projen 0.79.4__py3-none-any.whl → 0.98.25__py3-none-any.whl

projen/typescript/__init__.py

@@ -1,3 +1,6 @@
+from pkgutil import extend_path
+__path__ = extend_path(__path__, __name__)
+
 import abc
 import builtins
 import datetime
@@ -8,7 +11,22 @@ import jsii
 import publication
 import typing_extensions
 
-from typeguard import check_type
+import typeguard
+from importlib.metadata import version as _metadata_package_version
+TYPEGUARD_MAJOR_VERSION = int(_metadata_package_version('typeguard').split('.')[0])
+
+def check_type(argname: str, value: object, expected_type: typing.Any) -> typing.Any:
+    if TYPEGUARD_MAJOR_VERSION <= 2:
+        return typeguard.check_type(argname=argname, value=value, expected_type=expected_type) # type:ignore
+    else:
+        if isinstance(value, jsii._reference_map.InterfaceDynamicProxy): # pyright: ignore [reportAttributeAccessIssue]
+           pass
+        else:
+            if TYPEGUARD_MAJOR_VERSION == 3:
+                typeguard.config.collection_check_strategy = typeguard.CollectionCheckStrategy.ALL_ITEMS # type:ignore
+                typeguard.check_type(value=value, expected_type=expected_type) # type:ignore
+            else:
+                typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore
 
 from .._jsii import *
 
@@ -40,6 +58,9 @@ from ..github.workflows import (
     JobStep as _JobStep_c3287c05, Triggers as _Triggers_e9ae7617
 )
 from ..javascript import (
+    AuditOptions as _AuditOptions_429c62df,
+    BiomeOptions as _BiomeOptions_452ab984,
+    BuildWorkflowOptions as _BuildWorkflowOptions_b756f97f,
     BundlerOptions as _BundlerOptions_d60b85ed,
     CodeArtifactOptions as _CodeArtifactOptions_e4782b3e,
     Eslint as _Eslint_b3991f7f,
@@ -55,8 +76,11 @@ from ..javascript import (
     ProjenrcOptions as _ProjenrcOptions_179dd39f,
     ScopedPackagesOptions as _ScopedPackagesOptions_52f0a477,
     TypeScriptCompilerOptions as _TypeScriptCompilerOptions_829fc4b0,
+    TypeScriptImportsNotUsedAsValues as _TypeScriptImportsNotUsedAsValues_95cb8527,
+    TypeScriptJsxMode as _TypeScriptJsxMode_8489d67f,
+    TypeScriptModuleDetection as _TypeScriptModuleDetection_28bd432f,
+    TypeScriptModuleResolution as _TypeScriptModuleResolution_56cffb1b,
     TypescriptConfig as _TypescriptConfig_e4a2920d,
-    TypescriptConfigExtends as _TypescriptConfigExtends_ba2a99fc,
     TypescriptConfigOptions as _TypescriptConfigOptions_8c5492cd,
     UpgradeDependenciesOptions as _UpgradeDependenciesOptions_1d8ce4da,
     YarnBerryOptions as _YarnBerryOptions_b6942539,
@@ -734,29 +758,197 @@ class TsJestTsconfig(
     def custom(
         cls,
         *,
-        compiler_options: typing.Union[_TypeScriptCompilerOptions_829fc4b0, typing.Dict[builtins.str, typing.Any]],
-        exclude: typing.Optional[typing.Sequence[builtins.str]] = None,
-        extends: typing.Optional[_TypescriptConfigExtends_ba2a99fc] = None,
-        file_name: typing.Optional[builtins.str] = None,
-        include: typing.Optional[typing.Sequence[builtins.str]] = None,
+        allow_arbitrary_extensions: typing.Optional[builtins.bool] = None,
+        allow_importing_ts_extensions: typing.Optional[builtins.bool] = None,
+        allow_js: typing.Optional[builtins.bool] = None,
+        allow_synthetic_default_imports: typing.Optional[builtins.bool] = None,
+        allow_unreachable_code: typing.Optional[builtins.bool] = None,
+        allow_unused_labels: typing.Optional[builtins.bool] = None,
+        always_strict: typing.Optional[builtins.bool] = None,
+        base_url: typing.Optional[builtins.str] = None,
+        check_js: typing.Optional[builtins.bool] = None,
+        custom_conditions: typing.Optional[typing.Sequence[builtins.str]] = None,
+        declaration: typing.Optional[builtins.bool] = None,
+        declaration_dir: typing.Optional[builtins.str] = None,
+        declaration_map: typing.Optional[builtins.bool] = None,
+        downlevel_iteration: typing.Optional[builtins.bool] = None,
+        emit_declaration_only: typing.Optional[builtins.bool] = None,
+        emit_decorator_metadata: typing.Optional[builtins.bool] = None,
+        es_module_interop: typing.Optional[builtins.bool] = None,
+        exact_optional_property_types: typing.Optional[builtins.bool] = None,
+        experimental_decorators: typing.Optional[builtins.bool] = None,
+        force_consistent_casing_in_file_names: typing.Optional[builtins.bool] = None,
+        imports_not_used_as_values: typing.Optional[_TypeScriptImportsNotUsedAsValues_95cb8527] = None,
+        incremental: typing.Optional[builtins.bool] = None,
+        inline_source_map: typing.Optional[builtins.bool] = None,
+        inline_sources: typing.Optional[builtins.bool] = None,
+        isolated_modules: typing.Optional[builtins.bool] = None,
+        jsx: typing.Optional[_TypeScriptJsxMode_8489d67f] = None,
+        jsx_import_source: typing.Optional[builtins.str] = None,
+        lib: typing.Optional[typing.Sequence[builtins.str]] = None,
+        module: typing.Optional[builtins.str] = None,
+        module_detection: typing.Optional[_TypeScriptModuleDetection_28bd432f] = None,
+        module_resolution: typing.Optional[_TypeScriptModuleResolution_56cffb1b] = None,
+        no_emit: typing.Optional[builtins.bool] = None,
+        no_emit_on_error: typing.Optional[builtins.bool] = None,
+        no_fallthrough_cases_in_switch: typing.Optional[builtins.bool] = None,
+        no_implicit_any: typing.Optional[builtins.bool] = None,
+        no_implicit_override: typing.Optional[builtins.bool] = None,
+        no_implicit_returns: typing.Optional[builtins.bool] = None,
+        no_implicit_this: typing.Optional[builtins.bool] = None,
+        no_property_access_from_index_signature: typing.Optional[builtins.bool] = None,
+        no_unchecked_indexed_access: typing.Optional[builtins.bool] = None,
+        no_unused_locals: typing.Optional[builtins.bool] = None,
+        no_unused_parameters: typing.Optional[builtins.bool] = None,
+        out_dir: typing.Optional[builtins.str] = None,
+        paths: typing.Optional[typing.Mapping[builtins.str, typing.Sequence[builtins.str]]] = None,
+        resolve_json_module: typing.Optional[builtins.bool] = None,
+        resolve_package_json_exports: typing.Optional[builtins.bool] = None,
+        resolve_package_json_imports: typing.Optional[builtins.bool] = None,
+        root_dir: typing.Optional[builtins.str] = None,
+        skip_lib_check: typing.Optional[builtins.bool] = None,
+        source_map: typing.Optional[builtins.bool] = None,
+        source_root: typing.Optional[builtins.str] = None,
+        strict: typing.Optional[builtins.bool] = None,
+        strict_null_checks: typing.Optional[builtins.bool] = None,
+        strict_property_initialization: typing.Optional[builtins.bool] = None,
+        strip_internal: typing.Optional[builtins.bool] = None,
+        target: typing.Optional[builtins.str] = None,
+        ts_build_info_file: typing.Optional[builtins.str] = None,
+        type_roots: typing.Optional[typing.Sequence[builtins.str]] = None,
+        types: typing.Optional[typing.Sequence[builtins.str]] = None,
+        use_unknown_in_catch_variables: typing.Optional[builtins.bool] = None,
+        verbatim_module_syntax: typing.Optional[builtins.bool] = None,
     ) -> "TsJestTsconfig":
         '''(experimental) Inline compiler options.
 
-        :param compiler_options: (experimental) Compiler options to use.
-        :param exclude: (experimental) Filters results from the "include" option. Default: - node_modules is excluded by default
-        :param extends: (experimental) Base ``tsconfig.json`` configuration(s) to inherit from.
-        :param file_name: Default: "tsconfig.json"
-        :param include: (experimental) Specifies a list of glob patterns that match TypeScript files to be included in compilation. Default: - all .ts files recursively
-
-        :see: TypescriptConfigOptions
-        :stability: experimental
-        '''
-        config = _TypescriptConfigOptions_8c5492cd(
-            compiler_options=compiler_options,
-            exclude=exclude,
-            extends=extends,
-            file_name=file_name,
-            include=include,
+        :param allow_arbitrary_extensions: (experimental) Suppress arbitrary extension import errors with the assumption that a bundler will be handling it. Default: undefined
+        :param allow_importing_ts_extensions: (experimental) Allows TypeScript files to import each other with TypeScript-specific extensions (``.ts``, ``.mts``, ``.tsx``). Requires ``noEmit`` or ``emitDeclarationOnly``. Default: undefined
+        :param allow_js: (experimental) Allow JavaScript files to be compiled. Default: false
+        :param allow_synthetic_default_imports: (experimental) Allow default imports from modules with no default export. This does not affect code emit, just typechecking.
+        :param allow_unreachable_code: (experimental) Allow Unreachable Code. When: - ``undefined`` (default) provide suggestions as warnings to editors - ``true`` unreachable code is ignored - ``false`` raises compiler errors about unreachable code These warnings are only about code which is provably unreachable due to the use of JavaScript syntax.
+        :param allow_unused_labels: (experimental) Allow Unused Labels. When: - ``undefined`` (default) provide suggestions as warnings to editors - ``true`` unused labels are ignored - ``false`` raises compiler errors about unused labels Labels are very rare in JavaScript and typically indicate an attempt to write an object literal:: function verifyAge(age: number) { // Forgot 'return' statement if (age > 18) { verified: true; // ^^^^^^^^ Unused label. } }
+        :param always_strict: (experimental) Ensures that your files are parsed in the ECMAScript strict mode, and emit “use strict” for each source file. Default: true
+        :param base_url: (experimental) Lets you set a base directory to resolve non-absolute module names. You can define a root folder where you can do absolute file resolution.
+        :param check_js: (experimental) Check JS. Works in tandem with `allowJs <https://www.typescriptlang.org/tsconfig#allowJs>`_. When checkJs is enabled then errors are reported in JavaScript files. This is the equivalent of including //
+        :param custom_conditions: (experimental) List of additional conditions that should succeed when TypeScript resolves from an ``exports`` or ``imports`` field of a ``package.json``. Default: undefined
+        :param declaration: (experimental) To be specified along with the above.
+        :param declaration_dir: (experimental) Offers a way to configure the root directory for where declaration files are emitted.
+        :param declaration_map: (experimental) Generates a source map for .d.ts files which map back to the original .ts source file. This will allow editors such as VS Code to go to the original .ts file when using features like Go to Definition.
+        :param downlevel_iteration: (experimental) Downleveling is TypeScript’s term for transpiling to an older version of JavaScript. This flag is to enable support for a more accurate implementation of how modern JavaScript iterates through new concepts in older JavaScript runtimes. ECMAScript 6 added several new iteration primitives: the for / of loop (for (el of arr)), Array spread ([a, ...b]), argument spread (fn(...args)), and Symbol.iterator. downlevelIteration allows for these iteration primitives to be used more accurately in ES5 environments if a Symbol.iterator implementation is present.
+        :param emit_declaration_only: (experimental) Only emit .d.ts files; do not emit .js files. Default: false
+        :param emit_decorator_metadata: (experimental) Enables experimental support for decorators, which is in stage 2 of the TC39 standardization process. Decorators are a language feature which hasn’t yet been fully ratified into the JavaScript specification. This means that the implementation version in TypeScript may differ from the implementation in JavaScript when it it decided by TC39. You can find out more about decorator support in TypeScript in the handbook. Default: undefined
+        :param es_module_interop: (experimental) Emit __importStar and __importDefault helpers for runtime babel ecosystem compatibility and enable --allowSyntheticDefaultImports for typesystem compatibility. Default: false
+        :param exact_optional_property_types: (experimental) Specifies that optional property types should be interpreted exactly as written, meaning that ``| undefined`` is not added to the type Available with TypeScript 4.4 and newer. Default: false
+        :param experimental_decorators: (experimental) Enables experimental support for decorators, which is in stage 2 of the TC39 standardization process. Default: true
+        :param force_consistent_casing_in_file_names: (experimental) Disallow inconsistently-cased references to the same file. Default: false
+        :param imports_not_used_as_values: (experimental) This flag works because you can use ``import type`` to explicitly create an ``import`` statement which should never be emitted into JavaScript. Default: "remove"
+        :param incremental: (experimental) Tells TypeScript to save information about the project graph from the last compilation to files stored on disk. This creates a series of .tsbuildinfo files in the same folder as your compilation output. They are not used by your JavaScript at runtime and can be safely deleted. You can read more about the flag in the 3.4 release notes.
+        :param inline_source_map: (experimental) When set, instead of writing out a .js.map file to provide source maps, TypeScript will embed the source map content in the .js files. Default: true
+        :param inline_sources: (experimental) When set, TypeScript will include the original content of the .ts file as an embedded string in the source map. This is often useful in the same cases as inlineSourceMap. Default: true
+        :param isolated_modules: (experimental) Perform additional checks to ensure that separate compilation (such as with transpileModule or. Default: false
+        :param jsx: (experimental) Support JSX in .tsx files: "react", "preserve", "react-native" etc. Default: undefined
+        :param jsx_import_source: (experimental) Declares the module specifier to be used for importing the jsx and jsxs factory functions when using jsx. Default: undefined
+        :param lib: (experimental) Reference for type definitions / libraries to use (eg. ES2016, ES5, ES2018). Default: [ "es2018" ]
+        :param module: (experimental) Sets the module system for the program. See https://www.typescriptlang.org/docs/handbook/modules.html#ambient-modules. Default: "CommonJS"
+        :param module_detection: (experimental) This setting controls how TypeScript determines whether a file is a `script or a module <https://www.typescriptlang.org/docs/handbook/modules/theory.html#scripts-and-modules-in-javascript>`_. Default: "auto"
+        :param module_resolution: (experimental) Determine how modules get resolved. Either "Node" for Node.js/io.js style resolution, or "Classic". Default: "node"
+        :param no_emit: (experimental) Do not emit outputs. Default: false
+        :param no_emit_on_error: (experimental) Do not emit compiler output files like JavaScript source code, source-maps or declarations if any errors were reported. Default: true
+        :param no_fallthrough_cases_in_switch: (experimental) Report errors for fallthrough cases in switch statements. Ensures that any non-empty case inside a switch statement includes either break or return. This means you won’t accidentally ship a case fallthrough bug. Default: true
+        :param no_implicit_any: (experimental) In some cases where no type annotations are present, TypeScript will fall back to a type of any for a variable when it cannot infer the type. Default: true
+        :param no_implicit_override: (experimental) Using ``noImplicitOverride``, you can ensure that sub-classes never go out of sync as they are required to explicitly declare that they are overriding a member using the ``override`` keyword. This also improves readability of the programmer's intent. Available with TypeScript 4.3 and newer. Default: false
+        :param no_implicit_returns: (experimental) When enabled, TypeScript will check all code paths in a function to ensure they return a value. Default: true
+        :param no_implicit_this: (experimental) Raise error on ‘this’ expressions with an implied ‘any’ type. Default: true
+        :param no_property_access_from_index_signature: (experimental) Raise error on use of the dot syntax to access fields which are not defined. Default: true
+        :param no_unchecked_indexed_access: (experimental) Raise error when accessing indexes on objects with unknown keys defined in index signatures. Default: true
+        :param no_unused_locals: (experimental) Report errors on unused local variables. Default: true
+        :param no_unused_parameters: (experimental) Report errors on unused parameters in functions. Default: true
+        :param out_dir: (experimental) Output directory for the compiled files.
+        :param paths: (experimental) A series of entries which re-map imports to lookup locations relative to the baseUrl, there is a larger coverage of paths in the handbook. paths lets you declare how TypeScript should resolve an import in your require/imports.
+        :param resolve_json_module: (experimental) Allows importing modules with a ‘.json’ extension, which is a common practice in node projects. This includes generating a type for the import based on the static JSON shape. Default: true
+        :param resolve_package_json_exports: (experimental) Forces TypeScript to consult the ``exports`` field of ``package.json`` files if it ever reads from a package in ``node_modules``. Default: true
+        :param resolve_package_json_imports: (experimental) Forces TypeScript to consult the ``imports`` field of ``package.json`` when performing a lookup that begins with ``#`` from a file that has a ``package.json`` as an ancestor. Default: undefined
+        :param root_dir: (experimental) Specifies the root directory of input files. Only use to control the output directory structure with ``outDir``.
+        :param skip_lib_check: (experimental) Skip type checking of all declaration files (*.d.ts). Default: false
+        :param source_map: (experimental) Enables the generation of sourcemap files. Default: undefined
+        :param source_root: (experimental) Specify the location where a debugger should locate TypeScript files instead of relative source locations. Default: undefined
+        :param strict: (experimental) The strict flag enables a wide range of type checking behavior that results in stronger guarantees of program correctness. Turning this on is equivalent to enabling all of the strict mode family options, which are outlined below. You can then turn off individual strict mode family checks as needed. Default: true
+        :param strict_null_checks: (experimental) When strictNullChecks is false, null and undefined are effectively ignored by the language. This can lead to unexpected errors at runtime. When strictNullChecks is true, null and undefined have their own distinct types and you’ll get a type error if you try to use them where a concrete value is expected. Default: true
+        :param strict_property_initialization: (experimental) When set to true, TypeScript will raise an error when a class property was declared but not set in the constructor. Default: true
+        :param strip_internal: (experimental) Do not emit declarations for code that has an ``@internal`` annotation in it’s JSDoc comment. Default: true
+        :param target: (experimental) Modern browsers support all ES6 features, so ES6 is a good choice. You might choose to set a lower target if your code is deployed to older environments, or a higher target if your code is guaranteed to run in newer environments. Default: "ES2018"
+        :param ts_build_info_file: (experimental) This setting lets you specify a file for storing incremental compilation information as a part of composite projects which enables faster building of larger TypeScript codebases. You can read more about composite projects in the handbook.
+        :param type_roots: (experimental) If typeRoots is specified, only packages under typeRoots will be included.
+        :param types: (experimental) If types is specified, only packages listed will be included in the global scope.
+        :param use_unknown_in_catch_variables: (experimental) Change the type of the variable in a catch clause from any to unknown Available with TypeScript 4.4 and newer. Default: true
+        :param verbatim_module_syntax: (experimental) Simplifies TypeScript's handling of import/export ``type`` modifiers. Default: undefined
+
+        :see: TypeScriptCompilerOptions
+        :stability: experimental
+        '''
+        config = _TypeScriptCompilerOptions_829fc4b0(
+            allow_arbitrary_extensions=allow_arbitrary_extensions,
+            allow_importing_ts_extensions=allow_importing_ts_extensions,
+            allow_js=allow_js,
+            allow_synthetic_default_imports=allow_synthetic_default_imports,
+            allow_unreachable_code=allow_unreachable_code,
+            allow_unused_labels=allow_unused_labels,
+            always_strict=always_strict,
+            base_url=base_url,
+            check_js=check_js,
+            custom_conditions=custom_conditions,
+            declaration=declaration,
+            declaration_dir=declaration_dir,
+            declaration_map=declaration_map,
+            downlevel_iteration=downlevel_iteration,
+            emit_declaration_only=emit_declaration_only,
+            emit_decorator_metadata=emit_decorator_metadata,
+            es_module_interop=es_module_interop,
+            exact_optional_property_types=exact_optional_property_types,
+            experimental_decorators=experimental_decorators,
+            force_consistent_casing_in_file_names=force_consistent_casing_in_file_names,
+            imports_not_used_as_values=imports_not_used_as_values,
+            incremental=incremental,
+            inline_source_map=inline_source_map,
+            inline_sources=inline_sources,
+            isolated_modules=isolated_modules,
+            jsx=jsx,
+            jsx_import_source=jsx_import_source,
+            lib=lib,
+            module=module,
+            module_detection=module_detection,
+            module_resolution=module_resolution,
+            no_emit=no_emit,
+            no_emit_on_error=no_emit_on_error,
+            no_fallthrough_cases_in_switch=no_fallthrough_cases_in_switch,
+            no_implicit_any=no_implicit_any,
+            no_implicit_override=no_implicit_override,
+            no_implicit_returns=no_implicit_returns,
+            no_implicit_this=no_implicit_this,
+            no_property_access_from_index_signature=no_property_access_from_index_signature,
+            no_unchecked_indexed_access=no_unchecked_indexed_access,
+            no_unused_locals=no_unused_locals,
+            no_unused_parameters=no_unused_parameters,
+            out_dir=out_dir,
+            paths=paths,
+            resolve_json_module=resolve_json_module,
+            resolve_package_json_exports=resolve_package_json_exports,
+            resolve_package_json_imports=resolve_package_json_imports,
+            root_dir=root_dir,
+            skip_lib_check=skip_lib_check,
+            source_map=source_map,
+            source_root=source_root,
+            strict=strict,
+            strict_null_checks=strict_null_checks,
+            strict_property_initialization=strict_property_initialization,
+            strip_internal=strip_internal,
+            target=target,
+            ts_build_info_file=ts_build_info_file,
+            type_roots=type_roots,
+            types=types,
+            use_unknown_in_catch_variables=use_unknown_in_catch_variables,
+            verbatim_module_syntax=verbatim_module_syntax,
         )
 
         return typing.cast("TsJestTsconfig", jsii.sinvoke(cls, "custom", [config]))
@@ -812,8 +1004,13 @@ class TypeScriptProject(
         typescript_version: typing.Optional[builtins.str] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -875,6 +1072,7 @@ class TypeScriptProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -887,9 +1085,11 @@ class TypeScriptProject(
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -901,9 +1101,11 @@ class TypeScriptProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -911,12 +1113,14 @@ class TypeScriptProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -942,7 +1146,7 @@ class TypeScriptProject(
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -957,13 +1161,18 @@ class TypeScriptProject(
         :param typescript_version: (experimental) TypeScript version to use. NOTE: Typescript is not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~1.2.3``). Default: "latest"
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -973,14 +1182,14 @@ class TypeScriptProject(
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -990,8 +1199,8 @@ class TypeScriptProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -1020,6 +1229,7 @@ class TypeScriptProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -1029,26 +1239,30 @@ class TypeScriptProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -1056,15 +1270,17 @@ class TypeScriptProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -1104,8 +1320,13 @@ class TypeScriptProject(
             typescript_version=typescript_version,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
+            build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
             bundler_options=bundler_options,
             check_licenses=check_licenses,
@@ -1167,6 +1388,7 @@ class TypeScriptProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -1179,9 +1401,11 @@ class TypeScriptProject(
             max_node_version=max_node_version,
             min_node_version=min_node_version,
             npm_access=npm_access,
+            npm_provenance=npm_provenance,
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -1193,9 +1417,11 @@ class TypeScriptProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -1203,12 +1429,14 @@ class TypeScriptProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -1231,6 +1459,16 @@ class TypeScriptProject(
 
         jsii.create(self.__class__, self, [options])
 
+    @jsii.member(jsii_name="defaultTypeScriptCompilerOptions")
+    def _default_type_script_compiler_options(
+        self,
+    ) -> _TypeScriptCompilerOptions_829fc4b0:
+        '''(experimental) Projen default Typescript compiler options.
+
+        :stability: experimental
+        '''
+        return typing.cast(_TypeScriptCompilerOptions_829fc4b0, jsii.invoke(self, "defaultTypeScriptCompilerOptions", []))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="DEFAULT_TS_JEST_TRANFORM_PATTERN")
     def DEFAULT_TS_JEST_TRANFORM_PATTERN(cls) -> builtins.str:
@@ -1368,6 +1606,7 @@ class TypeScriptProject(
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -1380,9 +1619,11 @@ class TypeScriptProject(
         "max_node_version": "maxNodeVersion",
         "min_node_version": "minNodeVersion",
         "npm_access": "npmAccess",
+        "npm_provenance": "npmProvenance",
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -1394,9 +1635,11 @@ class TypeScriptProject(
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -1404,12 +1647,14 @@ class TypeScriptProject(
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -1418,8 +1663,13 @@ class TypeScriptProject(
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
+        "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
         "bundler_options": "bundlerOptions",
         "check_licenses": "checkLicenses",
@@ -1517,6 +1767,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -1529,9 +1780,11 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1543,9 +1796,11 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -1553,12 +1808,14 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -1567,8 +1824,13 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1662,6 +1924,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -1671,26 +1934,30 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -1698,27 +1965,34 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -1728,14 +2002,14 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -1745,15 +2019,15 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param disable_tsconfig: (experimental) Do not generate a ``tsconfig.json`` file (used by jsii projects since tsconfig.json is generated by the jsii compiler). Default: false
         :param disable_tsconfig_dev: (experimental) Do not generate a ``tsconfig.dev.json`` file. Default: false
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -1799,6 +2073,12 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
+        if isinstance(build_workflow_options, dict):
+            build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
             build_workflow_triggers = _Triggers_e9ae7617(**build_workflow_triggers)
         if isinstance(bundler_options, dict):
@@ -1870,6 +2150,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -1882,9 +2163,11 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             check_type(argname="argument max_node_version", value=max_node_version, expected_type=type_hints["max_node_version"])
             check_type(argname="argument min_node_version", value=min_node_version, expected_type=type_hints["min_node_version"])
             check_type(argname="argument npm_access", value=npm_access, expected_type=type_hints["npm_access"])
+            check_type(argname="argument npm_provenance", value=npm_provenance, expected_type=type_hints["npm_provenance"])
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -1896,9 +2179,11 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -1906,12 +2191,14 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -1920,8 +2207,13 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
+            check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
             check_type(argname="argument bundler_options", value=bundler_options, expected_type=type_hints["bundler_options"])
             check_type(argname="argument check_licenses", value=check_licenses, expected_type=type_hints["check_licenses"])
@@ -2054,6 +2346,8 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -2078,12 +2372,16 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             self._values["min_node_version"] = min_node_version
         if npm_access is not None:
             self._values["npm_access"] = npm_access
+        if npm_provenance is not None:
+            self._values["npm_provenance"] = npm_provenance
         if npm_registry is not None:
             self._values["npm_registry"] = npm_registry
         if npm_registry_url is not None:
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -2106,12 +2404,16 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -2126,6 +2428,8 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -2138,6 +2442,8 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -2152,10 +2458,20 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
+        if build_workflow_options is not None:
+            self._values["build_workflow_options"] = build_workflow_options
         if build_workflow_triggers is not None:
             self._values["build_workflow_triggers"] = build_workflow_triggers
         if bundler_options is not None:
@@ -2725,6 +3041,17 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -2859,9 +3186,15 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
 
-        :default: - no max
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
+
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -2870,9 +3203,19 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
+
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
 
-        :default: - no "engines" specified
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -2894,6 +3237,24 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("npm_access")
         return typing.cast(typing.Optional[_NpmAccess_134fa228], result)
 
+    @builtins.property
+    def npm_provenance(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Should provenance statements be generated when the package is published.
+
+        A supported package manager is required to publish a package with npm provenance statements and
+        you will need to use a supported CI/CD provider.
+
+        Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages,
+        which is using npm internally and supports provenance statements independently of the package manager used.
+
+        :default: - true for public packages, false otherwise
+
+        :see: https://docs.npmjs.com/generating-provenance-statements
+        :stability: experimental
+        '''
+        result = self._values.get("npm_provenance")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def npm_registry(self) -> typing.Optional[builtins.str]:
         '''(deprecated) The host name of the npm registry to publish to.
@@ -2931,6 +3292,17 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -2994,7 +3366,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -3071,6 +3443,19 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -3112,6 +3497,36 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -3207,6 +3622,23 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -3284,6 +3716,19 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -3310,7 +3755,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -3379,6 +3824,32 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -3392,6 +3863,28 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -3403,13 +3896,24 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
         result = self._values.get("build_workflow")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def build_workflow_options(self) -> typing.Optional[_BuildWorkflowOptions_b756f97f]:
+        '''(experimental) Options for PR build workflow.
+
+        :stability: experimental
+        '''
+        result = self._values.get("build_workflow_options")
+        return typing.cast(typing.Optional[_BuildWorkflowOptions_b756f97f], result)
+
     @builtins.property
     def build_workflow_triggers(self) -> typing.Optional[_Triggers_e9ae7617]:
-        '''(experimental) Build workflow triggers.
+        '''(deprecated) Build workflow triggers.
 
         :default: "{ pullRequest: {}, workflowDispatch: {} }"
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.workflowTriggers``
+
+        :stability: deprecated
         '''
         result = self._values.get("build_workflow_triggers")
         return typing.cast(typing.Optional[_Triggers_e9ae7617], result)
@@ -3438,7 +3942,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -3449,9 +3953,9 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -3563,7 +4067,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
 
     @builtins.property
     def mutable_build(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Automatically update files modified during builds to pull-request branches.
+        '''(deprecated) Automatically update files modified during builds to pull-request branches.
 
         This means
         that any files synthesized by projen or e.g. test snapshots will always be up-to-date
@@ -3573,7 +4077,9 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
 
         :default: true
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.mutableBuild``
+
+        :stability: deprecated
         '''
         result = self._values.get("mutable_build")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -3646,7 +4152,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
     def projen_dev_dependency(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Indicates of "projen" should be installed as a devDependency.
 
-        :default: true
+        :default: - true if not a subproject
 
         :stability: experimental
         '''
@@ -3762,7 +4268,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -3771,9 +4277,11 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
+
+        Always use this option if your GitHub Actions workflows require a specific to run.
 
-        :default: - same as ``minNodeVersion``
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -3850,7 +4358,7 @@ class TypeScriptProjectOptions(_NodeProjectOptions_d12f6f3b):
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -4061,8 +4569,13 @@ class TypeScriptAppProject(
         typescript_version: typing.Optional[builtins.str] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -4124,6 +4637,7 @@ class TypeScriptAppProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -4136,9 +4650,11 @@ class TypeScriptAppProject(
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -4150,9 +4666,11 @@ class TypeScriptAppProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -4160,12 +4678,14 @@ class TypeScriptAppProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -4191,7 +4711,7 @@ class TypeScriptAppProject(
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -4206,13 +4726,18 @@ class TypeScriptAppProject(
         :param typescript_version: (experimental) TypeScript version to use. NOTE: Typescript is not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~1.2.3``). Default: "latest"
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -4222,14 +4747,14 @@ class TypeScriptAppProject(
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -4239,8 +4764,8 @@ class TypeScriptAppProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -4269,6 +4794,7 @@ class TypeScriptAppProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -4278,26 +4804,30 @@ class TypeScriptAppProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -4305,15 +4835,17 @@ class TypeScriptAppProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -4353,8 +4885,13 @@ class TypeScriptAppProject(
             typescript_version=typescript_version,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
+            build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
             bundler_options=bundler_options,
             check_licenses=check_licenses,
@@ -4416,6 +4953,7 @@ class TypeScriptAppProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -4428,9 +4966,11 @@ class TypeScriptAppProject(
             max_node_version=max_node_version,
             min_node_version=min_node_version,
             npm_access=npm_access,
+            npm_provenance=npm_provenance,
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -4442,9 +4982,11 @@ class TypeScriptAppProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -4452,12 +4994,14 @@ class TypeScriptAppProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -4515,8 +5059,13 @@ class TypeScriptLibraryProject(
         typescript_version: typing.Optional[builtins.str] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -4578,6 +5127,7 @@ class TypeScriptLibraryProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -4590,9 +5140,11 @@ class TypeScriptLibraryProject(
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -4604,9 +5156,11 @@ class TypeScriptLibraryProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -4614,12 +5168,14 @@ class TypeScriptLibraryProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -4645,7 +5201,7 @@ class TypeScriptLibraryProject(
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -4660,13 +5216,18 @@ class TypeScriptLibraryProject(
         :param typescript_version: (experimental) TypeScript version to use. NOTE: Typescript is not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~1.2.3``). Default: "latest"
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -4676,14 +5237,14 @@ class TypeScriptLibraryProject(
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -4693,8 +5254,8 @@ class TypeScriptLibraryProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -4723,6 +5284,7 @@ class TypeScriptLibraryProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -4732,26 +5294,30 @@ class TypeScriptLibraryProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -4759,15 +5325,17 @@ class TypeScriptLibraryProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -4807,8 +5375,13 @@ class TypeScriptLibraryProject(
             typescript_version=typescript_version,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
+            build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
             bundler_options=bundler_options,
             check_licenses=check_licenses,
@@ -4870,6 +5443,7 @@ class TypeScriptLibraryProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -4882,9 +5456,11 @@ class TypeScriptLibraryProject(
             max_node_version=max_node_version,
             min_node_version=min_node_version,
             npm_access=npm_access,
+            npm_provenance=npm_provenance,
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -4896,9 +5472,11 @@ class TypeScriptLibraryProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -4906,12 +5484,14 @@ class TypeScriptLibraryProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -4978,6 +5558,7 @@ class TypeScriptLibraryProject(
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -4990,9 +5571,11 @@ class TypeScriptLibraryProject(
         "max_node_version": "maxNodeVersion",
         "min_node_version": "minNodeVersion",
         "npm_access": "npmAccess",
+        "npm_provenance": "npmProvenance",
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -5004,9 +5587,11 @@ class TypeScriptLibraryProject(
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -5014,12 +5599,14 @@ class TypeScriptLibraryProject(
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -5028,8 +5615,13 @@ class TypeScriptLibraryProject(
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
+        "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
         "bundler_options": "bundlerOptions",
         "check_licenses": "checkLicenses",
@@ -5127,6 +5719,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -5139,9 +5732,11 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5153,9 +5748,11 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -5163,12 +5760,14 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -5177,8 +5776,13 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5272,6 +5876,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -5281,26 +5886,30 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -5308,27 +5917,34 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -5338,14 +5954,14 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -5355,15 +5971,15 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param disable_tsconfig: (experimental) Do not generate a ``tsconfig.json`` file (used by jsii projects since tsconfig.json is generated by the jsii compiler). Default: false
         :param disable_tsconfig_dev: (experimental) Do not generate a ``tsconfig.dev.json`` file. Default: false
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -5411,6 +6027,12 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
+        if isinstance(build_workflow_options, dict):
+            build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
             build_workflow_triggers = _Triggers_e9ae7617(**build_workflow_triggers)
         if isinstance(bundler_options, dict):
@@ -5482,6 +6104,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -5494,9 +6117,11 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             check_type(argname="argument max_node_version", value=max_node_version, expected_type=type_hints["max_node_version"])
             check_type(argname="argument min_node_version", value=min_node_version, expected_type=type_hints["min_node_version"])
             check_type(argname="argument npm_access", value=npm_access, expected_type=type_hints["npm_access"])
+            check_type(argname="argument npm_provenance", value=npm_provenance, expected_type=type_hints["npm_provenance"])
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -5508,9 +6133,11 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -5518,12 +6145,14 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -5532,8 +6161,13 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
+            check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
             check_type(argname="argument bundler_options", value=bundler_options, expected_type=type_hints["bundler_options"])
             check_type(argname="argument check_licenses", value=check_licenses, expected_type=type_hints["check_licenses"])
@@ -5666,6 +6300,8 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -5690,12 +6326,16 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             self._values["min_node_version"] = min_node_version
         if npm_access is not None:
             self._values["npm_access"] = npm_access
+        if npm_provenance is not None:
+            self._values["npm_provenance"] = npm_provenance
         if npm_registry is not None:
             self._values["npm_registry"] = npm_registry
         if npm_registry_url is not None:
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -5718,12 +6358,16 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -5738,6 +6382,8 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -5750,6 +6396,8 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -5764,10 +6412,20 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
+        if build_workflow_options is not None:
+            self._values["build_workflow_options"] = build_workflow_options
         if build_workflow_triggers is not None:
             self._values["build_workflow_triggers"] = build_workflow_triggers
         if bundler_options is not None:
@@ -6337,6 +6995,17 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -6471,9 +7140,15 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
 
-        :default: - no max
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -6482,9 +7157,19 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
 
-        :default: - no "engines" specified
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
+
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
+
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -6506,6 +7191,24 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("npm_access")
         return typing.cast(typing.Optional[_NpmAccess_134fa228], result)
 
+    @builtins.property
+    def npm_provenance(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Should provenance statements be generated when the package is published.
+
+        A supported package manager is required to publish a package with npm provenance statements and
+        you will need to use a supported CI/CD provider.
+
+        Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages,
+        which is using npm internally and supports provenance statements independently of the package manager used.
+
+        :default: - true for public packages, false otherwise
+
+        :see: https://docs.npmjs.com/generating-provenance-statements
+        :stability: experimental
+        '''
+        result = self._values.get("npm_provenance")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def npm_registry(self) -> typing.Optional[builtins.str]:
         '''(deprecated) The host name of the npm registry to publish to.
@@ -6543,6 +7246,17 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -6606,7 +7320,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -6683,6 +7397,19 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -6724,6 +7451,36 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -6819,6 +7576,23 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -6896,6 +7670,19 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -6922,7 +7709,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -6991,6 +7778,32 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -7004,6 +7817,28 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -7015,13 +7850,24 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
         result = self._values.get("build_workflow")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def build_workflow_options(self) -> typing.Optional[_BuildWorkflowOptions_b756f97f]:
+        '''(experimental) Options for PR build workflow.
+
+        :stability: experimental
+        '''
+        result = self._values.get("build_workflow_options")
+        return typing.cast(typing.Optional[_BuildWorkflowOptions_b756f97f], result)
+
     @builtins.property
     def build_workflow_triggers(self) -> typing.Optional[_Triggers_e9ae7617]:
-        '''(experimental) Build workflow triggers.
+        '''(deprecated) Build workflow triggers.
 
         :default: "{ pullRequest: {}, workflowDispatch: {} }"
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.workflowTriggers``
+
+        :stability: deprecated
         '''
         result = self._values.get("build_workflow_triggers")
         return typing.cast(typing.Optional[_Triggers_e9ae7617], result)
@@ -7050,7 +7896,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -7061,9 +7907,9 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -7175,7 +8021,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
 
     @builtins.property
     def mutable_build(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Automatically update files modified during builds to pull-request branches.
+        '''(deprecated) Automatically update files modified during builds to pull-request branches.
 
         This means
         that any files synthesized by projen or e.g. test snapshots will always be up-to-date
@@ -7185,7 +8031,9 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
 
         :default: true
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.mutableBuild``
+
+        :stability: deprecated
         '''
         result = self._values.get("mutable_build")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -7258,7 +8106,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
     def projen_dev_dependency(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Indicates of "projen" should be installed as a devDependency.
 
-        :default: true
+        :default: - true if not a subproject
 
         :stability: experimental
         '''
@@ -7374,7 +8222,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -7383,9 +8231,11 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
+
+        Always use this option if your GitHub Actions workflows require a specific to run.
 
-        :default: - same as ``minNodeVersion``
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -7462,7 +8312,7 @@ class TypeScriptLibraryProjectOptions(TypeScriptProjectOptions):
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -7763,6 +8613,7 @@ def _typecheckingstub__a914f27f5d915b07b8847d407b03b08cab2aad7b213973084a9026526
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -7775,9 +8626,11 @@ def _typecheckingstub__a914f27f5d915b07b8847d407b03b08cab2aad7b213973084a9026526
     max_node_version: typing.Optional[builtins.str] = None,
     min_node_version: typing.Optional[builtins.str] = None,
     npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+    npm_provenance: typing.Optional[builtins.bool] = None,
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -7789,9 +8642,11 @@ def _typecheckingstub__a914f27f5d915b07b8847d407b03b08cab2aad7b213973084a9026526
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -7799,12 +8654,14 @@ def _typecheckingstub__a914f27f5d915b07b8847d407b03b08cab2aad7b213973084a9026526
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -7813,8 +8670,13 @@ def _typecheckingstub__a914f27f5d915b07b8847d407b03b08cab2aad7b213973084a9026526
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
+    build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
     bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
     check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -7918,6 +8780,7 @@ def _typecheckingstub__ac162883b4ecfe9863890d69bffa76d7f9ce16e619c94b9b2a4b7b8f2
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -7930,9 +8793,11 @@ def _typecheckingstub__ac162883b4ecfe9863890d69bffa76d7f9ce16e619c94b9b2a4b7b8f2
     max_node_version: typing.Optional[builtins.str] = None,
     min_node_version: typing.Optional[builtins.str] = None,
     npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+    npm_provenance: typing.Optional[builtins.bool] = None,
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -7944,9 +8809,11 @@ def _typecheckingstub__ac162883b4ecfe9863890d69bffa76d7f9ce16e619c94b9b2a4b7b8f2
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -7954,12 +8821,14 @@ def _typecheckingstub__ac162883b4ecfe9863890d69bffa76d7f9ce16e619c94b9b2a4b7b8f2
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -7968,8 +8837,13 @@ def _typecheckingstub__ac162883b4ecfe9863890d69bffa76d7f9ce16e619c94b9b2a4b7b8f2
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
+    build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
     bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
     check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,