diff --git a/renovate.yaml b/renovate.yaml
index cdd297f2e24..0cf35c6dbe8 100644
--- a/renovate.yaml
+++ b/renovate.yaml
@@ -1,7 +1,7 @@
 package:
   name: renovate
-  version: "42.19.2"
-  epoch: 0 # CVE-2025-64118
+  version: "42.21.3"
+  epoch: 1 # CVE-2025-64118
   description: "Automated dependency updates. Multi-platform and multi-language."
   copyright:
     - license: AGPL-3.0-only
@@ -29,11 +29,16 @@ pipeline:
     with:
       repository: https://github.com/renovatebot/renovate
       tag: ${{package.version}}
-      expected-commit: a750348897defdb1a6aa78f16f535cb4c39618cf
+      expected-commit: 4a9947f103218ae22c67a31d9a815b15f2b04533
 
   - runs: |
       sed -i 's/"version": "0.0.0-semantic-release"/"version": "${{package.version}}"/' package.json
 
+  - runs: |
+      # Fix GHSA-5j98-mcp5-4vw2, GHSA-mh29-5h37-fv8m
+      overrides='{"glob": "10.5.0", "js-yaml": "4.1.1"}'
+      jq --argjson overrides "$overrides" '.pnpm.overrides += $overrides' package.json > temp.json && mv temp.json package.json
+
   - runs: |
       corepack enable
       corepack install