chore(deps): update javascript

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@tanstack/react-query (source)	5.90.20 → 5.90.21
@types/node (source)	22.19.10 → 22.19.11
typescript-eslint (source)	8.54.0 → 8.55.0

---

Release Notes

TanStack/query (@​tanstack/react-query)

v5.90.21

Compare Source

Patch Changes

• refactor(react-query/useQueries): remove unreachable 'willFetch' branch in suspense promise collection (#​10082)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.55.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

---

Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Open in Overmind ↗

---

model|risks_v6
✨Encryption Key State Risk ✨KMS Key Creation

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ AWS instance resources showing infrequent updates with only 1 event/week for the last 6 weeks, which is unusual compared to typical patterns.
Policies 🔴 ▃▂▁ S3 bucket resources are missing required tags and lack server-side encryption, while security groups allow SSH access from anywhere, which is a security risk and unusual compared to typical patterns.

View signals ↗

---

🔥 Risks

Tip

✔ All risks disproven

We investigated 3 potential risks across 23 resources and verified each was safe. See the investigation details below.

---

🧠 Reasoning · ✖ 3 · ✔ 0

Public/EIP address changes impacting external reachability and DNS

Observations 2

Hypothesis

Changes to public IP addresses and Elastic IP (EIP) associations can disrupt any external dependency on a stable public IP. Updating the public IP 13.134.236.98 or modifying the EIP association for ENI eni-020b762e197effb8a (AllocationId/AssociationId/PublicIp) may invalidate DNS records pointing at the old IP, break firewall or security rules that whitelist the previous IP, and impact external clients relying on fixed addressing. This can cause DNS resolution failures, loss of external connectivity, and security policy mismatches for services exposed on this address.

Investigation

The evidence does not show a change to the public IP itself. The EIP resource 540044833068.eu-west-2.ec2-address.13.134.236.98 is marked as updated but its diff is empty, and blast radius shows it retains AllocationId eipalloc-05a1609afb54e84ed and PublicIp 13.134.236.98 associated to ENI eni-020b762e197effb8a and instance i-06454595ec548264a. The AWS-provided DNS record ec2-13-134-236-98.eu-west-2.compute.amazonaws.com continues to resolve to 13.134.236.98 (TTL 20). The planned change that will replace the EC2 instance (i-06454595ec548264a) and the target group attachment implies the EIP association will be reattached to the new instance/ENI, but the public address itself remains 13.134.236.98. Therefore, the hypothesized failures—DNS records pointing at an old IP, external firewalls whitelisting a previous IP, and clients relying on a fixed public address—do not apply here because the fixed public IP is not changing. There may be brief re-association during replacement, but that is not the DNS/whitelist breakage described. No concrete evidence of public IP rotation or removal is present in the diffs.

✖ Hypothesis disproven

---

EBS DeleteOnTermination during instance replacement causing data loss

Observations 1

Hypothesis

Instance replacement where EBS volumes have DeleteOnTermination=true on their original attachment can lead to unintended volume deletion. For volume vol-0e2b4296b2bd81424, detaching and reattaching during replacement of its EC2 instance risks the volume being deleted when the original instance/attachment is terminated. This can cause permanent data loss and service disruption for any workload relying on data stored on this volume.

Investigation

What I checked:

• Current state shows volume vol-0e2b4296b2bd81424 attached to i-06454595ec548264a as the root device /dev/xvda with DeleteOnTermination=true on the attachment. The instance’s BlockDeviceMappings also show /dev/xvda with DeleteOnTermination=true. This indicates it is the instance’s root EBS volume, not a separate data disk. (Blast radius data)
• Planned changes replace the EC2 instance due to an AMI change. No planned diff indicates detaching and reattaching vol-0e2b4296b2bd81424 or preserving it; the volume is implicitly tied to the instance resource and will be handled according to its DeleteOnTermination flag. (Planned changes data)
• AWS documentation confirms that, by default, the root EBS volume has DeleteOnTermination=true and is deleted when the instance is terminated. This is expected behavior during instance replacement; only volumes with DeleteOnTermination=false are preserved. There is no detach/reattach step for a root volume in this workflow. (docs.aws.amazon.com)
  Why I decided false:
• The hypothesis assumes detaching and reattaching the same volume during replacement, which is not occurring here. The instance replacement will create a new instance (with a new root volume from the new AMI) and terminate the old one, which then deletes its root volume per the documented default behavior. (docs.aws.amazon.com)
• While deleting the old root volume would cause data loss if application data were incorrectly stored there, we have no evidence that persistent workload data resides on this root volume. Without concrete evidence of such reliance, this is a theoretical concern rather than a verified risk for this change.

✖ Hypothesis disproven

---

Instance replacement changing private IP/ENI affecting internal DNS and load balancers

Observations 5

Hypothesis

Replacing EC2 instance i-06454595ec548264a (including AMI changes) may alter or release its private IPs and ENI attachments, affecting both internal DNS and load balancer target registrations. If ENI eni-020b762e197effb8a or IPs 10.0.101.48, 10.50.102.66, and 10.50.101.182 are detached or reassigned, the internal DNS name ip-10-0-101-48.eu-west-2.compute.internal may point to an incorrect or unused address, and ELB/NLB targets using 10.0.101.48:9090 and other private IPs may become unhealthy or detached. This can break internal connectivity and cause traffic disruption or failed health checks for target groups such as api-health-terraform-example and monitoring/internal load balancers.

Investigation

What’s changing: the EC2 instance i-06454595ec548264a is being replaced due to an AMI change, and Terraform also plans to replace the aws_lb_target_group_attachment that registers this host with the Network Load Balancer target group. The EIP resource is updated as well. The current state shows the instance’s primary ENI eni-020b762e197effb8a with private IP 10.0.101.48 and DeleteOnTermination=true, and the NLB target group api-health-terraform-example (target type ip, port 9090) currently has target 10.0.101.48 healthy.

By AWS design, the primary ENI is deleted when an instance is terminated unless Delete on termination is cleared, which releases its private IP. So the replacement will indeed result in a new ENI and typically a new private IP. (repost.aws) However, the plan concurrently replaces the aws_lb_target_group_attachment, and for an IP-type target group that attachment’s target_id must be the IP address. This indicates Terraform will re-register whatever the new private IP becomes, keeping the load balancer in sync rather than leaving a stale 10.0.101.48 entry. (typeerror.org) The internal EC2-provided DNS name ip-10-0-101-48.eu-west-2.compute.internal is simply derived from that IP and not referenced by the NLB; without evidence of any consumers depending on that specific hostname, there’s no concrete failure mechanism tied to DNS here. The current target remains healthy and there’s no sign of hard-coded IPs outside Terraform.

Net: while the instance’s private IP will change on replacement, the plan already updates the load balancer target attachment to follow the new IP, so the claimed risk of long-lived stale IPs/ENI causing broken internal DNS or NLB registrations is not supported. (There could still be brief disruption if there’s only one target and no create-before-destroy, but that’s a different concern than the hypothesis.)

✖ Hypothesis disproven

---

💥 Blast Radius

Items 23

Edges 56

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🟢 +4

---

🔥 Risks Summary

High 1 · Medium 0 · Low 0

---

💥 Blast Radius

Items 55 · Edges 92

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +5

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +2

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 22 · Edges 63

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +2

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 32 · Edges 72

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +5

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 18 · Edges 44

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 23 · Edges 56

---

View full analysis in Overmind ↗