
chore(deps): lock file maintenance#515

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/lock-file-maintenance

Conversation

@renovate

@renovate renovate Bot commented Mar 30, 2026

Contributor

This PR contains the following updates:

Update              | Change
--------------------|--------------------
lockFileMaintenance | All locks refreshed

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "before 4am on monday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Renovatebot and dependabot updates label Mar 30, 2026
@renovate renovate Bot enabled auto-merge (squash) March 30, 2026 01:03
@github-actions

github-actions Bot commented Mar 30, 2026


Caution

[High Risk] New production API server will be directly reachable due to public-subnet placement and attached access security groups

The change creates a new production EC2 instance, github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server, in subnet-07b5b1fb2ba02f964, which is a public workload subnet in vpc-02901bcbb89561298. That instance will attach sg-03cf38efd953aa056, a customer access security group that permits inbound 443 from many external CIDRs, alongside sg-089e5107637083db5 for internal access. This violates the organization’s requirement that EC2 instances must not be directly reachable from the internet and should live in private subnets.

The hypothesis’s specific claim about an ARM/x86 AMI mismatch is not supported: the planned AMI ami-094a672d31f16d3f8 is Amazon Linux 2023 arm64, which is compatible with t4g.nano, and there is no evidence the instance will reuse vol-0ba7f3490f8618b04. The real failure mode is a security exposure: this change introduces a new production API instance with external network reachability and without any shown hardening controls that would keep it behind only the load balancer. If the instance receives a public address at launch, it will be directly accessible from customer networks, expanding the attack surface and bypassing the intended private-instance model.

Caution

[High Risk] New production API instance launches without a confirmed IAM role and exposes a new network service on port 9090

The change creates github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server, a production-tagged EC2 instance in subnet-07b5b1fb2ba02f964, without an explicit IAM instance profile while its user_data starts an HTTP service on 0.0.0.0:9090. That violates the organization’s EC2 hardening standard for role-based machine access and introduces a new service bound on all interfaces instead of being limited to localhost or a tightly scoped listener. An existing instance profile already exists in the environment, so this is not just an unavoidable unknown; the change is launching a new instance without showing that least-privilege identity is attached.

The instance is also attached to security groups that permit inbound 9090 from 10.0.0.0/8, and the same plan creates a target group attachment on port 9090 to register it behind api-health-terraform-example. Even though the subnet currently has MapPublicIpOnLaunch = false, the service will still be reachable across a very broad internal address space and through load-balancer plumbing, creating unnecessary attack surface and bypassing the org requirement that EC2 instances not be directly exposed. This is a real security risk under SEC06-BP03, SEC05-BP01, and REL02-BP01.

Signals

Routine → Multiple AWS compute and access resources showing unusual configuration activity at 1 event/week for the last 3 months, with related resources at 2 events/week for the last 3 months, which is infrequent compared to typical patterns.
Policies → Multiple infrastructure resources showing unusual policy violations that may need review: an S3 bucket does not have server-side encryption configured and is missing required tags, while a security group allows SSH port 22 access from anywhere 0.0.0.0/0.

Additional Change Details: Items 64 · Edges 196 · model: risks_v6 · Encryption Key State Risk · KMS Key Creation

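As an added, runnable illustration of the hardening rules the Overmind comment above applies (this is editor-written example code, not Overmind's, Renovate's or the terraform-example repository's own), the following Python script evaluates the same checks over a plan in `terraform show -json` form: an EC2 instance without an IAM instance profile, placement in a public subnet, user_data that binds a service to all interfaces, a security group admitting SSH from 0.0.0.0/0, an S3 bucket with no server-side encryption configuration, and missing required tags. The embedded plan is constructed to mirror the comment's findings; the addresses `aws_security_group.bastion`, `aws_s3_bucket.logs` / `.data`, the `REQUIRED_TAGS` list, the user_data contents and the `public_subnets` parameter are assumptions. The subnet list is a parameter because a plan does not carry the MapPublicIpOnLaunch or route-table facts that make a subnet public; the comment obtained those from the live environment.

```python
"""Offline policy checks over a Terraform plan (`terraform show -json plan.out`).

Added example for this page; not Overmind's, Renovate's or terraform-example's
code. SAMPLE_PLAN is constructed to mirror the bot comment's findings; its
addresses and attribute values are illustrative assumptions.
"""
import re
from typing import Any, Iterable

REQUIRED_TAGS = ("Environment", "Owner")   # assumed org tagging policy
TAGGED_TYPES = {"aws_instance", "aws_s3_bucket"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
Finding = tuple[str, str, str]             # (severity, resource address, message)

# Constructed sample plan: a subset of the `terraform show -json` schema.
SAMPLE_PLAN: dict[str, Any] = {"resource_changes": [
    {"address": "module.api_access[0].aws_instance.api_server", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {
         "instance_type": "t4g.nano",
         "subnet_id": "subnet-07b5b1fb2ba02f964",
         "associate_public_ip_address": None,      # unset: inherits the subnet default
         "iam_instance_profile": None,             # no role attached
         "vpc_security_group_ids": ["sg-03cf38efd953aa056", "sg-089e5107637083db5"],
         "user_data": "#!/bin/bash\n./api --listen 0.0.0.0:9090\n",  # assumed contents
         "tags": {"Environment": "production"}}}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp",
          "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
         {"from_port": 443, "to_port": 443, "protocol": "tcp",
          "cidr_blocks": ["203.0.113.0/24"], "ipv6_cidr_blocks": []}]}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs", "tags": {}}}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-data",
                "tags": {"Environment": "production", "Owner": "platform"}}}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "change": {"actions": ["create"], "after": {"bucket": "example-data"}}},
    {"address": "aws_instance.old", "type": "aws_instance",
     "change": {"actions": ["delete"], "after": None}},   # deletions are skipped
]}


def _planned(plan: dict[str, Any]) -> list[dict[str, Any]]:
    """Resources that will exist after apply (creates and updates with a known `after`)."""
    return [rc for rc in plan.get("resource_changes", [])
            if set(rc["change"]["actions"]) & {"create", "update"}
            and rc["change"].get("after") is not None]


def _covers_port(rule: dict[str, Any], port: int) -> bool:
    """True if an SG ingress rule admits `port`; protocol "-1" means every port."""
    if str(rule.get("protocol")) == "-1":
        return True
    return int(rule.get("from_port", 0)) <= port <= int(rule.get("to_port", 65535))


def check_plan(plan: dict[str, Any], public_subnets: Iterable[str] = ()) -> list[Finding]:
    """Apply the hardening rules cited in the bot comment and return findings."""
    public = set(public_subnets)
    resources = _planned(plan)
    # Buckets covered by an SSE configuration in the same plan. A `bucket = aws_s3_bucket.x.id`
    # reference is unknown until apply and would land in `after_unknown`; not resolved here.
    encrypted = {rc["change"]["after"].get("bucket") for rc in resources
                 if rc["type"] == "aws_s3_bucket_server_side_encryption_configuration"}
    findings: list[Finding] = []
    for rc in resources:
        addr, rtype, after = rc["address"], rc["type"], rc["change"]["after"]
        if rtype == "aws_instance":
            if not after.get("iam_instance_profile"):
                findings.append(("high", addr, "no IAM instance profile attached"))
            if after.get("associate_public_ip_address") or after.get("subnet_id") in public:
                findings.append(("high", addr, f"placed in public subnet {after.get('subnet_id')}"))
            if re.search(r"0\.0\.0\.0(:\d+)?|\[::\]", after.get("user_data") or ""):
                findings.append(("high", addr, "user_data starts a service bound to all interfaces"))
        if rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = set((rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or []))
                if not cidrs & WORLD_CIDRS:
                    continue
                if _covers_port(rule, 22):
                    findings.append(("high", addr, "SSH (22) reachable from 0.0.0.0/0 or ::/0"))
                else:
                    findings.append(("medium", addr, f"ports {rule.get('from_port')}-{rule.get('to_port')} open to the world"))
        if rtype == "aws_s3_bucket" and after.get("bucket") not in encrypted:
            findings.append(("medium", addr, "no server-side encryption configuration in this plan"))
        if rtype in TAGGED_TYPES:
            missing = [k for k in REQUIRED_TAGS if k not in (after.get("tags") or {})]
            if missing:
                findings.append(("low", addr, "missing required tags: " + ", ".join(missing)))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Roll findings up the way the bot's 'High n · Medium n · Low n' line does."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    found = check_plan(SAMPLE_PLAN, public_subnets={"subnet-07b5b1fb2ba02f964"})
    for sev, addr, msg in found:
        print(f"[{sev:6}] {addr}: {msg}")
    print(severity_counts(found))
```

Run against a real plan with `json.load(open("plan.json"))` after `terraform show -json plan.out > plan.json`; the public-subnet finding is only raised when the caller names the subnet, which matches the comment's point that exposure depends on subnet placement, not on the instance resource alone.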

@github-actions github-actions Bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 7 · Edges 23



@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 3fd51c8 to b10726c Compare April 1, 2026 20:15

@github-actions github-actions Bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Found 2 high risks requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 2 · Medium 0 · Low 0


💥 Blast Radius

Items 83 · Edges 189



@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from b10726c to 396ab5a Compare April 8, 2026 21:04

@github-actions github-actions Bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 1 · Medium 1 · Low 0


💥 Blast Radius

Items 92 · Edges 260



@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 396ab5a to 889e6e2 Compare April 16, 2026 11:46

@github-actions github-actions Bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Found 2 high risks requiring review


📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3


🔥 Risks Summary

High 2 · Medium 0 · Low 0


💥 Blast Radius

Items 57 · Edges 126



@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from fca3a13 to 44996da Compare April 30, 2026 15:09
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from 12d954a to 573a99e Compare May 18, 2026 10:17
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from 3518912 to 0f85806 Compare June 1, 2026 21:30
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 0f85806 to 87f954e Compare June 11, 2026 10:58