWS SDK ever introduces new role values.

Looks good — well-scoped and low-risk.

@github-actions
Contributor

github-actions Bot commented Jun 1, 2026

Documentation Preview Ready

Your documentation preview has been successfully deployed!

Preview URL: https://d3ehv1nix5p99z.cloudfront.net/pr-cms-2546/docs/user-guide/quickstart/overview/

Updated at: 2026-06-01T20:08:47.964Z

@github-actions
Contributor

github-actions Bot commented Jun 1, 2026

Assessment: Approve

Clean maintenance PR — well-scoped dependency and CI action bumps with no functional regressions. All changes are consistent across the codebase.

Review Details
  • CI Actions: All workflow files consistently use actions/github-script@v9, actions/checkout@v6, codecov/codecov-action@v6, and dorny/paths-filter@v4 (verified v4 exists)
  • CDK Examples: All 4 examples (apprunner, ec2, fargate, lambda) consistently bumped to aws-cdk-lib@2.257.0 and vitest@^4.1.6
  • Production Deps: Appropriate use of ^ ranges for semver-compatible updates
  • Type Fix: The as Role assertions in bedrock.ts are a pragmatic narrowing from the AWS SDK's widened string type to the SDK's 'user' | 'assistant' literal union — acceptable given ensureDefined already validates presence

No blocking issues found.
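
The runtime validation both review comments mention, as an added example that is not part of the original thread or the strands-agents code: a type guard that rejects unexpected role values, shown beside a compile-time-only cast. `SdkMessage`, `isRole`, `parseRole`, `castRole` and `classify` are hypothetical names, and the `Role` union is taken from the review text.

```typescript
// Added illustration; not code from the strands-agents repository.
// Role mirrors the 'user' | 'assistant' union named in the review comment.
type Role = 'user' | 'assistant'

// Hypothetical stand-in for the widened SDK shape: role arrives as a plain string.
interface SdkMessage {
  role?: string
}

// Type guard: narrows to Role only after checking the value that is actually present.
function isRole(value: unknown): value is Role {
  return value === 'user' || value === 'assistant'
}

// Fails closed: a missing or unknown role raises instead of flowing downstream.
function parseRole(message: SdkMessage): Role {
  const role = message.role
  if (!isRole(role)) {
    // JSON.stringify quotes the value so stray control characters stay out of logs.
    throw new TypeError(`unexpected message role: ${JSON.stringify(role)}`)
  }
  return role
}

// Compile-time-only narrowing, like a bare `as Role` cast: any string gets through.
function castRole(message: SdkMessage): Role {
  return message.role as Role
}

// Helper for the demo: returns the validated role, or 'rejected' on failure.
function classify(message: SdkMessage): string {
  try {
    return parseRole(message)
  } catch {
    return 'rejected'
  }
}

// Constructed sample messages: expected value, unexpected value, missing field.
const samples: SdkMessage[] = [{ role: 'assistant' }, { role: 'system' }, {}]
console.log(samples.map(classify))
```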

@zastrowm zastrowm enabled auto-merge (squash) June 1, 2026 20:19
@zastrowm zastrowm merged commit 2cd5a5c into strands-agents:main Jun 2, 2026
39 of 42 checks passed