chore(deps): update dependency renovate to v42.96.3 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
renovate (source)	42.70.2 → 42.96.3

GitHub Vulnerability Alerts

GHSA-8wc6-vgrq-x6cf

When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.

Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

It is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.

Impact

Child processes spawned by Renovate (i.e. npm install, anything defined in postUpgradeTasks or postUpdateOptions) will have full access to the environment variables that the Renovate process has.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

Patches

This is patched in 42.96.3 and 43.4.4.

Workarounds

There are no workarounds, other than upgrading your Renovate version.

Why did this happen?

As part of work towards GHSA-pfq2-hh62-7m96, one of the preparatory changes we made was moving to execa.

One of the default behaviours of execa is to extend the process' environment variables with any new ones, rather than override them.

This was missed in code review, which meant that since this version, the full environment variables have been provided to any child processes spawned with execa by Renovate.

This was discovered as part of an unrelated change.

---

Child processes spawned by Renovate incorrectly have full access to environment variables

GHSA-8wc6-vgrq-x6cf

More information

Details

When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.

Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

It is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.

Impact

Child processes spawned by Renovate (i.e. npm install, anything defined in postUpgradeTasks or postUpdateOptions) will have full access to the environment variables that the Renovate process has.

This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

Patches

This is patched in 42.96.3 and 43.4.4.

Workarounds

There are no workarounds, other than upgrading your Renovate version.

Why did this happen?

As part of work towards GHSA-pfq2-hh62-7m96, one of the preparatory changes we made was moving to execa.

One of the default behaviours of execa is to extend the process' environment variables with any new ones, rather than override them.

This was missed in code review, which meant that since this version, the full environment variables have been provided to any child processes spawned with execa by Renovate.

This was discovered as part of an unrelated change.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/renovatebot/renovate/security/advisories/GHSA-8wc6-vgrq-x6cf
• https://github.com/renovatebot/renovate
• https://github.com/renovatebot/renovate/releases/tag/42.96.3
• https://github.com/renovatebot/renovate/releases/tag/43.4.4

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

renovatebot/renovate (renovate)

v42.96.3

Compare Source

Bug Fixes

• exec: don't extend env (#​41024) (9b59ffd)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.0.12 (maint/42.x) (#​41015) (cde8272)
• deps: update containerbase/internal-tools action to v4.0.8 (maint/42.x) (#​41004) (72d5518)
• deps: update dependency @​containerbase/eslint-plugin to v1.1.31 (maint/42.x) (#​41016) (b6a2276)
• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.30 (maint/42.x) (#​41017) (5980353)
• deps: update dependency @​containerbase/semantic-release-pnpm to v1.3.20 (maint/42.x) (#​41018) (21264ea)
• deps: update dependency type-fest to v5.4.3 (maint/42.x) (#​40997) (6a86dd3)

v42.96.2

Compare Source

Build System

• deps: update dependency commander to v14.0.3 (maint/42.x) (#​40995) (8985476)

v42.96.1

Compare Source

Build System

• deps: update dependency semantic-release to v25.0.3 (maint/42.x) (#​40991) (198acf0)

v42.96.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.32.0 (maint/42.x) (#​40963) (2642e6b)

v42.95.11

Compare Source

Miscellaneous Chores

• deps: update github/codeql-action action to v4.32.2 (maint/42.x) (#​40959) (d31c905)

Build System

• deps: update dependency cronstrue to v3.11.0 (maint/42.x) (#​40949) (2d230f1)

v42.95.10

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.17 (maint/42.x) (#​40945) (4d00fd8)

v42.95.9

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.16 (maint/42.x) (#​40939) (de79c51)

v42.95.8

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.15 (maint/42.x) (#​40936) (c725317)

Miscellaneous Chores

• deps: update python docker tag to v3.14.3 (maint/42.x) (#​40932) (db7dc94)

v42.95.7

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.14 (maint/42.x) (#​40913) (61c791f)

Miscellaneous Chores

• deps: update dependency renovatebot/github-action to v46 (maint/42.x) (#​40917) (27a4e78)
• deps: update linters (maint/42.x) (#​40908) (cbbf32e)

v42.95.6

Compare Source

Build System

• deps: update dependency re2 to v1.23.2 (maint/42.x) (#​40907) (d0f5115)

v42.95.5

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.13 (maint/42.x) (#​40902) (257208b)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.0.7 (maint/42.x) (#​40888) (d88e3e0)
• deps: update dependency @​containerbase/eslint-plugin to v1.1.30 (maint/42.x) (#​40889) (28eff83)
• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.28 (maint/42.x) (#​40891) (f9bc0d9)
• deps: update dependency @​containerbase/semantic-release-pnpm to v1.3.18 (maint/42.x) (#​40892) (787ea42)
• deps: update dependency pnpm to v10.28.2 (maint/42.x) (#​40894) (48fd285)
• deps: update dependency type-fest to v5.4.2 (maint/42.x) (#​40895) (7735f14)
• deps: update github/codeql-action action to v4.32.1 (maint/42.x) (#​40900) (3b47b24)

v42.95.4

Compare Source

Build System

• deps: update dependency re2 to v1.23.1 (maint/42.x) (#​40886) (8e142c2)

v42.95.3

Compare Source

Bug Fixes

• set defaul docker user for sidecar (#​40869) (9cd752b)

Miscellaneous Chores

• onboardingAutoCloseAge: correct comment (#​40844) (45a4456)

v42.95.2

Compare Source

Bug Fixes

• onboardingAutoCloseAge: don't allow higher inherited value than global (#​40810) (ffb95ed)

Build System

• trim channel for docker builds (cd27b1d)

v42.95.1

Compare Source

Bug Fixes

• pnpm: don't update workspace when no pnpm-lock.yaml found (#​40780) (0c49124), closes #​40774

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.0.3 (main) (#​40783) (b2e1382)

Continuous Integration

• add auto reviewer (#​40782) (e55ad44)

v42.95.0

Compare Source

Features

• sidecar: use renovatebot/base-image instead of containerbase/sidecar (#​40772) (cd0426b)

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.2 (main) (#​40776) (dbe0cf7)

Build System

• deps: update opentelemetry-js-contrib monorepo (main) (#​40775) (a94398b)

v42.94.7

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.2 (main) (#​40773) (f1790af)

v42.94.6

Compare Source

Bug Fixes

• gerrit: not cloning submodules (#​40089) (5db0218)

v42.94.5

Compare Source

Bug Fixes

• presets: dockerfile globs (#​40770) (ca446fb)

v42.94.4

Compare Source

Build System

• deps: update opentelemetry-js monorepo (main) (#​40769) (e95089a)
• deps: update opentelemetry-js monorepo to v2.5.0 (main) (#​40768) (7c43e8f)

v42.94.3

Compare Source

Bug Fixes

• override tar (#​40766) (ce12e9f)

Miscellaneous Chores

• add proper imports from azure-devops-node-api (#​40762) (e36d080)
• deps: update containerbase/internal-tools action to v4.0.2 (main) (#​40767) (5ad49c3)
• deps: update dependency tar to v7.5.7 [security] (main) (#​40764) (cd2b768)
• fix type import (#​40760) (eaed53a)

Code Refactoring

• use named simpleGit imports (#​40759) (17a1bba)

v42.94.2

Compare Source

Bug Fixes

• config/validation: show deprecationMsg as a warning if present (#​40753) (e049e56)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4 (main) (#​40750) (60d733a)

Code Refactoring

• Remove decorators for ESM compatibility (#​40736) (c07814c)

Tests

• validation: add tests for custom deprecation messages (#​40752) (0daf184)

v42.94.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.1 (main) (#​40749) (fa7e075)

Code Refactoring

• tools: reduce noise in generate-imports script (#​40186) (69fedef)

v42.94.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.0 (main) (#​40746) (ebfbcfd)

Bug Fixes

• deps: update ghcr.io/containerbase/sidecar docker tag to v13.26.7 (main) (#​40745) (592bf20)

Documentation

• correct references to binarySource=install for Mend-hosted (#​40740) (783002c)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v3.15.0 (main) (#​40732) (b0f4ec3)
• deps: update dependency tar to v7.5.6 (main) (#​40739) (f29e971)
• deps: update ghcr.io/containerbase/devcontainer docker tag to v14.0.1 (main) (#​40741) (67964c8)

v42.93.1

Compare Source

Bug Fixes

• datasource/docker: treat empty string as no architecture (#​40715) (1db6be0)

v42.93.0

Compare Source

Features

• inherit support for onboardingAutoCloseAge (#​40086) (c58c16f)

Documentation

• json-schema: add separate documentation page (#​40722) (1edb6c3), closes #​40716

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v3.14.57 (main) (#​40727) (95958c6)
• replace URL.parse (#​40703) (e958373)

v42.92.14

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.4 (main) (#​40721) (33b0fcd)

Code Refactoring

• Extract decorator logic into standalone functions (#​40710) (ad47fd2)
• Remove constructor parameter properties (#​40712) (c5b0a74)

v42.92.13

Compare Source

Bug Fixes

• gradle-wrapper: don't execute when allowedUnsafeExecutions (#​40719) (3e70904)

v42.92.12

Compare Source

Bug Fixes

• workingDirTemplate must be relative to the repo root (#​40068) (bde55d5)

v42.92.11

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.3 (main) (#​40711) (c72d818)

Miscellaneous Chores

• deps: update dependency eslint-plugin-oxlint to v1.41.0 (main) (#​40707) (4d8e18a)

Code Refactoring

• Rewrite imports with .ts extensions (#​40700) (930cf66)

v42.92.10

Compare Source

Bug Fixes

• config/validation: handle platform-prefixed onboardingConfigFileName (#​40619) (1b6c63a)
• reconfigure: migrate before validating (#​40647) (7eb1ee9)

Documentation

• config-validation: note the behaviour of --no-global (#​40584) (30b7421)

Miscellaneous Chores

• deps: update dependency oxlint to v1.41.0 (main) (#​40704) (dff788f)
• deps: update github/codeql-action action to v4.32.0 (main) (#​40705) (e73c6aa)
• extract KubernetesResource schema for future broader usage (#​40264) (a7ddfcc)
• replace URL.resolve (#​40702) (18bd321)

v42.92.9

Compare Source

Bug Fixes

• sbt: consider html hrefs in absolute and root-relative format (#​39464) (e5c2caa)

v42.92.8

Compare Source

Miscellaneous Chores

• deps: update dependency typescript-eslint to v8.53.1 (main) (#​40698) (3106c46)

Code Refactoring

• replace nanoid with crypto.randomUUID (#​40695) (5c796e1)

Build System

• Switch to tsdown for .d.ts generation (#​40696) (98d0b0f)

v42.92.7

Compare Source

Bug Fixes

• json-schema: add a separate schema for Inherit Config (#​40683) (0b42055)

v42.92.6

Compare Source

Bug Fixes

• config: ensure that config options are immutable (#​40682) (13869dd)
• manager/bun: run bun from lock file directory (#​40274) (cd044ee)

Miscellaneous Chores

• deps: update linters to v1.40.0 (main) (#​40688) (e52ee4f)

Build System

• Switch to rolldown (#​40686) (42103c5)

v42.92.5

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.2 (main) (#​40687) (dfa3798)

Documentation

• update references to renovate/renovate (main) (#​40661) (3fe8d2c)

Miscellaneous Chores

• deps: lock file maintenance (main) (#​40662) (3f74931)
• deps: switch to @renovatebot/good-enough-parser (#​40623) (ae49b7a)
• deps: update containerbase/internal-tools action to v3.14.56 (main) (#​40663) (9c6abec)
• deps: update dependency @​containerbase/eslint-plugin to v1.1.28 (main) (#​40664) (a8ccae6)
• deps: update dependency @​containerbase/eslint-plugin to v1.1.29 (main) (#​40668) (8fd01c9)
• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.27 (main) (#​40666) (6ed83ca)
• deps: update dependency @​containerbase/semantic-release-pnpm to v1.3.16 (main) (#​40667) (36fa3ea)
• deps: update dependency memfs to v4.53.0 (main) (#​40655) (22c7e88)
• deps: update dependency memfs to v4.54.0 (main) (#​40658) (fa2a2b9)
• deps: update dependency memfs to v4.55.0 (main) (#​40680) (acd533e)
• deps: update dependency pnpm to v10.28.1 (main) (#​40685) (d3e9ada)
• deps: update dependency renovatebot/github-action to v44.2.6 (main) (#​40671) (b5ef5ed)
• deps: update vitest monorepo to v4.0.18 (main) (#​40654) (c3c30bf)

v42.92.4

Compare Source

Miscellaneous Chores

• deps: update dependency @​types/cacache to v20 (main) (#​40652) (2bb4cbe)
• deps: update dependency vite to v8.0.0-beta.8 (main) (#​40649) (394c1f8)

Build System

• deps: update dependency glob to v13 (main) (#​40651) (4b28934)

v42.92.3

Compare Source

Tests

• add coverage (part2) (#​40643) (0785d0b)

Build System

• deps: update dependency better-sqlite3 to v12.6.2 (main) (#​40648) (da9b543)

v42.92.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.1 (main) (#​40644) (9a81b2c)

Documentation

• bot-comparison: drop the "monthly" qualifier for the GitHub Pulse (#​40265) (7063c1a)
• config-validation: clarify reconfigure branch works only on base repo (#​40452) (89db243)

Miscellaneous Chores

• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.25 (main) (#​40640) (2ffd3fc)
• types: document ProcessStatus (#​40637) (e799a4c)

Code Refactoring

• manager/gradle: rewrite reorderFiles() for performance (#​40318) (7440131)

Build System

• deps: update dependency @​opentelemetry/semantic-conventions to v1.39.0 (main) (#​40645) (0f863b0)

Continuous Integration

• use GitHub Actions annotations to log released version (#​40639) (166e870)

v42.92.1

Compare Source

Bug Fixes

• onboardingAutoCloseAge: mark repositories as "closed-onboarding" after close (#​40633) (0326bd6), closes #​40631

Miscellaneous Chores

• deps: update github/codeql-action action to v4.31.11 (main) (#​40634) (53eece5)

Tests

• add coverage (part1) (#​40636) (9fe353a)

v42.92.0

Compare Source

Features

• datasource/crate: use pubtime when available (#​40621) (69d80fd)
• versioning: Add rust-release-channel versioning scheme (#​39859) (b637846)

Bug Fixes

• datasource/cpan: Handle modules with missing version (#​40430) (b40c8f3)
• manager/mise: expand file patterns to match mise's config search (#​40094) (ace27f8)

Code Refactoring

• github-actions: Simplify line parsing (#​40096) (5e56e2a)

Continuous Integration

• never cancel in-progress release jobs (#​40630) (c7586ae)

v42.91.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.0 (main) (#​40622) (6b82b4d)
• flux: map Helm sourceRef names via registryAliases (#​40158) (2b6dbf4)

Bug Fixes

• onboardingAutoCloseAge: close PRs when onboarding cache is up-to-date (#​40629) (95efe12), closes #​40627

Tests

• onboarding: clarify that if cache is valid, no onboarding PR updates (#​40628) (8a9b119), closes #​40627

Continuous Integration

• Adjust coverage thresholds (#​40626) (aeb8bfc)

v42.90.2

Compare Source

Bug Fixes

• pnpm: de-duplicate version numbers in minimumReleaseAgeExclude (#​40613) (30eece1), closes #​40611

Documentation

• onboarding: mention what happens when closing the onboarding PR (#​40624) (3110c83)

v42.90.1

Compare Source

Bug Fixes

• onboardingAutoCloseAge: correctly handle partial days elapsed (#​40606) (9d5e9de), closes #​40604

Miscellaneous Chores

• tools: Add check script (#​40185) (015ce80)

v42.90.0

Compare Source

Features

• renovate-config-validator: detect global environment options (#​40534) (239b94f)

Miscellaneous Chores

• types: add missing ambient module setup (#​40546) (f20f74f)

v42.89.4

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.28.2 (main) (#​40618) (157018e)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v3.14.54 (main) (#​40617) (ae93155)

v42.89.3

Compare Source

Bug Fixes

• pnpm: use exact versions in minimumReleaseAgeExclude (#​40612) (8752c28), closes #​40610

Miscellaneous Chores

• deps: update actions/checkout action to v6.0.2 (main) (#​40614) (c812b72)
• deps: update dependency @​types/node to v22.19.7 (main) (#​40615) (4e64251)
• deps: update dependency memfs to v4.52.0 (main) (#​40603) (27d2b30)
• onboardingAutoCloseAge: log calculations (#​40600) (bab5935)

Tests

• onboardingAutoClose: add additional tests for isOnboarded (#​40602) (dcf8656)

v42.89.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-ima

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.66%. Comparing base (df7d348) to head (2e48654).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #100   +/-   ##
=======================================
  Coverage   66.66%   66.66%           
=======================================
  Files           2        2           
  Lines           3        3           
=======================================
  Hits            2        2           
  Misses          1        1           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.