chore(deps): update javascript

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@tailwindcss/postcss (source)	4.2.2 → 4.3.0
@tanstack/react-query (source)	5.95.2 → 5.100.10
@types/node (source)	24.12.0 → 24.12.3
autoprefixer	10.4.27 → 10.5.0
eslint (source)	10.1.0 → 10.3.0
eslint-plugin-react-hooks (source)	7.0.1 → 7.1.1
globals	17.4.0 → 17.6.0
lovable-tagger	1.1.13 → 1.3.0
lucide-react (source)	1.6.0 → 1.14.0
postcss (source)	8.5.8 → 8.5.14
react (source)	19.2.4 → 19.2.6
react-dom (source)	19.2.4 → 19.2.6
react-hook-form (source)	7.72.0 → 7.75.0
react-resizable-panels (source)	4.7.5 → 4.11.0
react-router-dom (source)	7.13.2 → 7.15.0
recharts	3.8.0 → 3.8.1
tailwind-merge	3.5.0 → 3.6.0
tailwindcss (source)	4.2.2 → 4.3.0
typescript (source)	6.0.2 → 6.0.3
typescript-eslint (source)	8.57.2 → 8.59.2
vite (source)	8.0.2 → 8.0.12
zod (source)	4.3.6 → 4.4.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

TanStack/query (@​tanstack/react-query)

v5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

v5.100.9

Compare Source

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

v5.100.8

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.8

v5.100.7

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.7

v5.100.6

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.6

v5.100.5

Compare Source

Patch Changes

• Updated dependencies [a53ef97]:
  • @​tanstack/query-core@​5.100.5

v5.100.4

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.4

v5.100.3

Compare Source

Patch Changes

• fix(suspense): skip calling combine when queries would suspend (#​10576)

• Updated dependencies [f85d825]:

  • @​tanstack/query-core@​5.100.3

v5.100.2

Patch Changes

• Updated dependencies [ea4497e, d6a7bf3, 645d5d1]:
  • @​tanstack/query-core@​5.100.2

v5.100.1

Patch Changes

• Updated dependencies [1bb0d23]:
  • @​tanstack/query-core@​5.100.1

v5.100.0

Compare Source

Patch Changes

• Updated dependencies [6540a41]:
  • @​tanstack/query-core@​5.100.0

v5.99.2

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.2

v5.99.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.1

v5.99.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.0

v5.98.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.98.0

v5.97.0

Compare Source

Patch Changes

• Updated dependencies [2bfb12c]:
  • @​tanstack/query-core@​5.97.0

v5.96.2

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.96.2

v5.96.1

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.96.1

v5.96.0

Compare Source

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.96.0

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

eslint/eslint (eslint)

v10.3.0

Compare Source

v10.2.1

Compare Source

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

facebook/react (eslint-plugin-react-hooks)

v7.1.1

Compare Source

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #​36307)

v7.1.0

Compare Source

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​nicolo-ribaudo in #​35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #​35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #​35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #​35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #​35134, @​josephsavona in #​35147, @​jackpope in #​35214, @​chesnokov-tony in #​35419, @​jsleitor in #​36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #​35893, @​kolvian in #​35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #​35873–#​35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #​35348, @​josephsavona in #​34963)

sindresorhus/globals (globals)

v17.6.0

Compare Source

v17.5.0

Compare Source

lucide-icons/lucide (lucide-react)

v1.14.0: Version 1.14.0

Compare Source

What's Changed

• feat(icons): added repeat-off icon by @​jguddas in #​3102

Full Changelog: lucide-icons/lucide@1.13.0...1.14.0

v1.13.0: Version 1.13.0

Compare Source

What's Changed

• fix(docs): sync URL params with UI state on categories page by @​taimar in #​4111
• feat(icons): add waves-vertical icon by @​jamiemlaw in #​3867

Full Changelog: lucide-icons/lucide@1.12.0...1.13.0

v1.12.0: Version 1.12.0

Compare Source

What's Changed

• feat(icon): add folder-bookmark icon by @​swastik7805 in #​4262
• docs(readme): Update readme files by @​ericfennis in #​4320
• feat(icons): added astroid icon by @​whoisBugsbunny in #​4217

Full Changelog: lucide-icons/lucide@1.10.0...1.12.0

v1.11.0: Version 1.11.0

Compare Source

What's Changed

• docs: add missing period to TypeScript Support description by @​jglu in #​4309
• fix(@​lucide/svelte): proper doc comments for svelte components by @​blt-r in #​4267
• chore(deps): bump svgo from 3.3.2 to 3.3.3 by @​dependabot[bot] in #​4119
• chore(deps-dev): bump astro from 6.0.8 to 6.1.6 by @​dependabot[bot] in #​4310
• feat(icons): add power and quick tags to zap and zap-off by @​swastik7805 in #​4268
• test(build-font): added comprehensive unit tests on build-font tool by @​karsa-mistmere in #​4315
• feat(docs): blur background of framework-select by @​Spleefies in #​4238
• feat(icon): add heart-x icon by @​swastik7805 in #​4264
• fix(icons): optimised rotate-3d icon by @​jamiemlaw in #​4299
• feat(icons): added layers-minus icon by @​Spleefies in #​4005
• feat(icons): added bell-check icon by @​pettelau in #​4152

New Contributors

• @​jglu made their first contribution in #​4309
• @​pettelau made their first contribution in #​4152

Full Changelog: lucide-icons/lucide@1.9.0...1.11.0

v1.10.0: Version 1.10.0

Compare Source

What's Changed

• docs: add missing period to TypeScript Support description by @​jglu in #​4309
• fix(@​lucide/svelte): proper doc comments for svelte components by @​blt-r in #​4267
• chore(deps): bump svgo from 3.3.2 to 3.3.3 by @​dependabot[bot] in #​4119
• chore(deps-dev): bump astro from 6.0.8 to 6.1.6 by @​dependabot[bot] in #​4310
• feat(icons): add power and quick tags to zap and zap-off by @​swastik7805 in #​4268
• test(build-font): added comprehensive unit tests on build-font tool by @​karsa-mistmere in #​4315
• feat(docs): blur background of framework-select by @​Spleefies in #​4238
• feat(icon): add heart-x icon by @​swastik7805 in #​4264
• fix(icons): optimised rotate-3d icon by @​jamiemlaw in #​4299
• feat(icons): added layers-minus icon by @​Spleefies in #​4005
• feat(icons): added bell-check icon by @​pettelau in #​4152

New Contributors

• @​jglu made their first contribution in #​4309
• @​pettelau made their first contribution in #​4152

Full Changelog: lucide-icons/lucide@1.9.0...1.10.0

v1.9.0: Version 1.9.0

Compare Source

What's Changed

• fix(packages/angular): allow string inputs for size by @​swastik7805 in #​4253
• fix(gh-icon): update colors for ColoredPath component by @​jguddas in #​4233
• feat(packages): use .mjs for ESM bundles by @​karsa-mistmere in #​4285
• fix(build-font): add collision detection to font codepoints by @​karsa-mistmere in #​4300
• feat(icons): added timeline icon by @​jguddas in #​4270

New Contributors

• @​swastik7805 made their first contribution in #​4253

Full Changelog: lucide-icons/lucide@1.8.0...1.9.0

v1.8.0: Version 1.8.0

Compare Source

What's Changed

• docs(packages/angular): add packageDirname for @​lucide/angular by @​rhutchison in #​4211
• chore(icons): Username change knarlix to RajnishKMehta by @​RajnishKMehta in #​4208
• ci(@​lucide/angular): Fix publishing problem by @​ericfennis in #​4213
• docs: fix broken links in pull_request_template.md (got 404 page) by @​whoisBugsbunny in #​4224
• fix(lucide-static): add viewBox to sprite symbol elements by @​TomaTV in #​4223
• docs: Fix link to icon design principles in statement by @​whoisBugsbunny in #​4225
• feat(docs): add Zephyr Cloud to Hero Backers tier by @​karsa-mistmere in #​4226
• fix(icons): fixes gap issues in radio-off.svg by @​karsa-mistmere in #​4227
• fix(icons): renamed text-select to square-dashed-text by @​jguddas in #​3943
• fix(docs): improve mobile layout of v1 banner by @​karsa-mistmere in #​4254
• fix(@​lucide/svelte): aria-hidden="true" was never set by @​blt-r in #​4234
• fix(icons): remove ui/ux tag from heart-minus, add delete instead by @​karsa-mistmere in #​4266
• chore(deps-dev): bump vite from 7.3.1 to 7.3.2 by @​dependabot[bot] in #​4276
• chore(deps): bump lodash-es from 4.17.23 to 4.18.1 by @​dependabot[bot] in #​4251
• chore(deps): bump vite from 5.4.21 to 6.4.2 by @​dependabot[bot] in #​4286
• feat(docs): use initOnMounted: true for useSessionStorage in CarbonAdOverlay by @​karsa-mistmere in #​4275
• feat(icons): added bookmark-off icon by @​ZeenatLawal in #​4283

New Contributors

• @​rhutchison made their first contribution in #​4211
• @​whoisBugsbunny made their first contribution in #​4224
• @​TomaTV made their first contribution in #​4223
• @​blt-r made their first contribution in #​4234
• @​ZeenatLawal made their first contribution in #​4283

Full Changelog: lucide-icons/lucide@1.7.0...1.8.0

v1.7.0: Version 1.7.0

Compare Source

What's Changed

• fix(lucide-react): Fix dynamic imports by @​ericfennis in #​4210
• feat(icons): added map-pin-search icon by @​TonySullivan in #​4125

New Contributors

• @​TonySullivan made their first contribution in #​4125

Full Changelog: lucide-icons/lucide@1.6.0...1.7.0

postcss/postcss (postcss)

v8.5.14

Compare Source

• Fixed custom syntax regression (by @​43081j).

v8.5.13

Compare Source

• Fixed postcss-scss commend regression.

v8.5.12

Compare Source

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

v8.5.11

Compare Source

• Fixed nested brackets parsing performance (by @​offset).

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

facebook/react (react)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

• Type hardening and performance improvements
  (by @​eps1lon and @​unstubbable)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

react-hook-form/react-hook-form (react-hook-form)

v7.75.0: Version 7.75.0

Compare Source

🦧 feat: improve get dirty fields prune empty fields (#​13363)

+ dirtyFields: { test: [{ data: false }] }
- dirtyFields: {} // removed the empty node with false value

🎹 typescript 6.0 (#​13330)
🌡️ chore: minor improvement on setValue & reset (#​13366)
🐞 fix #​13403: include setValues in FormProvider context value (#​13404)
🐞 fix: recompute isDirty after re-registering a previously unregistered field (#​13399)
🐞 fix: preserve watch updates on field array unmount fixes #​13375 (#​13385)
🐞 fix: prevent useWatch re-render when unrelated field validation is … (#​13398)

thanks to @​dfedoryshchev, @​cyky & @​gkarabelos

v7.74.0: Version 7.74.0

Compare Source

🪇 feat: setValues (#​13201)

setValues((data) => {
  return {
    ...data,
    name: 'test'
  }
})

setValues(formValues);

🐞 fix: preserve previous field value when useController name changes (#​13395)
🐞 fix: handle null parent when unregistering nested field (#​13396)
🐞 fix: treat NaN as empty when valueAsNumber is true in validateField (#​13388)
🪢 fix build to exclude test files (#​13387)

thanks to @​Yihao-G & @​mixelburg

v7.73.1

Compare Source

v7.72.1

Compare Source

bvaughn/react-resizable-panels (react-r

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • "before 10am on friday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Caution

[High Risk] Target group replacement shifts backend traffic to port 9090 without matching ALB-to-target access

The change is replacing the target groups behind api-207c90ee-alb and mon-internal-terraform-example, and the replacement is not just an ARN churn. The current public ALB target group 540044833068.eu-west-2.elbv2-target-group.api-207c90ee-tg uses HTTP instance targets on port 80, while the same plan creates a new target attachment for 540044833068.eu-west-2.elbv2-target-group.api-health-terraform-example on port 9090 and a new EC2 instance whose user data only serves a simple health endpoint on 9090.

The current API backend security group 540044833068.eu-west-2.ec2-security-group.sg-0b35287bf0a8a338c allows ingress from the ALB security group only on port 80, and I found no matching planned security-group update to permit 9090 for the ALB path. That means the replacement introduces a backend/health-check model that diverges from the existing listener-to-target connectivity. When Terraform swaps the target groups, the ALB will lose healthy registered targets and requests through 540044833068.eu-west-2.elbv2-load-balancer.api-207c90ee-alb will fail, driving UnHealthyHostCount on 540044833068.eu-west-2.cloudwatch-alarm.api-207c90ee-unhealthy-targets and causing application downtime.
_{View reasoning tree here.}

Warning

[Medium Risk] New public-facing EC2 instance is being launched without an IAM instance profile

The change creates a new production EC2 host for module.api_access[0].aws_instance.api_server as a t4g.nano without an IAM instance profile, and the current matching deployment pattern already exists on 540044833068.eu-west-2.ec2-instance.i-025efedc46bef3be1, which is an arm64 t4g.nano with IamInstanceProfile: null and public EIP 18.133.94.23. That means this change is extending an already non-compliant design instead of fixing it: the instance will be directly internet-addressable and will have no role-based temporary credentials available for least-privilege access.

This does not prove an immediate architecture or AMI failure, but it does create a real security risk. Organizational policy says EC2 instances must not be directly reachable from the internet, and AWS Well-Architected guidance flags EC2 instances without IAM instance profiles as a risk because they push teams toward unmanaged access patterns and weaken instance hardening. If this host needs AWS API access later, the lack of an instance profile will force out-of-band credentials or manual exceptions, and the public endpoint increases the attack surface of a production instance that should be behind managed ingress only.
_{View reasoning tree here.}

Warning

[Medium Risk] New production EC2 health endpoint bypasses managed service boundaries and weakens network segmentation

The change creates a new production EC2 instance, github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server, that starts a Python HTTP server bound to 0.0.0.0:9090 and then registers that instance directly into the api-health-terraform-example target group on port 9090. This introduces a standalone instance-level endpoint for API health traffic instead of keeping the path on the existing managed service boundary.

The attached security groups give the instance effective inbound access on 9090 from 10.0.0.0/8, and AWS evaluates the union of all attached security-group rules. That means the new host is reachable from a very large internal address space while serving traffic directly from the instance itself. This weakens segmentation and bypasses the organization’s requirement that EC2 instances not be directly reachable endpoints, creating a real exposure path and a single-instance service surface in production contrary to SEC05-BP01, SEC05-BP02, and REL02-BP01.
_{View reasoning tree here.}

Signals

Routine → Multiple AWS infrastructure resources showing unusual and infrequent routine changes at 1-2 events/week for the last 3 months, led by the api server instance changing only 1 event/week for the last 3 months.
Policies → Multiple infrastructure resources showing unusual policy violations that may need review: an S3 bucket is missing required tags and does not have server-side encryption configured, while a security group allows SSH (port 22) access from anywhere (0.0.0.0/0).

_{Additional Change Details:} Items 282 Edges 507 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 97 · Edges 246

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 27 · Edges 66

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 8 · Edges 30

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 2 high risks requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 2 · Medium 0 · Low 0

---

💥 Blast Radius

Items 11 · Edges 25

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 8 · Edges 30

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 12 · Edges 38

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 4 · Edges 20

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 1 · Medium 0 · Low 0

---

💥 Blast Radius

Items 2 · Edges 20

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 1 · Medium 0 · Low 0

---

💥 Blast Radius

Items 16 · Edges 45

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 21 · Edges 63

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2); Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 49 · Edges 141

---

View full analysis in Overmind ↗