projen 0.79.4__py3-none-any.whl → 0.98.25__py3-none-any.whl

projen/cdk/__init__.py

@@ -1,3 +1,6 @@
+from pkgutil import extend_path
+__path__ = extend_path(__path__, __name__)
+
 import abc
 import builtins
 import datetime
@@ -8,10 +11,26 @@ import jsii
 import publication
 import typing_extensions
 
-from typeguard import check_type
+import typeguard
+from importlib.metadata import version as _metadata_package_version
+TYPEGUARD_MAJOR_VERSION = int(_metadata_package_version('typeguard').split('.')[0])
+
+def check_type(argname: str, value: object, expected_type: typing.Any) -> typing.Any:
+    if TYPEGUARD_MAJOR_VERSION <= 2:
+        return typeguard.check_type(argname=argname, value=value, expected_type=expected_type) # type:ignore
+    else:
+        if isinstance(value, jsii._reference_map.InterfaceDynamicProxy): # pyright: ignore [reportAttributeAccessIssue]
+           pass
+        else:
+            if TYPEGUARD_MAJOR_VERSION == 3:
+                typeguard.config.collection_check_strategy = typeguard.CollectionCheckStrategy.ALL_ITEMS # type:ignore
+                typeguard.check_type(value=value, expected_type=expected_type) # type:ignore
+            else:
+                typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore
 
 from .._jsii import *
 
+import constructs as _constructs_77d1e7e8
 from .. import (
     Component as _Component_2b0ad27f,
     GitOptions as _GitOptions_a65916a3,
@@ -42,9 +61,11 @@ from ..github.workflows import (
     Triggers as _Triggers_e9ae7617,
 )
 from ..javascript import (
+    AuditOptions as _AuditOptions_429c62df,
+    BiomeOptions as _BiomeOptions_452ab984,
+    BuildWorkflowOptions as _BuildWorkflowOptions_b756f97f,
     BundlerOptions as _BundlerOptions_d60b85ed,
     CodeArtifactOptions as _CodeArtifactOptions_e4782b3e,
-    Eslint as _Eslint_b3991f7f,
     EslintOptions as _EslintOptions_824f60bb,
     JestOptions as _JestOptions_a085f64e,
     LicenseCheckerOptions as _LicenseCheckerOptions_80bcd362,
@@ -60,6 +81,7 @@ from ..javascript import (
 )
 from ..release import (
     BranchOptions as _BranchOptions_13663d08,
+    CodeArtifactOptions as _CodeArtifactOptions_7236977a,
     GoPublishOptions as _GoPublishOptions_d6430d61,
     MavenPublishOptions as _MavenPublishOptions_43a9e42a,
     NugetPublishOptions as _NugetPublishOptions_32e8bf09,
@@ -495,7 +517,11 @@ class IntegrationTestBaseOptions:
         )
 
 
-class JsiiDocgen(metaclass=jsii.JSIIMeta, jsii_type="projen.cdk.JsiiDocgen"):
+class JsiiDocgen(
+    _Component_2b0ad27f,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="projen.cdk.JsiiDocgen",
+):
     '''(experimental) Creates a markdown file based on the jsii manifest: - Adds a ``docgen`` script to package.json - Runs ``jsii-docgen`` after compilation - Enforces that markdown file is checked in.
 
     :stability: experimental
@@ -503,43 +529,54 @@ class JsiiDocgen(metaclass=jsii.JSIIMeta, jsii_type="projen.cdk.JsiiDocgen"):
 
     def __init__(
         self,
-        project: "JsiiProject",
+        scope: _constructs_77d1e7e8.IConstruct,
         *,
         file_path: typing.Optional[builtins.str] = None,
+        version: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
-        :param project: -
+        :param scope: -
         :param file_path: (experimental) File path for generated docs. Default: "API.md"
+        :param version: (experimental) A semver version string to install a specific version of jsii-docgen. Default: '*'
 
         :stability: experimental
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f43e86fe0c2ba3f9132dc6d6f6592f6259d782833b3aee12cbd3d41e8d3a035a)
-            check_type(argname="argument project", value=project, expected_type=type_hints["project"])
-        options = JsiiDocgenOptions(file_path=file_path)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+        options = JsiiDocgenOptions(file_path=file_path, version=version)
 
-        jsii.create(self.__class__, self, [project, options])
+        jsii.create(self.__class__, self, [scope, options])
 
 
 @jsii.data_type(
     jsii_type="projen.cdk.JsiiDocgenOptions",
     jsii_struct_bases=[],
-    name_mapping={"file_path": "filePath"},
+    name_mapping={"file_path": "filePath", "version": "version"},
 )
 class JsiiDocgenOptions:
-    def __init__(self, *, file_path: typing.Optional[builtins.str] = None) -> None:
+    def __init__(
+        self,
+        *,
+        file_path: typing.Optional[builtins.str] = None,
+        version: typing.Optional[builtins.str] = None,
+    ) -> None:
         '''(experimental) Options for ``JsiiDocgen``.
 
         :param file_path: (experimental) File path for generated docs. Default: "API.md"
+        :param version: (experimental) A semver version string to install a specific version of jsii-docgen. Default: '*'
 
         :stability: experimental
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__2f3fb088da3cc3de21fe4de98d7c818b3cbd2a2139fba0682367f39bd3af95be)
             check_type(argname="argument file_path", value=file_path, expected_type=type_hints["file_path"])
+            check_type(argname="argument version", value=version, expected_type=type_hints["version"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if file_path is not None:
             self._values["file_path"] = file_path
+        if version is not None:
+            self._values["version"] = version
 
     @builtins.property
     def file_path(self) -> typing.Optional[builtins.str]:
@@ -552,6 +589,17 @@ class JsiiDocgenOptions:
         result = self._values.get("file_path")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A semver version string to install a specific version of jsii-docgen.
+
+        :default: '*'
+
+        :stability: experimental
+        '''
+        result = self._values.get("version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -568,11 +616,14 @@ class JsiiDocgenOptions:
     jsii_type="projen.cdk.JsiiDotNetTarget",
     jsii_struct_bases=[_NugetPublishOptions_32e8bf09],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
         "nuget_api_key_secret": "nugetApiKeySecret",
         "nuget_server": "nugetServer",
+        "nuget_username_secret": "nugetUsernameSecret",
+        "trusted_publishing": "trustedPublishing",
         "dot_net_namespace": "dotNetNamespace",
         "package_id": "packageId",
         "icon_url": "iconUrl",
@@ -582,21 +633,27 @@ class JsiiDotNetTarget(_NugetPublishOptions_32e8bf09):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
         nuget_api_key_secret: typing.Optional[builtins.str] = None,
         nuget_server: typing.Optional[builtins.str] = None,
+        nuget_username_secret: typing.Optional[builtins.str] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
         dot_net_namespace: builtins.str,
         package_id: builtins.str,
         icon_url: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
         :param nuget_api_key_secret: (experimental) GitHub secret which contains the API key for NuGet. Default: "NUGET_API_KEY"
         :param nuget_server: (experimental) NuGet Server URL (defaults to nuget.org).
+        :param nuget_username_secret: (experimental) The NuGet.org username (profile name, not email address) for trusted publisher authentication. Required when using trusted publishing. Default: "NUGET_USERNAME"
+        :param trusted_publishing: (experimental) Use NuGet trusted publishing instead of API keys. Needs to be setup in NuGet.org.
         :param dot_net_namespace: 
         :param package_id: 
         :param icon_url: 
@@ -607,11 +664,14 @@ class JsiiDotNetTarget(_NugetPublishOptions_32e8bf09):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e809c6916d6d93bf1e91d05e4a79f49eb72f74bccaceeb6a508a3005bb5ec7b5)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
             check_type(argname="argument nuget_api_key_secret", value=nuget_api_key_secret, expected_type=type_hints["nuget_api_key_secret"])
             check_type(argname="argument nuget_server", value=nuget_server, expected_type=type_hints["nuget_server"])
+            check_type(argname="argument nuget_username_secret", value=nuget_username_secret, expected_type=type_hints["nuget_username_secret"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
             check_type(argname="argument dot_net_namespace", value=dot_net_namespace, expected_type=type_hints["dot_net_namespace"])
             check_type(argname="argument package_id", value=package_id, expected_type=type_hints["package_id"])
             check_type(argname="argument icon_url", value=icon_url, expected_type=type_hints["icon_url"])
@@ -619,6 +679,8 @@ class JsiiDotNetTarget(_NugetPublishOptions_32e8bf09):
             "dot_net_namespace": dot_net_namespace,
             "package_id": package_id,
         }
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -629,9 +691,29 @@ class JsiiDotNetTarget(_NugetPublishOptions_32e8bf09):
             self._values["nuget_api_key_secret"] = nuget_api_key_secret
         if nuget_server is not None:
             self._values["nuget_server"] = nuget_server
+        if nuget_username_secret is not None:
+            self._values["nuget_username_secret"] = nuget_username_secret
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
         if icon_url is not None:
             self._values["icon_url"] = icon_url
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -648,7 +730,7 @@ class JsiiDotNetTarget(_NugetPublishOptions_32e8bf09):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -691,6 +773,31 @@ class JsiiDotNetTarget(_NugetPublishOptions_32e8bf09):
         result = self._values.get("nuget_server")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def nuget_username_secret(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The NuGet.org username (profile name, not email address) for trusted publisher authentication.
+
+        Required when using trusted publishing.
+
+        :default: "NUGET_USERNAME"
+
+        :stability: experimental
+        '''
+        result = self._values.get("nuget_username_secret")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use NuGet trusted publishing instead of API keys.
+
+        Needs to be setup in NuGet.org.
+
+        :see: https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def dot_net_namespace(self) -> builtins.str:
         '''
@@ -733,54 +840,57 @@ class JsiiDotNetTarget(_NugetPublishOptions_32e8bf09):
     jsii_type="projen.cdk.JsiiGoTarget",
     jsii_struct_bases=[_GoPublishOptions_d6430d61],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
         "git_branch": "gitBranch",
         "git_commit_message": "gitCommitMessage",
         "github_deploy_key_secret": "githubDeployKeySecret",
-        "github_repo": "githubRepo",
         "github_token_secret": "githubTokenSecret",
         "github_use_ssh": "githubUseSsh",
         "git_user_email": "gitUserEmail",
         "git_user_name": "gitUserName",
         "module_name": "moduleName",
         "package_name": "packageName",
+        "version_suffix": "versionSuffix",
     },
 )
 class JsiiGoTarget(_GoPublishOptions_d6430d61):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
         git_branch: typing.Optional[builtins.str] = None,
         git_commit_message: typing.Optional[builtins.str] = None,
         github_deploy_key_secret: typing.Optional[builtins.str] = None,
-        github_repo: typing.Optional[builtins.str] = None,
         github_token_secret: typing.Optional[builtins.str] = None,
         github_use_ssh: typing.Optional[builtins.bool] = None,
         git_user_email: typing.Optional[builtins.str] = None,
         git_user_name: typing.Optional[builtins.str] = None,
         module_name: builtins.str,
         package_name: typing.Optional[builtins.str] = None,
+        version_suffix: typing.Optional[builtins.str] = None,
     ) -> None:
         '''(experimental) Go target configuration.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
         :param git_branch: (experimental) Branch to push to. Default: "main"
         :param git_commit_message: (experimental) The commit message. Default: "chore(release): $VERSION"
         :param github_deploy_key_secret: (experimental) The name of the secret that includes a GitHub deploy key used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``false``. Default: "GO_GITHUB_DEPLOY_KEY"
-        :param github_repo: (experimental) GitHub repository to push to. Default: - derived from ``moduleName``
         :param github_token_secret: (experimental) The name of the secret that includes a personal GitHub access token used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``true``. Default: "GO_GITHUB_TOKEN"
         :param github_use_ssh: (experimental) Use SSH to push to GitHub instead of a personal accses token. Default: false
-        :param git_user_email: (experimental) The email to use in the release git commit. Default: "github-actions@github.com"
-        :param git_user_name: (experimental) The user name to use for the release git commit. Default: "github-actions"
-        :param module_name: (experimental) The name of the target go module.
-        :param package_name: (experimental) The name of the go package. Default: - derived from the module name
+        :param git_user_email: (experimental) The email to use in the release git commit. Default: - default GitHub Actions user email
+        :param git_user_name: (experimental) The user name to use for the release git commit. Default: - default GitHub Actions user name
+        :param module_name: (experimental) The name of the target repository in which this module will be published (e.g. github.com/owner/repo). The module itself will always be published under a subdirectory named according to the ``packageName`` of the module (e.g. github.com/foo/bar/pkg).
+        :param package_name: (experimental) The name of the Go package name. If not specified, package name will be derived from the JavaScript module name by removing non-alphanumeric characters (e.g. Default: - derived from the JavaScript module name
+        :param version_suffix: (experimental) A suffix appended at the end of the module version (e.g ``"-devprefix"``). Default: - none
 
         :stability: experimental
         '''
@@ -788,22 +898,25 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b0ea0b1537651364353b8d1546fea1d78af2aaded6dded156ab976119354df9a)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
             check_type(argname="argument git_branch", value=git_branch, expected_type=type_hints["git_branch"])
             check_type(argname="argument git_commit_message", value=git_commit_message, expected_type=type_hints["git_commit_message"])
             check_type(argname="argument github_deploy_key_secret", value=github_deploy_key_secret, expected_type=type_hints["github_deploy_key_secret"])
-            check_type(argname="argument github_repo", value=github_repo, expected_type=type_hints["github_repo"])
             check_type(argname="argument github_token_secret", value=github_token_secret, expected_type=type_hints["github_token_secret"])
             check_type(argname="argument github_use_ssh", value=github_use_ssh, expected_type=type_hints["github_use_ssh"])
             check_type(argname="argument git_user_email", value=git_user_email, expected_type=type_hints["git_user_email"])
             check_type(argname="argument git_user_name", value=git_user_name, expected_type=type_hints["git_user_name"])
             check_type(argname="argument module_name", value=module_name, expected_type=type_hints["module_name"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
+            check_type(argname="argument version_suffix", value=version_suffix, expected_type=type_hints["version_suffix"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "module_name": module_name,
         }
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -816,8 +929,6 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
             self._values["git_commit_message"] = git_commit_message
         if github_deploy_key_secret is not None:
             self._values["github_deploy_key_secret"] = github_deploy_key_secret
-        if github_repo is not None:
-            self._values["github_repo"] = github_repo
         if github_token_secret is not None:
             self._values["github_token_secret"] = github_token_secret
         if github_use_ssh is not None:
@@ -828,6 +939,24 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
             self._values["git_user_name"] = git_user_name
         if package_name is not None:
             self._values["package_name"] = package_name
+        if version_suffix is not None:
+            self._values["version_suffix"] = version_suffix
+
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
@@ -845,7 +974,7 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -903,17 +1032,6 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
         result = self._values.get("github_deploy_key_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
-    @builtins.property
-    def github_repo(self) -> typing.Optional[builtins.str]:
-        '''(experimental) GitHub repository to push to.
-
-        :default: - derived from ``moduleName``
-
-        :stability: experimental
-        '''
-        result = self._values.get("github_repo")
-        return typing.cast(typing.Optional[builtins.str], result)
-
     @builtins.property
     def github_token_secret(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the secret that includes a personal GitHub access token used to push to the GitHub repository.
@@ -942,7 +1060,7 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
     def git_user_email(self) -> typing.Optional[builtins.str]:
         '''(experimental) The email to use in the release git commit.
 
-        :default: "github-actions@github.com"
+        :default: - default GitHub Actions user email
 
         :stability: experimental
         '''
@@ -953,7 +1071,7 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
     def git_user_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The user name to use for the release git commit.
 
-        :default: "github-actions"
+        :default: - default GitHub Actions user name
 
         :stability: experimental
         '''
@@ -962,13 +1080,16 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
 
     @builtins.property
     def module_name(self) -> builtins.str:
-        '''(experimental) The name of the target go module.
+        '''(experimental) The name of the target repository in which this module will be published (e.g. github.com/owner/repo).
+
+        The module itself will always be published under a subdirectory named according
+        to the ``packageName`` of the module (e.g. github.com/foo/bar/pkg).
 
         :stability: experimental
 
         Example::
 
-            github.com/owner/repo/subdir
+            github.com/owner/repo
         '''
         result = self._values.get("module_name")
         assert result is not None, "Required property 'module_name' is missing"
@@ -976,15 +1097,30 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
 
     @builtins.property
     def package_name(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The name of the go package.
+        '''(experimental) The name of the Go package name.
+
+        If not specified, package name will be derived from the JavaScript module name
+        by removing non-alphanumeric characters (e.g.
 
-        :default: - derived from the module name
+        :default: - derived from the JavaScript module name
 
         :stability: experimental
+        :projen: /foo-bar will be projenfoobar).
         '''
         result = self._values.get("package_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def version_suffix(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A suffix appended at the end of the module version (e.g ``"-devprefix"``).
+
+        :default: - none
+
+        :stability: experimental
+        '''
+        result = self._values.get("version_suffix")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -1001,6 +1137,7 @@ class JsiiGoTarget(_GoPublishOptions_d6430d61):
     jsii_type="projen.cdk.JsiiJavaTarget",
     jsii_struct_bases=[_MavenPublishOptions_43a9e42a],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
@@ -1021,6 +1158,7 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1037,15 +1175,16 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
         maven_group_id: builtins.str,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
-        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: "https://oss.sonatype.org"
+        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: - "https://oss.sonatype.org" or none when publishing to Maven Central
         :param maven_gpg_private_key_passphrase: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE" or not set when using GitHub Packages
         :param maven_gpg_private_key_secret: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY" or not set when using GitHub Packages
         :param maven_password: (experimental) GitHub secret name which contains the Password for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_PASSWORD" or "GITHUB_TOKEN" when using GitHub Packages
         :param maven_repository_url: (experimental) Deployment repository when not deploying to Maven Central. Default: - not set
-        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Default: "ossrh" (Maven Central) or "github" when using GitHub Packages
+        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Set to ``central-ossrh`` to publish to Maven Central. Default: "central-ossrh" (Maven Central) or "github" when using GitHub Packages
         :param maven_staging_profile_id: (experimental) GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521). Default: "MAVEN_STAGING_PROFILE_ID" or not set when using GitHub Packages
         :param maven_username: (experimental) GitHub secret name which contains the Username for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_USERNAME" or the GitHub Actor when using GitHub Packages
         :param java_package: 
@@ -1058,6 +1197,7 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__365483a000ed61cc1587d7ada435961b86f33fb0718cd001430497c2290e0820)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
@@ -1077,6 +1217,8 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
             "maven_artifact_id": maven_artifact_id,
             "maven_group_id": maven_group_id,
         }
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -1100,6 +1242,22 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
         if maven_username is not None:
             self._values["maven_username"] = maven_username
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -1116,7 +1274,7 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -1145,7 +1303,7 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
 
         if not set, defaults to https://oss.sonatype.org
 
-        :default: "https://oss.sonatype.org"
+        :default: - "https://oss.sonatype.org" or none when publishing to Maven Central
 
         :stability: experimental
         '''
@@ -1211,7 +1369,9 @@ class JsiiJavaTarget(_MavenPublishOptions_43a9e42a):
     def maven_server_id(self) -> typing.Optional[builtins.str]:
         '''(experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub).
 
-        :default: "ossrh" (Maven Central) or "github" when using GitHub Packages
+        Set to ``central-ossrh`` to publish to Maven Central.
+
+        :default: "central-ossrh" (Maven Central) or "github" when using GitHub Packages
 
         :stability: experimental
         '''
@@ -1333,8 +1493,13 @@ class JsiiProject(
         typescript_version: typing.Optional[builtins.str] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1396,6 +1561,7 @@ class JsiiProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -1408,9 +1574,11 @@ class JsiiProject(
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1422,9 +1590,11 @@ class JsiiProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -1432,12 +1602,14 @@ class JsiiProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -1467,7 +1639,7 @@ class JsiiProject(
         :param docgen_file_path: (experimental) File path for generated docs. Default: "API.md"
         :param dotnet: 
         :param exclude_typescript: (experimental) Accepts a list of glob patterns. Files matching any of those patterns will be excluded from the TypeScript compiler input. By default, jsii will include all *.ts files (except .d.ts files) in the TypeScript compiler input. This can be problematic for example when the package's build or test procedure generates .ts files that cannot be compiled with jsii's compiler settings.
-        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "1.x"
+        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.8.0"
         :param publish_to_go: (experimental) Publish Go bindings to a git repository. Default: - no publishing
         :param publish_to_maven: (experimental) Publish to maven. Default: - no publishing
         :param publish_to_nuget: (experimental) Publish to NuGet. Default: - no publishing
@@ -1479,7 +1651,7 @@ class JsiiProject(
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -1494,13 +1666,18 @@ class JsiiProject(
         :param typescript_version: (experimental) TypeScript version to use. NOTE: Typescript is not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~1.2.3``). Default: "latest"
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -1510,14 +1687,14 @@ class JsiiProject(
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -1527,8 +1704,8 @@ class JsiiProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -1557,6 +1734,7 @@ class JsiiProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -1566,26 +1744,30 @@ class JsiiProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -1593,15 +1775,17 @@ class JsiiProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -1657,8 +1841,13 @@ class JsiiProject(
             typescript_version=typescript_version,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
+            build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
             bundler_options=bundler_options,
             check_licenses=check_licenses,
@@ -1720,6 +1909,7 @@ class JsiiProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -1732,9 +1922,11 @@ class JsiiProject(
             max_node_version=max_node_version,
             min_node_version=min_node_version,
             npm_access=npm_access,
+            npm_provenance=npm_provenance,
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -1746,9 +1938,11 @@ class JsiiProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -1756,12 +1950,14 @@ class JsiiProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -1784,14 +1980,6 @@ class JsiiProject(
 
         jsii.create(self.__class__, self, [options])
 
-    @builtins.property
-    @jsii.member(jsii_name="eslint")
-    def eslint(self) -> typing.Optional[_Eslint_b3991f7f]:
-        '''
-        :stability: experimental
-        '''
-        return typing.cast(typing.Optional[_Eslint_b3991f7f], jsii.get(self, "eslint"))
-
 
 @jsii.data_type(
     jsii_type="projen.cdk.JsiiProjectOptions",
@@ -1836,6 +2024,7 @@ class JsiiProject(
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -1848,9 +2037,11 @@ class JsiiProject(
         "max_node_version": "maxNodeVersion",
         "min_node_version": "minNodeVersion",
         "npm_access": "npmAccess",
+        "npm_provenance": "npmProvenance",
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -1862,9 +2053,11 @@ class JsiiProject(
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -1872,12 +2065,14 @@ class JsiiProject(
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -1886,8 +2081,13 @@ class JsiiProject(
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
+        "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
         "bundler_options": "bundlerOptions",
         "check_licenses": "checkLicenses",
@@ -2001,6 +2201,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -2013,9 +2214,11 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -2027,9 +2230,11 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -2037,12 +2242,14 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -2051,8 +2258,13 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -2162,6 +2374,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -2171,26 +2384,30 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -2198,27 +2415,34 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -2228,14 +2452,14 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -2245,15 +2469,15 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param disable_tsconfig: (experimental) Do not generate a ``tsconfig.json`` file (used by jsii projects since tsconfig.json is generated by the jsii compiler). Default: false
         :param disable_tsconfig_dev: (experimental) Do not generate a ``tsconfig.dev.json`` file. Default: false
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -2275,7 +2499,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         :param docgen_file_path: (experimental) File path for generated docs. Default: "API.md"
         :param dotnet: 
         :param exclude_typescript: (experimental) Accepts a list of glob patterns. Files matching any of those patterns will be excluded from the TypeScript compiler input. By default, jsii will include all *.ts files (except .d.ts files) in the TypeScript compiler input. This can be problematic for example when the package's build or test procedure generates .ts files that cannot be compiled with jsii's compiler settings.
-        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "1.x"
+        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.8.0"
         :param publish_to_go: (experimental) Publish Go bindings to a git repository. Default: - no publishing
         :param publish_to_maven: (experimental) Publish to maven. Default: - no publishing
         :param publish_to_nuget: (experimental) Publish to NuGet. Default: - no publishing
@@ -2315,6 +2539,12 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
+        if isinstance(build_workflow_options, dict):
+            build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
             build_workflow_triggers = _Triggers_e9ae7617(**build_workflow_triggers)
         if isinstance(bundler_options, dict):
@@ -2398,6 +2628,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -2410,9 +2641,11 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             check_type(argname="argument max_node_version", value=max_node_version, expected_type=type_hints["max_node_version"])
             check_type(argname="argument min_node_version", value=min_node_version, expected_type=type_hints["min_node_version"])
             check_type(argname="argument npm_access", value=npm_access, expected_type=type_hints["npm_access"])
+            check_type(argname="argument npm_provenance", value=npm_provenance, expected_type=type_hints["npm_provenance"])
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -2424,9 +2657,11 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -2434,12 +2669,14 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -2448,8 +2685,13 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
+            check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
             check_type(argname="argument bundler_options", value=bundler_options, expected_type=type_hints["bundler_options"])
             check_type(argname="argument check_licenses", value=check_licenses, expected_type=type_hints["check_licenses"])
@@ -2601,6 +2843,8 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -2625,12 +2869,16 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             self._values["min_node_version"] = min_node_version
         if npm_access is not None:
             self._values["npm_access"] = npm_access
+        if npm_provenance is not None:
+            self._values["npm_provenance"] = npm_provenance
         if npm_registry is not None:
             self._values["npm_registry"] = npm_registry
         if npm_registry_url is not None:
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -2653,12 +2901,16 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -2673,6 +2925,8 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -2685,6 +2939,8 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -2699,10 +2955,20 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
+        if build_workflow_options is not None:
+            self._values["build_workflow_options"] = build_workflow_options
         if build_workflow_triggers is not None:
             self._values["build_workflow_triggers"] = build_workflow_triggers
         if bundler_options is not None:
@@ -3298,6 +3564,17 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -3432,9 +3709,15 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
 
-        :default: - no max
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -3443,9 +3726,19 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
 
-        :default: - no "engines" specified
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
+
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
+
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -3467,6 +3760,24 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("npm_access")
         return typing.cast(typing.Optional[_NpmAccess_134fa228], result)
 
+    @builtins.property
+    def npm_provenance(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Should provenance statements be generated when the package is published.
+
+        A supported package manager is required to publish a package with npm provenance statements and
+        you will need to use a supported CI/CD provider.
+
+        Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages,
+        which is using npm internally and supports provenance statements independently of the package manager used.
+
+        :default: - true for public packages, false otherwise
+
+        :see: https://docs.npmjs.com/generating-provenance-statements
+        :stability: experimental
+        '''
+        result = self._values.get("npm_provenance")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def npm_registry(self) -> typing.Optional[builtins.str]:
         '''(deprecated) The host name of the npm registry to publish to.
@@ -3504,6 +3815,17 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -3567,7 +3889,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -3644,6 +3966,19 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -3685,6 +4020,36 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -3780,6 +4145,23 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -3857,6 +4239,19 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -3883,7 +4278,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -3952,6 +4347,32 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -3965,6 +4386,28 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -3976,13 +4419,24 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         result = self._values.get("build_workflow")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def build_workflow_options(self) -> typing.Optional[_BuildWorkflowOptions_b756f97f]:
+        '''(experimental) Options for PR build workflow.
+
+        :stability: experimental
+        '''
+        result = self._values.get("build_workflow_options")
+        return typing.cast(typing.Optional[_BuildWorkflowOptions_b756f97f], result)
+
     @builtins.property
     def build_workflow_triggers(self) -> typing.Optional[_Triggers_e9ae7617]:
-        '''(experimental) Build workflow triggers.
+        '''(deprecated) Build workflow triggers.
 
         :default: "{ pullRequest: {}, workflowDispatch: {} }"
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.workflowTriggers``
+
+        :stability: deprecated
         '''
         result = self._values.get("build_workflow_triggers")
         return typing.cast(typing.Optional[_Triggers_e9ae7617], result)
@@ -4011,7 +4465,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -4022,9 +4476,9 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -4136,7 +4590,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
 
     @builtins.property
     def mutable_build(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Automatically update files modified during builds to pull-request branches.
+        '''(deprecated) Automatically update files modified during builds to pull-request branches.
 
         This means
         that any files synthesized by projen or e.g. test snapshots will always be up-to-date
@@ -4146,7 +4600,9 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
 
         :default: true
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.mutableBuild``
+
+        :stability: deprecated
         '''
         result = self._values.get("mutable_build")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -4219,7 +4675,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
     def projen_dev_dependency(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Indicates of "projen" should be installed as a devDependency.
 
-        :default: true
+        :default: - true if not a subproject
 
         :stability: experimental
         '''
@@ -4335,7 +4791,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -4344,9 +4800,11 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
+
+        Always use this option if your GitHub Actions workflows require a specific to run.
 
-        :default: - same as ``minNodeVersion``
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -4423,7 +4881,7 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -4686,10 +5144,10 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
         and should remain on the same minor, so we recommend using a ``~`` dependency
         (e.g. ``~5.0.0``).
 
-        :default: "1.x"
+        :default: "~5.8.0"
 
         :stability: experimental
-        :pjnew: "~5.0.0"
+        :pjnew: "~5.9.0"
         '''
         result = self._values.get("jsii_version")
         return typing.cast(typing.Optional[builtins.str], result)
@@ -4774,9 +5232,13 @@ class JsiiProjectOptions(_TypeScriptProjectOptions_d10c83f7):
     jsii_type="projen.cdk.JsiiPythonTarget",
     jsii_struct_bases=[_PyPiPublishOptions_99154bcd],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
+        "attestations": "attestations",
+        "code_artifact_options": "codeArtifactOptions",
+        "trusted_publishing": "trustedPublishing",
         "twine_password_secret": "twinePasswordSecret",
         "twine_registry_url": "twineRegistryUrl",
         "twine_username_secret": "twineUsernameSecret",
@@ -4788,9 +5250,13 @@ class JsiiPythonTarget(_PyPiPublishOptions_99154bcd):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
+        attestations: typing.Optional[builtins.bool] = None,
+        code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_7236977a, typing.Dict[builtins.str, typing.Any]]] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
         twine_password_secret: typing.Optional[builtins.str] = None,
         twine_registry_url: typing.Optional[builtins.str] = None,
         twine_username_secret: typing.Optional[builtins.str] = None,
@@ -4798,9 +5264,13 @@ class JsiiPythonTarget(_PyPiPublishOptions_99154bcd):
         module: builtins.str,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
+        :param attestations: (experimental) Generate and publish cryptographic attestations for files uploaded to PyPI. Attestations provide package provenance and integrity an can be viewed on PyPI. They are only available when using a Trusted Publisher for publishing. Default: - enabled when using trusted publishing, otherwise not applicable
+        :param code_artifact_options: (experimental) Options for publishing to AWS CodeArtifact. Default: - undefined
+        :param trusted_publishing: (experimental) Use PyPI trusted publishing instead of tokens or username & password. Needs to be setup in PyPI.
         :param twine_password_secret: (experimental) The GitHub secret which contains PyPI password. Default: "TWINE_PASSWORD"
         :param twine_registry_url: (experimental) The registry url to use when releasing packages. Default: - twine default
         :param twine_username_secret: (experimental) The GitHub secret which contains PyPI user name. Default: "TWINE_USERNAME"
@@ -4811,11 +5281,17 @@ class JsiiPythonTarget(_PyPiPublishOptions_99154bcd):
         '''
         if isinstance(publish_tools, dict):
             publish_tools = _Tools_75b93a2a(**publish_tools)
+        if isinstance(code_artifact_options, dict):
+            code_artifact_options = _CodeArtifactOptions_7236977a(**code_artifact_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b9ccf41e184eae5eabcd38be0ea0cb88c9d6eb3d4f60d6bb85e4a73763bfb94a)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
+            check_type(argname="argument attestations", value=attestations, expected_type=type_hints["attestations"])
+            check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
             check_type(argname="argument twine_password_secret", value=twine_password_secret, expected_type=type_hints["twine_password_secret"])
             check_type(argname="argument twine_registry_url", value=twine_registry_url, expected_type=type_hints["twine_registry_url"])
             check_type(argname="argument twine_username_secret", value=twine_username_secret, expected_type=type_hints["twine_username_secret"])
@@ -4825,12 +5301,20 @@ class JsiiPythonTarget(_PyPiPublishOptions_99154bcd):
             "dist_name": dist_name,
             "module": module,
         }
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
             self._values["pre_publish_steps"] = pre_publish_steps
         if publish_tools is not None:
             self._values["publish_tools"] = publish_tools
+        if attestations is not None:
+            self._values["attestations"] = attestations
+        if code_artifact_options is not None:
+            self._values["code_artifact_options"] = code_artifact_options
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
         if twine_password_secret is not None:
             self._values["twine_password_secret"] = twine_password_secret
         if twine_registry_url is not None:
@@ -4838,6 +5322,22 @@ class JsiiPythonTarget(_PyPiPublishOptions_99154bcd):
         if twine_username_secret is not None:
             self._values["twine_username_secret"] = twine_username_secret
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -4854,7 +5354,7 @@ class JsiiPythonTarget(_PyPiPublishOptions_99154bcd):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -4877,6 +5377,44 @@ class JsiiPythonTarget(_PyPiPublishOptions_99154bcd):
         result = self._values.get("publish_tools")
         return typing.cast(typing.Optional[_Tools_75b93a2a], result)
 
+    @builtins.property
+    def attestations(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Generate and publish cryptographic attestations for files uploaded to PyPI.
+
+        Attestations provide package provenance and integrity an can be viewed on PyPI.
+        They are only available when using a Trusted Publisher for publishing.
+
+        :default: - enabled when using trusted publishing, otherwise not applicable
+
+        :see: https://docs.pypi.org/attestations/producing-attestations/
+        :stability: experimental
+        '''
+        result = self._values.get("attestations")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_7236977a]:
+        '''(experimental) Options for publishing to AWS CodeArtifact.
+
+        :default: - undefined
+
+        :stability: experimental
+        '''
+        result = self._values.get("code_artifact_options")
+        return typing.cast(typing.Optional[_CodeArtifactOptions_7236977a], result)
+
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use PyPI trusted publishing instead of tokens or username & password.
+
+        Needs to be setup in PyPI.
+
+        :see: https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def twine_password_secret(self) -> typing.Optional[builtins.str]:
         '''(experimental) The GitHub secret which contains PyPI password.
@@ -5010,8 +5548,13 @@ class ConstructLibrary(
         typescript_version: typing.Optional[builtins.str] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5073,6 +5616,7 @@ class ConstructLibrary(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -5085,9 +5629,11 @@ class ConstructLibrary(
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5099,9 +5645,11 @@ class ConstructLibrary(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -5109,12 +5657,14 @@ class ConstructLibrary(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -5145,7 +5695,7 @@ class ConstructLibrary(
         :param docgen_file_path: (experimental) File path for generated docs. Default: "API.md"
         :param dotnet: 
         :param exclude_typescript: (experimental) Accepts a list of glob patterns. Files matching any of those patterns will be excluded from the TypeScript compiler input. By default, jsii will include all *.ts files (except .d.ts files) in the TypeScript compiler input. This can be problematic for example when the package's build or test procedure generates .ts files that cannot be compiled with jsii's compiler settings.
-        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "1.x"
+        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.8.0"
         :param publish_to_go: (experimental) Publish Go bindings to a git repository. Default: - no publishing
         :param publish_to_maven: (experimental) Publish to maven. Default: - no publishing
         :param publish_to_nuget: (experimental) Publish to NuGet. Default: - no publishing
@@ -5157,7 +5707,7 @@ class ConstructLibrary(
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -5172,13 +5722,18 @@ class ConstructLibrary(
         :param typescript_version: (experimental) TypeScript version to use. NOTE: Typescript is not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~1.2.3``). Default: "latest"
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -5188,14 +5743,14 @@ class ConstructLibrary(
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -5205,8 +5760,8 @@ class ConstructLibrary(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -5235,6 +5790,7 @@ class ConstructLibrary(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -5244,26 +5800,30 @@ class ConstructLibrary(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -5271,15 +5831,17 @@ class ConstructLibrary(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -5336,8 +5898,13 @@ class ConstructLibrary(
             typescript_version=typescript_version,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
+            build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
             bundler_options=bundler_options,
             check_licenses=check_licenses,
@@ -5399,6 +5966,7 @@ class ConstructLibrary(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -5411,9 +5979,11 @@ class ConstructLibrary(
             max_node_version=max_node_version,
             min_node_version=min_node_version,
             npm_access=npm_access,
+            npm_provenance=npm_provenance,
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -5425,9 +5995,11 @@ class ConstructLibrary(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -5435,12 +6007,14 @@ class ConstructLibrary(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -5514,6 +6088,7 @@ typing.cast(typing.Any, ConstructLibrary).__jsii_proxy_class__ = lambda : _Const
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -5526,9 +6101,11 @@ typing.cast(typing.Any, ConstructLibrary).__jsii_proxy_class__ = lambda : _Const
         "max_node_version": "maxNodeVersion",
         "min_node_version": "minNodeVersion",
         "npm_access": "npmAccess",
+        "npm_provenance": "npmProvenance",
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -5540,9 +6117,11 @@ typing.cast(typing.Any, ConstructLibrary).__jsii_proxy_class__ = lambda : _Const
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -5550,12 +6129,14 @@ typing.cast(typing.Any, ConstructLibrary).__jsii_proxy_class__ = lambda : _Const
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -5564,8 +6145,13 @@ typing.cast(typing.Any, ConstructLibrary).__jsii_proxy_class__ = lambda : _Const
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
+        "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
         "bundler_options": "bundlerOptions",
         "check_licenses": "checkLicenses",
@@ -5680,6 +6266,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -5692,9 +6279,11 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         max_node_version: typing.Optional[builtins.str] = None,
         min_node_version: typing.Optional[builtins.str] = None,
         npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+        npm_provenance: typing.Optional[builtins.bool] = None,
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5706,9 +6295,11 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -5716,12 +6307,14 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -5730,8 +6323,13 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
+        build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
         bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
         check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5842,6 +6440,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -5851,26 +6450,30 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -5878,27 +6481,34 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
-        :param build_workflow_triggers: (experimental) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
+        :param build_workflow_options: (experimental) Options for PR build workflow.
+        :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -5908,14 +6518,14 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         :param gitignore: (experimental) Additional entries to .gitignore.
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
-        :param mutable_build: (experimental) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
+        :param mutable_build: (deprecated) Automatically update files modified during builds to pull-request branches. This means that any files synthesized by projen or e.g. test snapshots will always be up-to-date before a PR is merged. Implies that PR builds do not have anti-tamper checks. Default: true
         :param npmignore: (deprecated) Additional entries to .npmignore.
         :param npmignore_enabled: (experimental) Defines an .npmignore file. Normally this is only needed for libraries that are packaged as tarballs. Default: true
         :param npm_ignore_options: (experimental) Configuration options for .npmignore file.
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param prettier: (experimental) Setup prettier. Default: false
         :param prettier_options: (experimental) Prettier options. Default: - default options
-        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: true
+        :param projen_dev_dependency: (experimental) Indicates of "projen" should be installed as a devDependency. Default: - true if not a subproject
         :param projenrc_js: (experimental) Generate (once) .projenrc.js (in JavaScript). Set to ``false`` in order to disable .projenrc.js generation. Default: - true if projenrcJson is false
         :param projenrc_js_options: (experimental) Options for .projenrc.js. Default: - default options
         :param projen_version: (experimental) Version of projen to install. Default: - Defaults to the latest version.
@@ -5925,15 +6535,15 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param disable_tsconfig: (experimental) Do not generate a ``tsconfig.json`` file (used by jsii projects since tsconfig.json is generated by the jsii compiler). Default: false
         :param disable_tsconfig_dev: (experimental) Do not generate a ``tsconfig.dev.json`` file. Default: false
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -5955,7 +6565,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         :param docgen_file_path: (experimental) File path for generated docs. Default: "API.md"
         :param dotnet: 
         :param exclude_typescript: (experimental) Accepts a list of glob patterns. Files matching any of those patterns will be excluded from the TypeScript compiler input. By default, jsii will include all *.ts files (except .d.ts files) in the TypeScript compiler input. This can be problematic for example when the package's build or test procedure generates .ts files that cannot be compiled with jsii's compiler settings.
-        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "1.x"
+        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.8.0"
         :param publish_to_go: (experimental) Publish Go bindings to a git repository. Default: - no publishing
         :param publish_to_maven: (experimental) Publish to maven. Default: - no publishing
         :param publish_to_nuget: (experimental) Publish to NuGet. Default: - no publishing
@@ -5996,6 +6606,12 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
+        if isinstance(build_workflow_options, dict):
+            build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
             build_workflow_triggers = _Triggers_e9ae7617(**build_workflow_triggers)
         if isinstance(bundler_options, dict):
@@ -6081,6 +6697,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -6093,9 +6710,11 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             check_type(argname="argument max_node_version", value=max_node_version, expected_type=type_hints["max_node_version"])
             check_type(argname="argument min_node_version", value=min_node_version, expected_type=type_hints["min_node_version"])
             check_type(argname="argument npm_access", value=npm_access, expected_type=type_hints["npm_access"])
+            check_type(argname="argument npm_provenance", value=npm_provenance, expected_type=type_hints["npm_provenance"])
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -6107,9 +6726,11 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -6117,12 +6738,14 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -6131,8 +6754,13 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
+            check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
             check_type(argname="argument bundler_options", value=bundler_options, expected_type=type_hints["bundler_options"])
             check_type(argname="argument check_licenses", value=check_licenses, expected_type=type_hints["check_licenses"])
@@ -6285,6 +6913,8 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -6309,12 +6939,16 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             self._values["min_node_version"] = min_node_version
         if npm_access is not None:
             self._values["npm_access"] = npm_access
+        if npm_provenance is not None:
+            self._values["npm_provenance"] = npm_provenance
         if npm_registry is not None:
             self._values["npm_registry"] = npm_registry
         if npm_registry_url is not None:
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -6337,12 +6971,16 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -6357,6 +6995,8 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -6369,6 +7009,8 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -6383,10 +7025,20 @@ class ConstructLibraryOptions(JsiiProjectOptions):
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
+        if build_workflow_options is not None:
+            self._values["build_workflow_options"] = build_workflow_options
         if build_workflow_triggers is not None:
             self._values["build_workflow_triggers"] = build_workflow_triggers
         if bundler_options is not None:
@@ -6984,6 +7636,17 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -7118,9 +7781,15 @@ class ConstructLibraryOptions(JsiiProjectOptions):
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
 
-        :default: - no max
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
+
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -7129,9 +7798,19 @@ class ConstructLibraryOptions(JsiiProjectOptions):
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
 
-        :default: - no "engines" specified
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
+
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -7153,6 +7832,24 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("npm_access")
         return typing.cast(typing.Optional[_NpmAccess_134fa228], result)
 
+    @builtins.property
+    def npm_provenance(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Should provenance statements be generated when the package is published.
+
+        A supported package manager is required to publish a package with npm provenance statements and
+        you will need to use a supported CI/CD provider.
+
+        Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages,
+        which is using npm internally and supports provenance statements independently of the package manager used.
+
+        :default: - true for public packages, false otherwise
+
+        :see: https://docs.npmjs.com/generating-provenance-statements
+        :stability: experimental
+        '''
+        result = self._values.get("npm_provenance")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def npm_registry(self) -> typing.Optional[builtins.str]:
         '''(deprecated) The host name of the npm registry to publish to.
@@ -7190,6 +7887,17 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -7253,7 +7961,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -7330,6 +8038,19 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -7371,6 +8092,36 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -7466,6 +8217,23 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -7543,6 +8311,19 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -7569,7 +8350,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -7638,6 +8419,32 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -7651,6 +8458,28 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -7662,13 +8491,24 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         result = self._values.get("build_workflow")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def build_workflow_options(self) -> typing.Optional[_BuildWorkflowOptions_b756f97f]:
+        '''(experimental) Options for PR build workflow.
+
+        :stability: experimental
+        '''
+        result = self._values.get("build_workflow_options")
+        return typing.cast(typing.Optional[_BuildWorkflowOptions_b756f97f], result)
+
     @builtins.property
     def build_workflow_triggers(self) -> typing.Optional[_Triggers_e9ae7617]:
-        '''(experimental) Build workflow triggers.
+        '''(deprecated) Build workflow triggers.
 
         :default: "{ pullRequest: {}, workflowDispatch: {} }"
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.workflowTriggers``
+
+        :stability: deprecated
         '''
         result = self._values.get("build_workflow_triggers")
         return typing.cast(typing.Optional[_Triggers_e9ae7617], result)
@@ -7697,7 +8537,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v3 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -7708,9 +8548,9 @@ class ConstructLibraryOptions(JsiiProjectOptions):
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -7822,7 +8662,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
 
     @builtins.property
     def mutable_build(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Automatically update files modified during builds to pull-request branches.
+        '''(deprecated) Automatically update files modified during builds to pull-request branches.
 
         This means
         that any files synthesized by projen or e.g. test snapshots will always be up-to-date
@@ -7832,7 +8672,9 @@ class ConstructLibraryOptions(JsiiProjectOptions):
 
         :default: true
 
-        :stability: experimental
+        :deprecated: - Use ``buildWorkflowOptions.mutableBuild``
+
+        :stability: deprecated
         '''
         result = self._values.get("mutable_build")
         return typing.cast(typing.Optional[builtins.bool], result)
@@ -7905,7 +8747,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
     def projen_dev_dependency(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Indicates of "projen" should be installed as a devDependency.
 
-        :default: true
+        :default: - true if not a subproject
 
         :stability: experimental
         '''
@@ -8021,7 +8863,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -8030,9 +8872,11 @@ class ConstructLibraryOptions(JsiiProjectOptions):
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
 
-        :default: - same as ``minNodeVersion``
+        Always use this option if your GitHub Actions workflows require a specific to run.
+
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -8109,7 +8953,7 @@ class ConstructLibraryOptions(JsiiProjectOptions):
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -8372,10 +9216,10 @@ class ConstructLibraryOptions(JsiiProjectOptions):
         and should remain on the same minor, so we recommend using a ``~`` dependency
         (e.g. ``~5.0.0``).
 
-        :default: "1.x"
+        :default: "~5.8.0"
 
         :stability: experimental
-        :pjnew: "~5.0.0"
+        :pjnew: "~5.9.0"
         '''
         result = self._values.get("jsii_version")
         return typing.cast(typing.Optional[builtins.str], result)
@@ -8560,9 +9404,10 @@ def _typecheckingstub__7dcdca80859bf80cb9fb647de7e6170902c312a88763e116e53ea6ea8
     pass
 
 def _typecheckingstub__f43e86fe0c2ba3f9132dc6d6f6592f6259d782833b3aee12cbd3d41e8d3a035a(
-    project: JsiiProject,
+    scope: _constructs_77d1e7e8.IConstruct,
     *,
     file_path: typing.Optional[builtins.str] = None,
+    version: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -8570,17 +9415,21 @@ def _typecheckingstub__f43e86fe0c2ba3f9132dc6d6f6592f6259d782833b3aee12cbd3d41e8
 def _typecheckingstub__2f3fb088da3cc3de21fe4de98d7c818b3cbd2a2139fba0682367f39bd3af95be(
     *,
     file_path: typing.Optional[builtins.str] = None,
+    version: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
 def _typecheckingstub__e809c6916d6d93bf1e91d05e4a79f49eb72f74bccaceeb6a508a3005bb5ec7b5(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     nuget_api_key_secret: typing.Optional[builtins.str] = None,
     nuget_server: typing.Optional[builtins.str] = None,
+    nuget_username_secret: typing.Optional[builtins.str] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
     dot_net_namespace: builtins.str,
     package_id: builtins.str,
     icon_url: typing.Optional[builtins.str] = None,
@@ -8590,25 +9439,27 @@ def _typecheckingstub__e809c6916d6d93bf1e91d05e4a79f49eb72f74bccaceeb6a508a3005b
 
 def _typecheckingstub__b0ea0b1537651364353b8d1546fea1d78af2aaded6dded156ab976119354df9a(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     git_branch: typing.Optional[builtins.str] = None,
     git_commit_message: typing.Optional[builtins.str] = None,
     github_deploy_key_secret: typing.Optional[builtins.str] = None,
-    github_repo: typing.Optional[builtins.str] = None,
     github_token_secret: typing.Optional[builtins.str] = None,
     github_use_ssh: typing.Optional[builtins.bool] = None,
     git_user_email: typing.Optional[builtins.str] = None,
     git_user_name: typing.Optional[builtins.str] = None,
     module_name: builtins.str,
     package_name: typing.Optional[builtins.str] = None,
+    version_suffix: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
 def _typecheckingstub__365483a000ed61cc1587d7ada435961b86f33fb0718cd001430497c2290e0820(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -8668,6 +9519,7 @@ def _typecheckingstub__c8323b2edac3105e05d346954d0050d635763ca6b27825b5452fa3d2b
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -8680,9 +9532,11 @@ def _typecheckingstub__c8323b2edac3105e05d346954d0050d635763ca6b27825b5452fa3d2b
     max_node_version: typing.Optional[builtins.str] = None,
     min_node_version: typing.Optional[builtins.str] = None,
     npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+    npm_provenance: typing.Optional[builtins.bool] = None,
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -8694,9 +9548,11 @@ def _typecheckingstub__c8323b2edac3105e05d346954d0050d635763ca6b27825b5452fa3d2b
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -8704,12 +9560,14 @@ def _typecheckingstub__c8323b2edac3105e05d346954d0050d635763ca6b27825b5452fa3d2b
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -8718,8 +9576,13 @@ def _typecheckingstub__c8323b2edac3105e05d346954d0050d635763ca6b27825b5452fa3d2b
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
+    build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
     bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
     check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -8794,9 +9657,13 @@ def _typecheckingstub__c8323b2edac3105e05d346954d0050d635763ca6b27825b5452fa3d2b
 
 def _typecheckingstub__b9ccf41e184eae5eabcd38be0ea0cb88c9d6eb3d4f60d6bb85e4a73763bfb94a(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
+    attestations: typing.Optional[builtins.bool] = None,
+    code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_7236977a, typing.Dict[builtins.str, typing.Any]]] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
     twine_password_secret: typing.Optional[builtins.str] = None,
     twine_registry_url: typing.Optional[builtins.str] = None,
     twine_username_secret: typing.Optional[builtins.str] = None,
@@ -8847,6 +9714,7 @@ def _typecheckingstub__0faec4221ab7163e96a5287d81c7e28c1c8f831e5f79f595bd4a88cdd
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -8859,9 +9727,11 @@ def _typecheckingstub__0faec4221ab7163e96a5287d81c7e28c1c8f831e5f79f595bd4a88cdd
     max_node_version: typing.Optional[builtins.str] = None,
     min_node_version: typing.Optional[builtins.str] = None,
     npm_access: typing.Optional[_NpmAccess_134fa228] = None,
+    npm_provenance: typing.Optional[builtins.bool] = None,
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -8873,9 +9743,11 @@ def _typecheckingstub__0faec4221ab7163e96a5287d81c7e28c1c8f831e5f79f595bd4a88cdd
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -8883,12 +9755,14 @@ def _typecheckingstub__0faec4221ab7163e96a5287d81c7e28c1c8f831e5f79f595bd4a88cdd
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -8897,8 +9771,13 @@ def _typecheckingstub__0faec4221ab7163e96a5287d81c7e28c1c8f831e5f79f595bd4a88cdd
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
+    build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
     bundler_options: typing.Optional[typing.Union[_BundlerOptions_d60b85ed, typing.Dict[builtins.str, typing.Any]]] = None,
     check_licenses: typing.Optional[typing.Union[_LicenseCheckerOptions_80bcd362, typing.Dict[builtins.str, typing.Any]]] = None,