chore(deps): update javascript

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@tanstack/react-query (source)	5.90.19 → 5.90.20
typescript-eslint (source)	8.53.0 → 8.53.1

---

Release Notes

TanStack/query (@​tanstack/react-query)

v5.90.20

Compare Source

Patch Changes

• Updated dependencies [e7258c5]:
  • @​tanstack/query-core@​5.90.20

typescript-eslint/typescript-eslint (typescript-eslint)

v8.53.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

---

Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Open in Overmind ↗

---

model|risks_v6
✨Frontend Team Review

🔴 Change Signals

Policies 🔴 ▃▂▁ Multiple S3 buckets are missing required tags and server-side encryption, and security groups allow SSH access from anywhere, which is unusual compared to typical patterns.
Routine 🟢 ▁▂▃▅▇ AWS SNS topic subscriptions showing regular activity with 3 events/week for the last 5 weeks.

View signals ↗

---

🧠 Reasoning · ✖ 0 · ✔ 2

EC2 instance replacement impacting attached storage and network bindings

Observations 2

Hypothesis

Replacement of EC2 instance i-08da37b2839126955 with new AMI ami-091198e2f5f70f409 will terminate and recreate the instance, which may alter instance-level attributes and attachments. During the replacement window, the instance’s ImageId and instance ID will change, and associated resources such as ENIs, EIPs, private IPs, DNS entries, CloudWatch metrics associations, and attached EBS volumes may be detached and reattached or reassociated. EBS volume vol-095ec3866f55d1547 has DeleteOnTermination=true, so it may be deleted when the old instance is terminated, causing potential data loss and downtime for workloads relying on that volume. Overall, there is risk of temporary unavailability, configuration drift in network bindings, and permanent data loss if the volume is not preserved or reattached correctly.

Investigation

The plan replaces EC2 instance i-08da37b2839126955 due to an AMI change (ami-03322ac39441c49ae -> ami-091198e2f5f70f409). The current instance’s root EBS volume vol-095ec3866f55d1547 is attached at /dev/xvda with DeleteOnTermination=true, and the primary ENI eni-05ba243f7cdbf6015 is also attached with DeleteOnTermination=true. On termination, both the root volume and ENI will be deleted. The instance’s private IP is 10.0.101.120, which is statically registered as an IP target in the NLB target group api-health-terraform-example on port 9090 and currently healthy. Because the ENI will be deleted, the replacement instance will get a different ENI and likely a different private IP; there is no corresponding planned change to update the target group registration. This will leave the NLB still targeting 10.0.101.120, resulting in loss of connectivity. Separately, deleting the root volume is guaranteed; any data not baked into the AMI will be lost. Evidence: instance replacement in diff; DeleteOnTermination=true on both the EBS attachment and ENI attachment; EIP shows an update (re-association) but target group and target health show no planned changes while referencing 10.0.101.120.

✔ Hypothesis proven

---

Instance replacement causing ENI, DNS, and ELB target health disruption

Observations 5

Hypothesis

EC2 instance i-08da37b2839126955 replacement (AMI and instance ID change) may disrupt load-balanced and IP/DNS-based traffic because the primary private IP 10.0.101.120 and ENI eni-05ba243f7cdbf6015 can be detached and reattached or reassigned during the rollout. Services and clients that depend on the stable private IP 10.0.101.120 or its DNS mapping may observe connection failures or DNS inconsistencies while the ENI is moved or re-associated. The ELB/ALB target group that routes to 10.0.101.120:9090 may see the target briefly deregistered or marked unhealthy during this process, leading to failed load balancer routing and temporary service interruption until the replacement instance is fully attached, registered, and passes health checks.

Investigation

I reviewed the diff and the current state of the impacted resources. The EC2 instance i-08da37b2839126955 is planned for replacement due to an AMI change. Its primary ENI is eni-05ba243f7cdbf6015 with private IP 10.0.101.120 and EIP 13.134.236.98; the ENI attachment has DeleteOnTermination=true, meaning the ENI and its private IP will be removed when the instance is terminated. The internal NLB listener on TCP 9090 forwards to target group api-health-terraform-example, which is TargetType=ip and currently has a single registered target 10.0.101.120:9090 in healthy state. Because the target group is pinned to an IP, terminating the instance will remove 10.0.101.120 and the target will go unhealthy/deregistered. There is no evidence in the change that preserves or reuses the ENI or guarantees the same private IP; the diff only changes the AMI and triggers replacement. The internal DNS A record ip-10-0-101-120.eu-west-2.compute.internal (TTL 60) and the EIP association will also flap during the cutover. Together this provides strong, concrete evidence of load balancer and DNS disruption during the rollout.

✔ Hypothesis proven

---

🔥 Risks

EC2 replacement will delete the root EBS and ENI, changing the private IP and breaking NLB targeting 10.0.101.120, causing outage and potential data loss ‼️High Open Risk ↗
Replacing the production api-server EC2 instance will terminate the current instance, which deletes its root EBS volume (DeleteOnTermination=true) and its primary ENI (DeleteOnTermination=true). The service is fronted by an internal NLB whose target group is registered to the instance’s current private IP 10.0.101.120 on port 9090 and is presently healthy. When the ENI is deleted during replacement, the new instance will receive a different private IP, but the target group will still point to 10.0.101.120, causing the target to become unhealthy and traffic to fail. Any data stored on the root volume that isn’t part of the AMI will be irretrievably lost when the old instance is terminated.

This will result in immediate outage behind the NLB until the target registration is updated to the new private IP or the original ENI/IP is preserved, and permanent loss of any state kept on the root disk.

Instance replacement will remove ENI and private IP 10.0.101.120, dropping the only NLB target on 9090 and breaking routing ‼️High Open Risk ↗
Replacing the production API server instance switches AMI and causes i-08da37b2839126955 to be terminated along with its primary ENI (DeleteOnTermination=true). That ENI currently holds private IP 10.0.101.120, which is the only registered target in the api-health-terraform-example target group on port 9090.

When the instance is replaced, 10.0.101.120 will be removed and the NLB target 10.0.101.120:9090 will immediately become unhealthy, leaving the listener with zero healthy targets and breaking routing. The internal DNS record ip-10-0-101-120.eu-west-2.compute.internal (TTL 60) and the EIP bound to the ENI will also change during the move, causing additional client connection failures until the new instance is up and re-registered.

---

🟣 Expected Changes

~ ec2-address › 13.134.236.98

--- current
+++ proposed
@@ -9,5 +9,5 @@
   domain: vpc
   id: eipalloc-05a1609afb54e84ed
-  instance: i-08da37b2839126955
+  instance: (known after apply)
   ipam_pool_id: null
   network_border_group: eu-west-2

+/- ec2-instance › i-08da37b2839126955

--- current
+++ proposed
@@ -2,60 +2,52 @@
 id: github.com/overmindtech/terraform-example.ec2-instance.module.api_access[0].aws_instance.api_server
 attributes:
-  ami: ami-03322ac39441c49ae
-  arn: arn:aws:ec2:eu-west-2:540044833068:instance/i-08da37b2839126955
-  associate_public_ip_address: true
-  availability_zone: eu-west-2a
-  capacity_reservation_specification:
-    - capacity_reservation_preference: open
-  cpu_core_count: 2
-  cpu_options:
-    - core_count: 2
-      threads_per_core: 1
-  cpu_threads_per_core: 1
-  credit_specification:
-    - cpu_credits: unlimited
-  disable_api_stop: false
-  disable_api_termination: false
-  ebs_optimized: false
-  enable_primary_ipv6: null
-  enclave_options:
-    - enabled: false
+  ami: ami-091198e2f5f70f409
+  arn: (known after apply)
+  associate_public_ip_address: (known after apply)
+  availability_zone: (known after apply)
+  capacity_reservation_specification: (known after apply)
+  cpu_core_count: (known after apply)
+  cpu_options: (known after apply)
+  cpu_threads_per_core: (known after apply)
+  disable_api_stop: (known after apply)
+  disable_api_termination: (known after apply)
+  ebs_block_device: (known after apply)
+  ebs_optimized: (known after apply)
+  enable_primary_ipv6: (known after apply)
+  enclave_options: (known after apply)
+  ephemeral_block_device: (known after apply)
   get_password_data: false
-  hibernation: false
-  host_resource_group_arn: null
-  id: i-08da37b2839126955
-  instance_initiated_shutdown_behavior: stop
-  instance_state: running
+  hibernation: null
+  host_id: (known after apply)
+  host_resource_group_arn: (known after apply)
+  iam_instance_profile: (known after apply)
+  id: (known after apply)
+  instance_initiated_shutdown_behavior: (known after apply)
+  instance_lifecycle: (known after apply)
+  instance_market_options: (known after apply)
+  instance_state: (known after apply)
   instance_type: t4g.nano
-  ipv6_address_count: 0
-  maintenance_options:
-    - auto_recovery: default
-  metadata_options:
-    - http_endpoint: enabled
-      http_protocol_ipv6: disabled
-      http_put_response_hop_limit: 2
-      http_tokens: required
-      instance_metadata_tags: disabled
-  monitoring: false
-  placement_partition_number: 0
-  primary_network_interface_id: eni-05ba243f7cdbf6015
-  private_dns: ip-10-0-101-120.eu-west-2.compute.internal
-  private_dns_name_options:
-    - enable_resource_name_dns_a_record: false
-      enable_resource_name_dns_aaaa_record: false
-      hostname_type: ip-name
-  private_ip: 10.0.101.120
-  public_dns: ec2-13-134-236-98.eu-west-2.compute.amazonaws.com
-  public_ip: 13.134.236.98
-  root_block_device:
-    - delete_on_termination: true
-      device_name: /dev/xvda
-      encrypted: false
-      iops: 3000
-      throughput: 125
-      volume_id: vol-095ec3866f55d1547
-      volume_size: 30
-      volume_type: gp3
+  ipv6_address_count: (known after apply)
+  ipv6_addresses: (known after apply)
+  key_name: (known after apply)
+  maintenance_options: (known after apply)
+  metadata_options: (known after apply)
+  monitoring: (known after apply)
+  network_interface: (known after apply)
+  outpost_arn: (known after apply)
+  password_data: (known after apply)
+  placement_group: (known after apply)
+  placement_partition_number: (known after apply)
+  primary_network_interface_id: (known after apply)
+  private_dns: (known after apply)
+  private_dns_name_options: (known after apply)
+  private_ip: (known after apply)
+  public_dns: (known after apply)
+  public_ip: (known after apply)
+  root_block_device: (known after apply)
+  secondary_private_ips: (known after apply)
+  security_groups: (known after apply)
   source_dest_check: true
+  spot_instance_request_id: (known after apply)
   subnet_id: subnet-07b5b1fb2ba02f964
   tags:
@@ -73,10 +62,10 @@
     Service: core-api
     Team: platform
-  tenancy: default
+  tenancy: (known after apply)
   terraform_address: module.api_access[0].aws_instance.api_server
   terraform_name: module.api_access[0].aws_instance.api_server
   timeouts: null
   user_data: 81da62125f9a922120a56e2408e5798a6cdef634
-  user_data_base64: null
+  user_data_base64: (known after apply)
   user_data_replace_on_change: true
   volume_tags: null

---

🟠 Unmapped Changes

+/- aws_lb_target_group_attachment › module.api_access[0].aws_lb_target_group_attachment.api_server_ip

--- current
+++ proposed
@@ -3,8 +3,8 @@
 attributes:
   availability_zone: all
-  id: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-health-terraform-example/b062866b5f0bf0e0-20260122024423351300000002
+  id: (known after apply)
   port: 9090
   target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-health-terraform-example/b062866b5f0bf0e0
-  target_id: 10.0.101.120
+  target_id: (known after apply)
   terraform_address: module.api_access[0].aws_lb_target_group_attachment.api_server_ip
   terraform_name: module.api_access[0].aws_lb_target_group_attachment.api_server_ip

+ aws_sns_topic_subscription › module.api_access[0].aws_sns_topic_subscription.oncall_email

--- current
+++ proposed
@@ -0,0 +1,22 @@
+type: aws_sns_topic_subscription
+id: github.com/overmindtech/terraform-example.aws_sns_topic_subscription.module.api_access[0].aws_sns_topic_subscription.oncall_email
+attributes:
+  arn: (known after apply)
+  confirmation_timeout_in_minutes: 1
+  confirmation_was_authenticated: (known after apply)
+  delivery_policy: null
+  endpoint: alerts@example.com
+  endpoint_auto_confirms: false
+  filter_policy: null
+  filter_policy_scope: (known after apply)
+  id: (known after apply)
+  owner_id: (known after apply)
+  pending_confirmation: (known after apply)
+  protocol: email
+  raw_message_delivery: false
+  redrive_policy: null
+  replay_policy: null
+  subscription_role_arn: null
+  terraform_address: module.api_access[0].aws_sns_topic_subscription.oncall_email
+  terraform_name: module.api_access[0].aws_sns_topic_subscription.oncall_email
+  topic_arn: arn:aws:sns:eu-west-2:540044833068:production-api-alerts

---

💥 Blast Radius

Items 18

Edges 44

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🟢 +4

---

🔥 Risks Summary

High 1 · Medium 0 · Low 0

---

💥 Blast Radius

Items 55 · Edges 92

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +5

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +2

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 22 · Edges 63

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +2

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 32 · Edges 72

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +5

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 18 · Edges 44

---

View full analysis in Overmind ↗