projen 0.81.17__py3-none-any.whl → 0.98.25__py3-none-any.whl

projen/web/__init__.py

@@ -11,7 +11,22 @@ import jsii
 import publication
 import typing_extensions
 
-from typeguard import check_type
+import typeguard
+from importlib.metadata import version as _metadata_package_version
+TYPEGUARD_MAJOR_VERSION = int(_metadata_package_version('typeguard').split('.')[0])
+
+def check_type(argname: str, value: object, expected_type: typing.Any) -> typing.Any:
+    if TYPEGUARD_MAJOR_VERSION <= 2:
+        return typeguard.check_type(argname=argname, value=value, expected_type=expected_type) # type:ignore
+    else:
+        if isinstance(value, jsii._reference_map.InterfaceDynamicProxy): # pyright: ignore [reportAttributeAccessIssue]
+           pass
+        else:
+            if TYPEGUARD_MAJOR_VERSION == 3:
+                typeguard.config.collection_check_strategy = typeguard.CollectionCheckStrategy.ALL_ITEMS # type:ignore
+                typeguard.check_type(value=value, expected_type=expected_type) # type:ignore
+            else:
+                typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore
 
 from .._jsii import *
 
@@ -46,6 +61,8 @@ from ..github.workflows import (
     JobStep as _JobStep_c3287c05, Triggers as _Triggers_e9ae7617
 )
 from ..javascript import (
+    AuditOptions as _AuditOptions_429c62df,
+    BiomeOptions as _BiomeOptions_452ab984,
     BuildWorkflowOptions as _BuildWorkflowOptions_b756f97f,
     BundlerOptions as _BundlerOptions_d60b85ed,
     CodeArtifactOptions as _CodeArtifactOptions_e4782b3e,
@@ -254,7 +271,11 @@ class NextJsProject(
         tailwind: typing.Optional[builtins.bool] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -318,6 +339,7 @@ class NextJsProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -334,6 +356,7 @@ class NextJsProject(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -345,9 +368,11 @@ class NextJsProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -355,12 +380,14 @@ class NextJsProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -387,14 +414,18 @@ class NextJsProject(
         :param tailwind: (experimental) Setup Tailwind CSS as a PostCSS plugin. Default: true
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -421,8 +452,8 @@ class NextJsProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -451,6 +482,7 @@ class NextJsProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -460,27 +492,30 @@ class NextJsProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -488,15 +523,17 @@ class NextJsProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -522,7 +559,11 @@ class NextJsProject(
             tailwind=tailwind,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
             build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
@@ -586,6 +627,7 @@ class NextJsProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -602,6 +644,7 @@ class NextJsProject(
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -613,9 +656,11 @@ class NextJsProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -623,12 +668,14 @@ class NextJsProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -725,6 +772,7 @@ class NextJsProject(
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -741,6 +789,7 @@ class NextJsProject(
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -752,9 +801,11 @@ class NextJsProject(
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -762,12 +813,14 @@ class NextJsProject(
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -776,7 +829,11 @@ class NextJsProject(
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
         "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
@@ -862,6 +919,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -878,6 +936,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -889,9 +948,11 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -899,12 +960,14 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -913,7 +976,11 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -995,6 +1062,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -1004,27 +1072,30 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -1032,28 +1103,34 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -1080,8 +1157,8 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param sample_code: (experimental) Generate one-time sample in ``pages/`` and ``public/`` if there are no files there. Default: true
         :param srcdir: (experimental) Typescript sources directory. Default: "src"
@@ -1118,6 +1195,10 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
         if isinstance(build_workflow_options, dict):
             build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
@@ -1183,6 +1264,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -1199,6 +1281,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -1210,9 +1293,11 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -1220,12 +1305,14 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -1234,7 +1321,11 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
             check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
@@ -1357,6 +1448,8 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -1389,6 +1482,8 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -1411,12 +1506,16 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -1431,6 +1530,8 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -1443,6 +1544,8 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -1457,8 +1560,16 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
         if build_workflow_options is not None:
@@ -2024,6 +2135,17 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -2158,9 +2280,15 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
 
-        :default: - no max
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
+
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -2169,9 +2297,19 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
 
-        :default: - no "engines" specified
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
+
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -2248,6 +2386,17 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -2311,7 +2460,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -2388,6 +2537,19 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -2429,6 +2591,36 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -2524,6 +2716,23 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -2601,6 +2810,19 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -2627,7 +2849,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -2696,6 +2918,32 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -2709,6 +2957,28 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -2766,7 +3036,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -2777,9 +3047,9 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -3092,7 +3362,7 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -3101,9 +3371,11 @@ class NextJsProjectOptions(NextJsCommonProjectOptions, _NodeProjectOptions_d12f6
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
 
-        :default: - same as ``minNodeVersion``
+        Always use this option if your GitHub Actions workflows require a specific to run.
+
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -3191,7 +3463,11 @@ class NextJsTypeScriptProject(
         typescript_version: typing.Optional[builtins.str] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -3255,6 +3531,7 @@ class NextJsTypeScriptProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -3271,6 +3548,7 @@ class NextJsTypeScriptProject(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -3282,9 +3560,11 @@ class NextJsTypeScriptProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -3292,12 +3572,14 @@ class NextJsTypeScriptProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -3325,7 +3607,7 @@ class NextJsTypeScriptProject(
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -3340,14 +3622,18 @@ class NextJsTypeScriptProject(
         :param typescript_version: (experimental) TypeScript version to use. NOTE: Typescript is not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~1.2.3``). Default: "latest"
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -3374,8 +3660,8 @@ class NextJsTypeScriptProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -3404,6 +3690,7 @@ class NextJsTypeScriptProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -3413,27 +3700,30 @@ class NextJsTypeScriptProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -3441,15 +3731,17 @@ class NextJsTypeScriptProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -3491,7 +3783,11 @@ class NextJsTypeScriptProject(
             typescript_version=typescript_version,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
             build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
@@ -3555,6 +3851,7 @@ class NextJsTypeScriptProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -3571,6 +3868,7 @@ class NextJsTypeScriptProject(
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -3582,9 +3880,11 @@ class NextJsTypeScriptProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -3592,12 +3892,14 @@ class NextJsTypeScriptProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -3694,6 +3996,7 @@ class NextJsTypeScriptProject(
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -3710,6 +4013,7 @@ class NextJsTypeScriptProject(
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -3721,9 +4025,11 @@ class NextJsTypeScriptProject(
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -3731,12 +4037,14 @@ class NextJsTypeScriptProject(
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -3745,7 +4053,11 @@ class NextJsTypeScriptProject(
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
         "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
@@ -3850,6 +4162,7 @@ class NextJsTypeScriptProjectOptions(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -3866,6 +4179,7 @@ class NextJsTypeScriptProjectOptions(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -3877,9 +4191,11 @@ class NextJsTypeScriptProjectOptions(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -3887,12 +4203,14 @@ class NextJsTypeScriptProjectOptions(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -3901,7 +4219,11 @@ class NextJsTypeScriptProjectOptions(
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -3999,6 +4321,7 @@ class NextJsTypeScriptProjectOptions(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -4008,27 +4331,30 @@ class NextJsTypeScriptProjectOptions(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -4036,28 +4362,34 @@ class NextJsTypeScriptProjectOptions(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -4084,15 +4416,15 @@ class NextJsTypeScriptProjectOptions(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param disable_tsconfig: (experimental) Do not generate a ``tsconfig.json`` file (used by jsii projects since tsconfig.json is generated by the jsii compiler). Default: false
         :param disable_tsconfig_dev: (experimental) Do not generate a ``tsconfig.dev.json`` file. Default: false
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -4138,6 +4470,10 @@ class NextJsTypeScriptProjectOptions(
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
         if isinstance(build_workflow_options, dict):
             build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
@@ -4213,6 +4549,7 @@ class NextJsTypeScriptProjectOptions(
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -4229,6 +4566,7 @@ class NextJsTypeScriptProjectOptions(
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -4240,9 +4578,11 @@ class NextJsTypeScriptProjectOptions(
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -4250,12 +4590,14 @@ class NextJsTypeScriptProjectOptions(
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -4264,7 +4606,11 @@ class NextJsTypeScriptProjectOptions(
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
             check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
@@ -4403,6 +4749,8 @@ class NextJsTypeScriptProjectOptions(
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -4435,6 +4783,8 @@ class NextJsTypeScriptProjectOptions(
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -4457,12 +4807,16 @@ class NextJsTypeScriptProjectOptions(
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -4477,6 +4831,8 @@ class NextJsTypeScriptProjectOptions(
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -4489,6 +4845,8 @@ class NextJsTypeScriptProjectOptions(
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -4503,8 +4861,16 @@ class NextJsTypeScriptProjectOptions(
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
         if build_workflow_options is not None:
@@ -5102,6 +5468,17 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -5236,9 +5613,15 @@ class NextJsTypeScriptProjectOptions(
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
 
-        :default: - no max
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -5247,9 +5630,19 @@ class NextJsTypeScriptProjectOptions(
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
+
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
 
-        :default: - no "engines" specified
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -5326,6 +5719,17 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -5389,7 +5793,7 @@ class NextJsTypeScriptProjectOptions(
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -5466,6 +5870,19 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -5507,6 +5924,36 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -5602,6 +6049,23 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -5679,6 +6143,19 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -5705,7 +6182,7 @@ class NextJsTypeScriptProjectOptions(
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -5774,6 +6251,32 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -5787,6 +6290,28 @@ class NextJsTypeScriptProjectOptions(
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -5844,7 +6369,7 @@ class NextJsTypeScriptProjectOptions(
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -5855,9 +6380,9 @@ class NextJsTypeScriptProjectOptions(
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -6170,7 +6695,7 @@ class NextJsTypeScriptProjectOptions(
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -6179,9 +6704,11 @@ class NextJsTypeScriptProjectOptions(
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
 
-        :default: - same as ``minNodeVersion``
+        Always use this option if your GitHub Actions workflows require a specific to run.
+
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -6258,7 +6785,7 @@ class NextJsTypeScriptProjectOptions(
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -6600,7 +7127,11 @@ class ReactProject(
         srcdir: typing.Optional[builtins.str] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -6665,6 +7196,7 @@ class ReactProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -6681,6 +7213,7 @@ class ReactProject(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -6692,9 +7225,11 @@ class ReactProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -6702,12 +7237,14 @@ class ReactProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -6732,14 +7269,18 @@ class ReactProject(
         :param srcdir: (experimental) Source directory. Default: "src"
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -6766,8 +7307,8 @@ class ReactProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param rewire: (experimental) Rewire webpack configuration. Use this property to override webpack configuration properties provided by create-react-app, without needing to eject. This property will create a ``config-overrides.js`` file in your root directory, which will contain the desired rewiring code. To **override** the configuration, you can provide simple key value pairs. Keys take the form of js code directives that traverse to the desired property. Values should be JSON serializable objects. For example, the following config:: rewire: { "module.unknownContextCritical": false } Will translate to the following ``config-overrides.js`` file:: module.exports = function override(config, env) { config.module.unknownContextCritical = false; } Default: - No rewired config.
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
@@ -6797,6 +7338,7 @@ class ReactProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -6806,27 +7348,30 @@ class ReactProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -6834,15 +7379,17 @@ class ReactProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -6866,7 +7413,11 @@ class ReactProject(
             srcdir=srcdir,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
             build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
@@ -6931,6 +7482,7 @@ class ReactProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -6947,6 +7499,7 @@ class ReactProject(
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -6958,9 +7511,11 @@ class ReactProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -6968,12 +7523,14 @@ class ReactProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -7296,7 +7853,11 @@ class ReactTypeScriptProject(
         rewire: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -7360,6 +7921,7 @@ class ReactTypeScriptProject(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -7376,6 +7938,7 @@ class ReactTypeScriptProject(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -7387,9 +7950,11 @@ class ReactTypeScriptProject(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -7397,12 +7962,14 @@ class ReactTypeScriptProject(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -7428,7 +7995,7 @@ class ReactTypeScriptProject(
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -7444,14 +8011,18 @@ class ReactTypeScriptProject(
         :param rewire: (experimental) Rewire webpack configuration. Use this property to override webpack configuration properties provided by create-react-app, without needing to eject. This property will create a ``config-overrides.js`` file in your root directory, which will contain the desired rewiring code. To **override** the configuration, you can provide simple key value pairs. Keys take the form of js code directives that traverse to the desired property. Values should be JSON serializable objects. For example, the following config:: rewire: { "module.unknownContextCritical": false } Will translate to the following ``config-overrides.js`` file:: module.exports = function override(config, env) { config.module.unknownContextCritical = false; } Default: - No rewired config.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -7478,8 +8049,8 @@ class ReactTypeScriptProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param auto_approve_options: (experimental) Enable and configure the 'auto approve' workflow. Default: - auto approve is disabled
         :param auto_merge: (experimental) Enable automatic merging on GitHub. Has no effect if ``github.mergify`` is set to false. Default: true
@@ -7508,6 +8079,7 @@ class ReactTypeScriptProject(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -7517,27 +8089,30 @@ class ReactTypeScriptProject(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -7545,15 +8120,17 @@ class ReactTypeScriptProject(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -7594,7 +8171,11 @@ class ReactTypeScriptProject(
             rewire=rewire,
             default_release_branch=default_release_branch,
             artifacts_directory=artifacts_directory,
+            audit_deps=audit_deps,
+            audit_deps_options=audit_deps_options,
             auto_approve_upgrades=auto_approve_upgrades,
+            biome=biome,
+            biome_options=biome_options,
             build_workflow=build_workflow,
             build_workflow_options=build_workflow_options,
             build_workflow_triggers=build_workflow_triggers,
@@ -7658,6 +8239,7 @@ class ReactTypeScriptProject(
             bugs_email=bugs_email,
             bugs_url=bugs_url,
             bundled_deps=bundled_deps,
+            bun_version=bun_version,
             code_artifact_options=code_artifact_options,
             deps=deps,
             description=description,
@@ -7674,6 +8256,7 @@ class ReactTypeScriptProject(
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             package_manager=package_manager,
             package_name=package_name,
             peer_dependency_options=peer_dependency_options,
@@ -7685,9 +8268,11 @@ class ReactTypeScriptProject(
             scripts=scripts,
             stability=stability,
             yarn_berry_options=yarn_berry_options,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -7695,12 +8280,14 @@ class ReactTypeScriptProject(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -7776,6 +8363,7 @@ class ReactTypeScriptProject(
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -7792,6 +8380,7 @@ class ReactTypeScriptProject(
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -7803,9 +8392,11 @@ class ReactTypeScriptProject(
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -7813,12 +8404,14 @@ class ReactTypeScriptProject(
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -7827,7 +8420,11 @@ class ReactTypeScriptProject(
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
         "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
@@ -7931,6 +8528,7 @@ class ReactTypeScriptProjectOptions(
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -7947,6 +8545,7 @@ class ReactTypeScriptProjectOptions(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -7958,9 +8557,11 @@ class ReactTypeScriptProjectOptions(
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -7968,12 +8569,14 @@ class ReactTypeScriptProjectOptions(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -7982,7 +8585,11 @@ class ReactTypeScriptProjectOptions(
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -8079,6 +8686,7 @@ class ReactTypeScriptProjectOptions(
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -8088,27 +8696,30 @@ class ReactTypeScriptProjectOptions(
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -8116,28 +8727,34 @@ class ReactTypeScriptProjectOptions(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -8164,15 +8781,15 @@ class ReactTypeScriptProjectOptions(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param disable_tsconfig: (experimental) Do not generate a ``tsconfig.json`` file (used by jsii projects since tsconfig.json is generated by the jsii compiler). Default: false
         :param disable_tsconfig_dev: (experimental) Do not generate a ``tsconfig.dev.json`` file. Default: false
         :param docgen: (experimental) Docgen by Typedoc. Default: false
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param projenrc_ts: (experimental) Use TypeScript for your projenrc file (``.projenrc.ts``). Default: false
@@ -8219,6 +8836,10 @@ class ReactTypeScriptProjectOptions(
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
         if isinstance(build_workflow_options, dict):
             build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
@@ -8292,6 +8913,7 @@ class ReactTypeScriptProjectOptions(
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -8308,6 +8930,7 @@ class ReactTypeScriptProjectOptions(
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -8319,9 +8942,11 @@ class ReactTypeScriptProjectOptions(
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -8329,12 +8954,14 @@ class ReactTypeScriptProjectOptions(
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -8343,7 +8970,11 @@ class ReactTypeScriptProjectOptions(
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
             check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
@@ -8479,6 +9110,8 @@ class ReactTypeScriptProjectOptions(
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -8511,6 +9144,8 @@ class ReactTypeScriptProjectOptions(
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -8533,12 +9168,16 @@ class ReactTypeScriptProjectOptions(
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -8553,6 +9192,8 @@ class ReactTypeScriptProjectOptions(
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -8565,6 +9206,8 @@ class ReactTypeScriptProjectOptions(
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -8579,8 +9222,16 @@ class ReactTypeScriptProjectOptions(
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
         if build_workflow_options is not None:
@@ -9156,6 +9807,17 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -9290,9 +9952,15 @@ class ReactTypeScriptProjectOptions(
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
 
-        :default: - no max
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
+
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -9301,9 +9969,19 @@ class ReactTypeScriptProjectOptions(
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
 
-        :default: - no "engines" specified
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
+
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -9380,6 +10058,17 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -9443,7 +10132,7 @@ class ReactTypeScriptProjectOptions(
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -9520,6 +10209,19 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -9561,6 +10263,36 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -9656,6 +10388,23 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -9733,6 +10482,19 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -9759,7 +10521,7 @@ class ReactTypeScriptProjectOptions(
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -9828,6 +10590,32 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -9841,6 +10629,28 @@ class ReactTypeScriptProjectOptions(
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -9898,7 +10708,7 @@ class ReactTypeScriptProjectOptions(
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -9909,9 +10719,9 @@ class ReactTypeScriptProjectOptions(
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -10224,7 +11034,7 @@ class ReactTypeScriptProjectOptions(
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -10233,9 +11043,11 @@ class ReactTypeScriptProjectOptions(
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
 
-        :default: - same as ``minNodeVersion``
+        Always use this option if your GitHub Actions workflows require a specific to run.
+
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -10312,7 +11124,7 @@ class ReactTypeScriptProjectOptions(
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -10713,6 +11525,7 @@ class ReactComponentOptions(ReactRewireOptions):
         "bugs_email": "bugsEmail",
         "bugs_url": "bugsUrl",
         "bundled_deps": "bundledDeps",
+        "bun_version": "bunVersion",
         "code_artifact_options": "codeArtifactOptions",
         "deps": "deps",
         "description": "description",
@@ -10729,6 +11542,7 @@ class ReactComponentOptions(ReactRewireOptions):
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "package_manager": "packageManager",
         "package_name": "packageName",
         "peer_dependency_options": "peerDependencyOptions",
@@ -10740,9 +11554,11 @@ class ReactComponentOptions(ReactRewireOptions):
         "scripts": "scripts",
         "stability": "stability",
         "yarn_berry_options": "yarnBerryOptions",
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -10750,12 +11566,14 @@ class ReactComponentOptions(ReactRewireOptions):
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -10764,7 +11582,11 @@ class ReactComponentOptions(ReactRewireOptions):
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "default_release_branch": "defaultReleaseBranch",
         "artifacts_directory": "artifactsDirectory",
+        "audit_deps": "auditDeps",
+        "audit_deps_options": "auditDepsOptions",
         "auto_approve_upgrades": "autoApproveUpgrades",
+        "biome": "biome",
+        "biome_options": "biomeOptions",
         "build_workflow": "buildWorkflow",
         "build_workflow_options": "buildWorkflowOptions",
         "build_workflow_triggers": "buildWorkflowTriggers",
@@ -10849,6 +11671,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         bugs_email: typing.Optional[builtins.str] = None,
         bugs_url: typing.Optional[builtins.str] = None,
         bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+        bun_version: typing.Optional[builtins.str] = None,
         code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
         deps: typing.Optional[typing.Sequence[builtins.str]] = None,
         description: typing.Optional[builtins.str] = None,
@@ -10865,6 +11688,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
         package_name: typing.Optional[builtins.str] = None,
         peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -10876,9 +11700,11 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         stability: typing.Optional[builtins.str] = None,
         yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -10886,12 +11712,14 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -10900,7 +11728,11 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         default_release_branch: builtins.str,
         artifacts_directory: typing.Optional[builtins.str] = None,
+        audit_deps: typing.Optional[builtins.bool] = None,
+        audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
         auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+        biome: typing.Optional[builtins.bool] = None,
+        biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow: typing.Optional[builtins.bool] = None,
         build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
         build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -10981,6 +11813,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         :param bugs_email: (experimental) The email address to which issues should be reported.
         :param bugs_url: (experimental) The url to your project's issue tracker.
         :param bundled_deps: (experimental) List of dependencies to bundle into this module. These modules will be added both to the ``dependencies`` section and ``bundledDependencies`` section of your ``package.json``. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include.
+        :param bun_version: (experimental) The version of Bun to use if using Bun as a package manager. Default: "latest"
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
         :param deps: (experimental) Runtime dependencies of this module. The recommendation is to only specify the module name here (e.g. ``express``). This will behave similar to ``yarn add`` or ``npm install`` in the sense that it will add the module as a dependency to your ``package.json`` file with the latest version (``^``). You can specify semver requirements in the same syntax passed to ``npm i`` or ``yarn add`` (e.g. ``express@^2``) and this will be what you ``package.json`` will eventually include. Default: []
         :param description: (experimental) The description is just a string that helps people understand the purpose of the package. It can be used when searching for packages in a package manager as well. See https://classic.yarnpkg.com/en/docs/package-json/#toc-description
@@ -10990,27 +11823,30 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
         :param licensed: (experimental) Indicates if a license should be added. Default: true
-        :param max_node_version: (experimental) Minimum node.js version to require via ``engines`` (inclusive). Default: - no max
-        :param min_node_version: (experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive). Default: - no "engines" specified
+        :param max_node_version: (experimental) The maximum node version supported by this package. Most projects should not use this option. The value indicates that the package is incompatible with any newer versions of node. This requirement is enforced via the engines field. You will normally not need to set this option. Consider this option only if your package is known to not function with newer versions of node. Default: - no maximum version is enforced
+        :param min_node_version: (experimental) The minimum node version required by this package to function. Most projects should not use this option. The value indicates that the package is incompatible with any older versions of node. This requirement is enforced via the engines field. You will normally not need to set this option, even if your package is incompatible with EOL versions of node. Consider this option only if your package depends on a specific feature, that is not available in other LTS versions. Setting this option has very high impact on the consumers of your package, as package managers will actively prevent usage with node versions you have marked as incompatible. To change the node version of your CI/CD workflows, use ``workflowNodeVersion``. Default: - no minimum version is enforced
         :param npm_access: (experimental) Access level of the npm package. Default: - for scoped packages (e.g. ``foo@bar``), the default is ``NpmAccess.RESTRICTED``, for non-scoped packages, the default is ``NpmAccess.PUBLIC``.
         :param npm_provenance: (experimental) Should provenance statements be generated when the package is published. A supported package manager is required to publish a package with npm provenance statements and you will need to use a supported CI/CD provider. Note that the projen ``Release`` and ``Publisher`` components are using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - true for public packages, false otherwise
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
         :param package_name: (experimental) The "name" in package.json. Default: - defaults to project name
         :param peer_dependency_options: (experimental) Options for ``peerDeps``.
         :param peer_deps: (experimental) Peer dependencies for this module. Dependencies listed here are required to be installed (and satisfied) by the *consumer* of this library. Using peer dependencies allows you to ensure that only a single module of a certain library exists in the ``node_modules`` tree of your consumers. Note that prior to npm@7, peer dependencies are *not* automatically installed, which means that adding peer dependencies to a library will be a breaking change for your customers. Unless ``peerDependencyOptions.pinnedDevDependency`` is disabled (it is enabled by default), projen will automatically add a dev dependency with a pinned version for each peer dependency. This will ensure that you build & test your module against the lowest peer version required. Default: []
-        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "7"
+        :param pnpm_version: (experimental) The version of PNPM to use if using PNPM as a package manager. Default: "9"
         :param repository: (experimental) The repository is the location where the actual code for your package lives. See https://classic.yarnpkg.com/en/docs/package-json/#toc-repository
         :param repository_directory: (experimental) If the package.json for your package is not in the root directory (for example if it is part of a monorepo), you can specify the directory in which it lives.
         :param scoped_packages_options: (experimental) Options for privately hosted scoped packages. Default: - fetch all scoped packages from the public npm registry
         :param scripts: (deprecated) npm scripts to include. If a script has the same name as a standard script, the standard script will be overwritten. Also adds the script as a task. Default: {}
         :param stability: (experimental) Package's Stability.
         :param yarn_berry_options: (experimental) Options for Yarn Berry. Default: - Yarn Berry v4 with all default options
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -11018,28 +11854,34 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param default_release_branch: (experimental) The name of the main release branch. Default: "main"
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
+        :param audit_deps: (experimental) Run security audit on dependencies. When enabled, creates an "audit" task that checks for known security vulnerabilities in dependencies. By default, runs during every build and checks for "high" severity vulnerabilities or above in all dependencies (including dev dependencies). Default: false
+        :param audit_deps_options: (experimental) Security audit options. Default: - default options
         :param auto_approve_upgrades: (experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued). Throw if set to true but ``autoApproveOptions`` are not defined. Default: - true
+        :param biome: (experimental) Setup Biome. Default: false
+        :param biome_options: (experimental) Biome options. Default: - default options
         :param build_workflow: (experimental) Define a GitHub workflow for building PRs. Default: - true if not a subproject
         :param build_workflow_options: (experimental) Options for PR build workflow.
         :param build_workflow_triggers: (deprecated) Build workflow triggers. Default: "{ pullRequest: {}, workflowDispatch: {} }"
         :param bundler_options: (experimental) Options for ``Bundler``.
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
         :param dependabot: (experimental) Use dependabot to handle dependency upgrades. Cannot be used in conjunction with ``depsUpgrade``. Default: false
@@ -11066,8 +11908,8 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
-        :param workflow_node_version: (experimental) The node version to use in GitHub workflows. Default: - same as ``minNodeVersion``
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
+        :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param rewire: (experimental) Rewire webpack configuration. Use this property to override webpack configuration properties provided by create-react-app, without needing to eject. This property will create a ``config-overrides.js`` file in your root directory, which will contain the desired rewiring code. To **override** the configuration, you can provide simple key value pairs. Keys take the form of js code directives that traverse to the desired property. Values should be JSON serializable objects. For example, the following config:: rewire: { "module.unknownContextCritical": false } Will translate to the following ``config-overrides.js`` file:: module.exports = function override(config, env) { config.module.unknownContextCritical = false; } Default: - No rewired config.
         :param sample_code: (experimental) Generate one-time sample in ``src/`` and ``public/`` if there are no files there. Default: true
@@ -11105,6 +11947,10 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             yarn_berry_options = _YarnBerryOptions_b6942539(**yarn_berry_options)
         if isinstance(workflow_runs_on_group, dict):
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
+        if isinstance(audit_deps_options, dict):
+            audit_deps_options = _AuditOptions_429c62df(**audit_deps_options)
+        if isinstance(biome_options, dict):
+            biome_options = _BiomeOptions_452ab984(**biome_options)
         if isinstance(build_workflow_options, dict):
             build_workflow_options = _BuildWorkflowOptions_b756f97f(**build_workflow_options)
         if isinstance(build_workflow_triggers, dict):
@@ -11168,6 +12014,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             check_type(argname="argument bugs_email", value=bugs_email, expected_type=type_hints["bugs_email"])
             check_type(argname="argument bugs_url", value=bugs_url, expected_type=type_hints["bugs_url"])
             check_type(argname="argument bundled_deps", value=bundled_deps, expected_type=type_hints["bundled_deps"])
+            check_type(argname="argument bun_version", value=bun_version, expected_type=type_hints["bun_version"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
             check_type(argname="argument deps", value=deps, expected_type=type_hints["deps"])
             check_type(argname="argument description", value=description, expected_type=type_hints["description"])
@@ -11184,6 +12031,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
             check_type(argname="argument package_name", value=package_name, expected_type=type_hints["package_name"])
             check_type(argname="argument peer_dependency_options", value=peer_dependency_options, expected_type=type_hints["peer_dependency_options"])
@@ -11195,9 +12043,11 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             check_type(argname="argument scripts", value=scripts, expected_type=type_hints["scripts"])
             check_type(argname="argument stability", value=stability, expected_type=type_hints["stability"])
             check_type(argname="argument yarn_berry_options", value=yarn_berry_options, expected_type=type_hints["yarn_berry_options"])
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -11205,12 +12055,14 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -11219,7 +12071,11 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument default_release_branch", value=default_release_branch, expected_type=type_hints["default_release_branch"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
+            check_type(argname="argument audit_deps", value=audit_deps, expected_type=type_hints["audit_deps"])
+            check_type(argname="argument audit_deps_options", value=audit_deps_options, expected_type=type_hints["audit_deps_options"])
             check_type(argname="argument auto_approve_upgrades", value=auto_approve_upgrades, expected_type=type_hints["auto_approve_upgrades"])
+            check_type(argname="argument biome", value=biome, expected_type=type_hints["biome"])
+            check_type(argname="argument biome_options", value=biome_options, expected_type=type_hints["biome_options"])
             check_type(argname="argument build_workflow", value=build_workflow, expected_type=type_hints["build_workflow"])
             check_type(argname="argument build_workflow_options", value=build_workflow_options, expected_type=type_hints["build_workflow_options"])
             check_type(argname="argument build_workflow_triggers", value=build_workflow_triggers, expected_type=type_hints["build_workflow_triggers"])
@@ -11339,6 +12195,8 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             self._values["bugs_url"] = bugs_url
         if bundled_deps is not None:
             self._values["bundled_deps"] = bundled_deps
+        if bun_version is not None:
+            self._values["bun_version"] = bun_version
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
         if deps is not None:
@@ -11371,6 +12229,8 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if package_manager is not None:
             self._values["package_manager"] = package_manager
         if package_name is not None:
@@ -11393,12 +12253,16 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             self._values["stability"] = stability
         if yarn_berry_options is not None:
             self._values["yarn_berry_options"] = yarn_berry_options
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -11413,6 +12277,8 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -11425,6 +12291,8 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -11439,8 +12307,16 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if artifacts_directory is not None:
             self._values["artifacts_directory"] = artifacts_directory
+        if audit_deps is not None:
+            self._values["audit_deps"] = audit_deps
+        if audit_deps_options is not None:
+            self._values["audit_deps_options"] = audit_deps_options
         if auto_approve_upgrades is not None:
             self._values["auto_approve_upgrades"] = auto_approve_upgrades
+        if biome is not None:
+            self._values["biome"] = biome
+        if biome_options is not None:
+            self._values["biome_options"] = biome_options
         if build_workflow is not None:
             self._values["build_workflow"] = build_workflow
         if build_workflow_options is not None:
@@ -11984,6 +12860,17 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("bundled_deps")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def bun_version(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The version of Bun to use if using Bun as a package manager.
+
+        :default: "latest"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bun_version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[_CodeArtifactOptions_e4782b3e]:
         '''(experimental) Options for npm packages using AWS CodeArtifact.
@@ -12118,9 +13005,15 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
 
     @builtins.property
     def max_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum node.js version to require via ``engines`` (inclusive).
+        '''(experimental) The maximum node version supported by this package. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any newer versions of node.
+        This requirement is enforced via the engines field.
 
-        :default: - no max
+        You will normally not need to set this option.
+        Consider this option only if your package is known to not function with newer versions of node.
+
+        :default: - no maximum version is enforced
 
         :stability: experimental
         '''
@@ -12129,9 +13022,19 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
 
     @builtins.property
     def min_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Minimum Node.js version to require via package.json ``engines`` (inclusive).
+        '''(experimental) The minimum node version required by this package to function. Most projects should not use this option.
+
+        The value indicates that the package is incompatible with any older versions of node.
+        This requirement is enforced via the engines field.
+
+        You will normally not need to set this option, even if your package is incompatible with EOL versions of node.
+        Consider this option only if your package depends on a specific feature, that is not available in other LTS versions.
+        Setting this option has very high impact on the consumers of your package,
+        as package managers will actively prevent usage with node versions you have marked as incompatible.
 
-        :default: - no "engines" specified
+        To change the node version of your CI/CD workflows, use ``workflowNodeVersion``.
+
+        :default: - no minimum version is enforced
 
         :stability: experimental
         '''
@@ -12208,6 +13111,17 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def package_manager(self) -> typing.Optional[_NodePackageManager_3eb53bf6]:
         '''(experimental) The Node Package Manager used to execute scripts.
@@ -12271,7 +13185,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
     def pnpm_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) The version of PNPM to use if using PNPM as a package manager.
 
-        :default: "7"
+        :default: "9"
 
         :stability: experimental
         '''
@@ -12348,6 +13262,19 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("yarn_berry_options")
         return typing.cast(typing.Optional[_YarnBerryOptions_b6942539], result)
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -12389,6 +13316,36 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -12484,6 +13441,23 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _BranchOptions_13663d08]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -12561,6 +13535,19 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[_ReleaseTrigger_e4dc221f], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -12587,7 +13574,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -12656,6 +13643,32 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("artifacts_directory")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def audit_deps(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Run security audit on dependencies.
+
+        When enabled, creates an "audit" task that checks for known security vulnerabilities
+        in dependencies. By default, runs during every build and checks for "high" severity
+        vulnerabilities or above in all dependencies (including dev dependencies).
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def audit_deps_options(self) -> typing.Optional[_AuditOptions_429c62df]:
+        '''(experimental) Security audit options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("audit_deps_options")
+        return typing.cast(typing.Optional[_AuditOptions_429c62df], result)
+
     @builtins.property
     def auto_approve_upgrades(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Automatically approve deps upgrade PRs, allowing them to be merged by mergify (if configued).
@@ -12669,6 +13682,28 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
         result = self._values.get("auto_approve_upgrades")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def biome(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Setup Biome.
+
+        :default: false
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def biome_options(self) -> typing.Optional[_BiomeOptions_452ab984]:
+        '''(experimental) Biome options.
+
+        :default: - default options
+
+        :stability: experimental
+        '''
+        result = self._values.get("biome_options")
+        return typing.cast(typing.Optional[_BiomeOptions_452ab984], result)
+
     @builtins.property
     def build_workflow(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Define a GitHub workflow for building PRs.
@@ -12726,7 +13761,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -12737,9 +13772,9 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -13052,7 +14087,7 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
     def workflow_git_identity(self) -> typing.Optional[_GitIdentity_6effc3de]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -13061,9 +14096,11 @@ class ReactProjectOptions(_NodeProjectOptions_d12f6f3b, ReactRewireOptions):
 
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
-        '''(experimental) The node version to use in GitHub workflows.
+        '''(experimental) The node version used in GitHub Actions workflows.
+
+        Always use this option if your GitHub Actions workflows require a specific to run.
 
-        :default: - same as ``minNodeVersion``
+        :default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
 
         :stability: experimental
         '''
@@ -13240,6 +14277,7 @@ def _typecheckingstub__2068b6deaa762f0141179f4dddaab2fd95c220b31368afa8e4275bc0c
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -13256,6 +14294,7 @@ def _typecheckingstub__2068b6deaa762f0141179f4dddaab2fd95c220b31368afa8e4275bc0c
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -13267,9 +14306,11 @@ def _typecheckingstub__2068b6deaa762f0141179f4dddaab2fd95c220b31368afa8e4275bc0c
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -13277,12 +14318,14 @@ def _typecheckingstub__2068b6deaa762f0141179f4dddaab2fd95c220b31368afa8e4275bc0c
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -13291,7 +14334,11 @@ def _typecheckingstub__2068b6deaa762f0141179f4dddaab2fd95c220b31368afa8e4275bc0c
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
     build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -13377,6 +14424,7 @@ def _typecheckingstub__1625ee9ed48b5cb80b54d37b499e6e97e54a05364b23a4e4ec57f4bf3
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -13393,6 +14441,7 @@ def _typecheckingstub__1625ee9ed48b5cb80b54d37b499e6e97e54a05364b23a4e4ec57f4bf3
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -13404,9 +14453,11 @@ def _typecheckingstub__1625ee9ed48b5cb80b54d37b499e6e97e54a05364b23a4e4ec57f4bf3
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -13414,12 +14465,14 @@ def _typecheckingstub__1625ee9ed48b5cb80b54d37b499e6e97e54a05364b23a4e4ec57f4bf3
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -13428,7 +14481,11 @@ def _typecheckingstub__1625ee9ed48b5cb80b54d37b499e6e97e54a05364b23a4e4ec57f4bf3
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
     build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -13593,6 +14650,7 @@ def _typecheckingstub__6fe6b356cc73a5676618b27e8c5049b874449164943781f93c243772e
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -13609,6 +14667,7 @@ def _typecheckingstub__6fe6b356cc73a5676618b27e8c5049b874449164943781f93c243772e
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -13620,9 +14679,11 @@ def _typecheckingstub__6fe6b356cc73a5676618b27e8c5049b874449164943781f93c243772e
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -13630,12 +14691,14 @@ def _typecheckingstub__6fe6b356cc73a5676618b27e8c5049b874449164943781f93c243772e
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -13644,7 +14707,11 @@ def _typecheckingstub__6fe6b356cc73a5676618b27e8c5049b874449164943781f93c243772e
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
     build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -13768,6 +14835,7 @@ def _typecheckingstub__3fe2ab54a9ff384e98c4a85a960cf579b3a335a93d5b485eb74555345
     bugs_email: typing.Optional[builtins.str] = None,
     bugs_url: typing.Optional[builtins.str] = None,
     bundled_deps: typing.Optional[typing.Sequence[builtins.str]] = None,
+    bun_version: typing.Optional[builtins.str] = None,
     code_artifact_options: typing.Optional[typing.Union[_CodeArtifactOptions_e4782b3e, typing.Dict[builtins.str, typing.Any]]] = None,
     deps: typing.Optional[typing.Sequence[builtins.str]] = None,
     description: typing.Optional[builtins.str] = None,
@@ -13784,6 +14852,7 @@ def _typecheckingstub__3fe2ab54a9ff384e98c4a85a960cf579b3a335a93d5b485eb74555345
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_NodePackageManager_3eb53bf6] = None,
     package_name: typing.Optional[builtins.str] = None,
     peer_dependency_options: typing.Optional[typing.Union[_PeerDependencyOptions_99d7d493, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -13795,9 +14864,11 @@ def _typecheckingstub__3fe2ab54a9ff384e98c4a85a960cf579b3a335a93d5b485eb74555345
     scripts: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     stability: typing.Optional[builtins.str] = None,
     yarn_berry_options: typing.Optional[typing.Union[_YarnBerryOptions_b6942539, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -13805,12 +14876,14 @@ def _typecheckingstub__3fe2ab54a9ff384e98c4a85a960cf579b3a335a93d5b485eb74555345
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_BranchOptions_13663d08, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[_ReleaseTrigger_e4dc221f] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -13819,7 +14892,11 @@ def _typecheckingstub__3fe2ab54a9ff384e98c4a85a960cf579b3a335a93d5b485eb74555345
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     default_release_branch: builtins.str,
     artifacts_directory: typing.Optional[builtins.str] = None,
+    audit_deps: typing.Optional[builtins.bool] = None,
+    audit_deps_options: typing.Optional[typing.Union[_AuditOptions_429c62df, typing.Dict[builtins.str, typing.Any]]] = None,
     auto_approve_upgrades: typing.Optional[builtins.bool] = None,
+    biome: typing.Optional[builtins.bool] = None,
+    biome_options: typing.Optional[typing.Union[_BiomeOptions_452ab984, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow: typing.Optional[builtins.bool] = None,
     build_workflow_options: typing.Optional[typing.Union[_BuildWorkflowOptions_b756f97f, typing.Dict[builtins.str, typing.Any]]] = None,
     build_workflow_triggers: typing.Optional[typing.Union[_Triggers_e9ae7617, typing.Dict[builtins.str, typing.Any]]] = None,