
chore(deps): update linters and formatters (major) - autoclosed#483

Closed
renovate[bot] wants to merge 1 commit into main from renovate/major-prettier-npm

Conversation


@renovate renovate Bot commented Feb 26, 2026

This PR contains the following updates:

Package                              Change
eslint (source)                      ^9.32.0 → ^10.0.0
eslint-plugin-react-hooks (source)   ^5.2.0 → ^7.0.0

Release Notes

eslint/eslint (eslint)

v10.0.2


v10.0.1

Documentation

  • 5b3dbce docs: add AI acknowledgement section to templates (#20431) (루밀LuMir)
  • 6f23076 docs: toggle nav in no-JS mode (#20476) (Tanuj Kanti)
  • b69cfb3 docs: Update README (GitHub Actions Bot)

v10.0.0


v9.39.3


Bug Fixes

  • 791bf8d fix: restore TypeScript 4.0 compatibility in types (#20504) (sethamus)

facebook/react (eslint-plugin-react-hooks)

v7.0.1


v7.0.0


This release slims down presets to just 2 configurations (recommended and recommended-latest), and all compiler rules are enabled by default.

  • Breaking: Removed recommended-latest-legacy and flat/recommended configs. The plugin now provides recommended (legacy and flat configs with all recommended rules), and recommended-latest (legacy and flat configs with all recommended rules plus new bleeding edge experimental compiler rules). (@poteto in #34757)

v6.1.1


Note: 6.1.0 accidentally allowed use of recommended without flat config, causing errors when used with ESLint v9's defineConfig() helper. This has been fixed in 6.1.1.

v6.1.0


Note: Version 6.0.0 was mistakenly released and immediately deprecated and untagged on npm. This is the first official 6.x major release and includes breaking changes.

  • Breaking: Require Node.js 18 or newer. (@michaelfaith in #32458)
  • Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@michaelfaith in #32457)
  • New Violations: Disallow calling use within try/catch blocks. (@poteto in #34040)
  • New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@jbrown215 in #33544)
  • Handle React.useEffect in addition to useEffect in rules-of-hooks. (@Ayc0 in #34076)
  • Added a react-hooks settings config option to accept additionalEffectHooks, which are used across the exhaustive-deps and rules-of-hooks rules. (@jbrown215 in #34497)

v6.0.0


Accidentally released. See 6.1.0 for the actual changes.


Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Renovatebot and dependabot updates frontend javascript Pull requests that update javascript code labels Feb 26, 2026
@renovate renovate Bot enabled auto-merge (squash) February 26, 2026 16:57

renovate Bot commented Feb 26, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: modules/api-server/demo-app/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: vite_react_shadcn_ts@0.0.0
npm error Found: eslint@10.1.0
npm error node_modules/eslint
npm error   dev eslint@"^10.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer eslint@"^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0" from eslint-plugin-react-hooks@7.0.1
npm error node_modules/eslint-plugin-react-hooks
npm error   dev eslint-plugin-react-hooks@"^7.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-03-24T22_20_30_486Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-03-24T22_20_30_486Z-debug-0.log
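The ERESOLVE output above is the whole story of why this branch could not be merged: the root project asks for eslint ^10.0.0, while eslint-plugin-react-hooks@7.0.1 declares a peer range that stops at ^9.0.0. As an added example (not code from the PR, Renovate or the repository), here is a minimal caret-range checker that reproduces npm's reasoning so the mismatch can be caught in a pre-merge check rather than overridden with --force or --legacy-peer-deps, which the log itself warns may accept a broken resolution. The resolved-version and peer tables are constructed from the log, and all function names are my own.

```javascript
// Parse "10.1.0" or "8.0.0-0" into numeric parts; prerelease/build suffixes
// are dropped (a simplification of real semver prerelease rules).
function parseVersion(v) {
  const [major, minor, patch] = v.split(/[-+]/)[0].split(".").map(Number);
  return { major, minor, patch };
}
function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}
// Caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 when X>0,
// <0.(Y+1).0 when X==0 && Y>0, and <0.0.(Z+1) when X==0 && Y==0.
function satisfiesCaret(version, caret) {
  const lo = parseVersion(caret.slice(1));
  const v = parseVersion(version);
  let hi;
  if (lo.major > 0) hi = { major: lo.major + 1, minor: 0, patch: 0 };
  else if (lo.minor > 0) hi = { major: 0, minor: lo.minor + 1, patch: 0 };
  else hi = { major: 0, minor: 0, patch: lo.patch + 1 };
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}
// A "||" union is satisfied if any member caret range is satisfied.
function satisfies(version, range) {
  return range.split("||").map((r) => r.trim()).some((r) => {
    if (!r.startsWith("^")) throw new Error(`unsupported range: ${r}`);
    return satisfiesCaret(version, r);
  });
}
// resolved: versions npm actually installed; peers: peerDependencies declared
// by installed packages. Returns one record per unmet or missing peer.
function findPeerConflicts(resolved, peers) {
  const conflicts = [];
  for (const [pkg, deps] of Object.entries(peers)) {
    for (const [peer, range] of Object.entries(deps)) {
      const installed = resolved[peer] ?? null;
      if (installed === null || !satisfies(installed, range)) {
        conflicts.push({ pkg, peer, range, installed });
      }
    }
  }
  return conflicts;
}
// Constructed from the ERESOLVE output in the comment above.
const resolved = { eslint: "10.1.0", "eslint-plugin-react-hooks": "7.0.1" };
const peers = {
  "eslint-plugin-react-hooks": {
    eslint: "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0",
  },
};
console.log(findPeerConflicts(resolved, peers));
```

Running it reports the single eslint conflict npm found; swapping eslint to 9.39.3 (the last 9.x in the release notes above) yields no conflicts, which is the check a Renovate grouping rule or CI step can run before a major bump is auto-merged.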

@renovate renovate Bot force-pushed the renovate/major-prettier-npm branch 2 times, most recently from 9082974 to 9def62b, March 7, 2026 02:56
@renovate renovate Bot force-pushed the renovate/major-prettier-npm branch from 9def62b to 4f56f11, March 13, 2026 16:45
@renovate renovate Bot force-pushed the renovate/major-prettier-npm branch from 4f56f11 to afd3d4c, March 20, 2026 16:55
@github-actions

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ Terraform subscription resource (module.api_access[0].aws_sns_topic_subscription.oncall_email) showing only 2 events/week for the last 3 months, which is infrequent compared to typical patterns.



🔥 Risks

Note

All 1 resource is being created

Blast radius analysis requires existing infrastructure to examine. Once these resources are applied, future changes will show their dependencies.


🧠 Reasoning · ✔ 0 · ✖ 1

External SNS email subscription for production alerts: data exposure and alert delivery reliability risk

Observations: 4

Hypothesis

Adding an email subscription (alerts@example.com) to the production-api-alerts SNS topic introduces a new externally controlled notification path for production alerts. Because SNS email endpoints are not IAM-scoped and rely on manual subscription confirmation and external mailbox configuration, this can:

  • Expose sensitive operational or security alert content (e.g., stack traces, hostnames, customer-impacting details) outside the intended AWS access boundary or incident-response team, especially if the mailbox is shared, vendor-managed, or has forwarding rules that broaden access.
  • Violate security/network policies around public endpoints and access controls for production alert distribution (referencing SEC05-BP01, SEC05-BP03, SEC03-BP07, SEC01-BP01).
  • Create an unreliable or opaque alerting path if the email subscription is unconfirmed, the mailbox is unmonitored/misconfigured, or email is filtered/throttled/dropped, while other parts of the alert pipeline appear healthy. This can silently degrade incident response and make production alerts fail to reach responders.
  • Lack delivery and subscription-state observability if there are no CloudWatch alarms, synthetic checks, or monitoring around SNS delivery failures and subscription confirmation for this email endpoint.

Validate mailbox ownership and access model, confirm subscription state, ensure a durable automated on-call/pager path remains primary, and add monitoring for SNS delivery/subscription health if this email channel is retained.

Investigation

Evidence Gathered

  • Reviewed organizational knowledge for security/access control and monitoring to see if email-based SNS endpoints are disallowed or require specific controls. No explicit prohibition found; relevant guidance focuses on resource policies, least privilege, and monitoring (SEC03-BP07 et al.).
  • Examined the planned diff for github.com/overmindtech/terraform-example.aws_sns_topic_subscription.module.api_access[0].aws_sns_topic_subscription.oncall_email: protocol=email, endpoint=alerts@example.com, endpoint_auto_confirms=false, confirmation_timeout_in_minutes=1, topic_arn=arn:aws:sns:eu-west-2:540044833068:production-api-alerts. No filter policy or redrive set.
  • Queried current SNS topic state: 540044833068.eu-west-2.sns-topic.arn:aws:sns:eu-west-2:540044833068:production-api-alerts. Policy is the AWS default with Principal "*" constrained by Condition StringEquals AWS:SourceOwner=540044833068; SubscriptionsConfirmed=0, Pending=0. This shows no public access via resource policy and no existing external subscribers.

Impact Assessment

  • Scope: one SNS topic (production-api-alerts). The change adds an additional subscription endpoint; it does not alter the topic policy, existing subscriptions, or downstream delivery mechanisms.
  • Data exposure claim: The risk depends on mailbox ownership/forwarding outside the intended boundary. We lack evidence about the ownership or access model for alerts@example.com. The topic policy remains constrained to the account owner, so there’s no broadening of publish/subscribe permissions. Without proof that the mailbox is shared/vendor-managed or that security policy forbids email endpoints, exposure is speculative.
  • Reliability/observability claim: Email subscriptions require manual confirmation. Here, endpoint_auto_confirms=false and confirmation_timeout_in_minutes=1. Practically, if the mailbox is not confirmed immediately, terraform apply will fail fast rather than creating a silently failing alert path; if it succeeds, the subscription is necessarily confirmed. The hypothesis’s concern about “silent degradation” from an unconfirmed email endpoint is therefore not supported by the planned configuration. Existing alert pipelines are not shown as being removed or replaced.

Conclusion

Not a real risk based on available evidence. The change adds an email subscription without weakening resource policies or demonstrably exposing data. The configuration actually reduces the chance of an unobserved, unconfirmed subscription by failing apply quickly if not confirmed. Lacking concrete evidence of a policy violation, shared mailbox, or monitoring gap, the hypothesis is speculative.

✖ Hypothesis disproven


💥 Blast Radius

Items 1

Edges 0


@github-actions github-actions Bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)


📊 Signals Summary

Routine 🔴 -5


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 1 · Edges 0



@renovate renovate Bot force-pushed the renovate/major-prettier-npm branch from afd3d4c to 7a9c133, March 24, 2026 22:20
@renovate renovate Bot changed the title chore(deps): update linters and formatters (major) chore(deps): update linters and formatters (major) - autoclosed Mar 24, 2026
@renovate renovate Bot closed this Mar 24, 2026
auto-merge was automatically disabled March 24, 2026 22:36

Pull request was closed

@renovate renovate Bot deleted the renovate/major-prettier-npm branch March 24, 2026 22:36