For the full list of changes, check out the Webiny 6.4.4external link release on GitHub.

Infrastructure
anchor

Custom Production Environments Are Now Recognized During Deployment (#5371external link)
anchor

Marking an environment as a production environment via the Infra.ProductionEnvironments setting in webiny.config.tsx previously had no effect — only the built-in prod and production names were treated as production, so custom environments (like stage) never received production-grade infrastructure such as a VPC. Configured production environments are now correctly recognized and deployed with the appropriate production setup.

If an environment was already deployed before being marked as production, the next deploy will create the VPC, move existing Lambdas into it, add VPC endpoints, and enable resource protection. This is a disruptive infrastructure migration that may replace resources and cause downtime. Review pulumi preview carefully and deploy during a maintenance window.

Development
anchor

Faster Stack Output Reads via Local Caching (#5375external link)
anchor

Every stack output lookup previously ran a Pulumi command, which made repeated reads slow—especially during deploys, watch mode, and output lookups that query the same stack multiple times. Stack outputs are now cached locally (under .webiny/caches/stack-output) and reused on subsequent reads. The cache is automatically cleared when an app is destroyed, so results always stay accurate.

Admin
anchor

Cognito Federation and Multi-Factor Authentication Support (#5376external link)
anchor

Webiny now supports federated sign-in through Amazon Cognito, allowing users to authenticate via external identity providers such as Google, Facebook, Apple, Amazon, and any OIDC-compliant provider (e.g., Microsoft Entra ID). This eliminates the need for users to manage separate Webiny credentials when your organization already has an identity provider in place.

To enable federation, use the federation prop on the <Cognito /> extension:

Federated users are automatically detected via the identities claim in the JWT token and flagged as external, triggering the ExternalIdpUserSyncHandler for identity mapping and provisioning.

The login screen can be customized through the adminConfig extension point to control which providers appear, whether username/password credentials are shown, and to set custom titles or descriptions.

For new deployments, the custom:id attribute maximum length has been increased to 256 characters to accommodate longer OIDC sub values from some identity providers. Existing deployments retain the 36-character limit.