@renovate renovate bot commented Jan 16, 2026

This PR contains the following updates:

| Package | Change |
|---|---|
| typescript-eslint (source) | 8.53.0 → 8.53.1 |

Release Notes

typescript-eslint/typescript-eslint (typescript-eslint)

v8.53.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.


Configuration

📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies, frontend and javascript labels Jan 16, 2026
@renovate renovate bot enabled auto-merge (squash) January 16, 2026 01:48

github-actions bot commented Jan 16, 2026

Overmind

Open in Overmind ↗

✨Frontend Team Review

🔴 Change Signals

Policies 🔴 ▃▂▁ Multiple S3 buckets and security groups are showing unusual policy violations, including missing required tags and lack of server-side encryption, which may need review.
Routine 🟢 ▁▂ Multiple AWS instance resources are showing regular updates at 1 event/week for the last 4 weeks, indicating routine maintenance.

View signals ↗


🧠 Reasoning · ✖ 1 · ✔ 2

EC2 AMI replacement impacting instance behavior and EBS volumes (downtime/data loss risk)

Observations 4

Hypothesis

Multiple EC2 instances (e.g., i-0d4957e1774fa2916, i-09ecaa289b376d0f4) are being replaced with different AMIs (such as ami-0b7e71... → ami-0e16f3...), which can alter OS packages, boot/hibernation configuration (hibernation set to null), root_block_device tags, and delete_on_termination semantics. During replacement the original instance is terminated and a new instance is created, which can change root and non-root EBS volume attachment behavior, including detachment, recreation, or deletion of volumes with DeleteOnTermination=true (e.g., vol-0f3f42a83b33dde6a, vol-0ca36dafa78b8485a). This process can cause downtime while the new instance is provisioned and until applications are fully initialized, and may result in data loss or service outage if volumes are deleted or recreated unexpectedly.

Investigation

I inspected the diffs and the current state of the affected resources. Both EC2 instances are marked for replacement due to an AMI change (ami-0b7e71fcee9d196a9 → ami-0e16f30ef82e4dedc). The api server instance i-09ecaa289b376d0f4 is currently the only registered target in the ALB target group api-207c90ee-tg and is healthy on port 80. Replacing this instance will terminate it before the new instance comes up and passes health checks, leaving the target group with zero healthy targets and causing outage. Current CloudWatch shows the instance is actively serving (CPU ~70%), reinforcing that it carries live traffic. On storage, both instances’ root EBS volumes are attached with DeleteOnTermination=true; replacement will destroy these root volumes and create new ones from the new AMI. There are no additional (non-root) volumes attached, so the data-loss risk is limited to any state kept on the root disk. The “hibernation: null” change does not alter that the instances are not configured for hibernation today. Given the single-target ALB configuration and forced instance replacement, downtime is a certainty during rollout; root volume data will be discarded if any app state resides there.

✔ Hypothesis proven


ALB target registration and IAM instance-profile disruption during EC2 replacement

Observations 7

Hypothesis

EC2 instance replacement for instances behind an ALB and using IAM instance profiles (e.g., i-09ecaa289b376d0f4, profile api-207c90ee-api-profile, ovm-scale-eu-west-1-p32ws0nl-ec2-profile, role api-207c90ee-api-role) can temporarily deregister or change ALB targets (target group api-207c90ee-tg) and briefly remove the IAM instance profile from the running node. During replacement, the old instance is removed from the target group, causing traffic disruption until the new instance registers and passes health checks; health status may be unknown or unhealthy while agents and application services start. Simultaneously, instance-profile reattachment windows can leave the instance without IAM permissions needed for API calls, SSM access, or CloudWatch/other agents, interrupting management, automation, and application calls until the new instance successfully assumes the profile and all required agents are available in the AMI.

Investigation

I inspected the diff and blast radius. The EC2 instance i-09ecaa289b376d0f4 is planned to be replaced due to an AMI change (ami-0b7e71fcee9d196a9 -> ami-0e16f30ef82e4dedc). The current state shows this instance is the only target surfaced in the api-207c90ee-tg target group and is currently healthy. The target group is HTTP on port 80 with health checks on path /health, interval 30s, healthy threshold 2, meaning a new target will take at least ~60s of successful checks after boot to become healthy. Because there is no evidence of a second registered target or an Auto Scaling Group, replacing the only healthy instance risks a window with zero healthy targets if the old instance is deregistered/terminated before the new one passes health checks, causing a traffic outage via api-207c90ee-alb. For IAM, the running instance has an associated instance profile (api-207c90ee-api-profile) and the diff keeps the same profile; while the new instance will attach the profile at launch, there is no concrete evidence of a problematic detach/reattach on a running node. Thus, the ALB/target registration downtime risk is real; the IAM disruption portion is speculative and not evidenced. Evidence from blast radius: single healthy target entry for i-09ecaa289b376d0f4 in the target group, target group health check settings, ALB listener forwarding to that target group, and active instance-profile association.

✔ Hypothesis proven


EC2 replacement affecting ENIs, IP addresses, and DNS mappings (connectivity disruption risk)

Observations 4

Hypothesis

Replacing EC2 instances (e.g., i-0d4957e1774fa2916, i-09ecaa289b376d0f4) can detach, reattach, or recreate associated ENIs (eni-0ab2b96a64146cf5d, eni-04984dae4991bf08b). This may change or temporarily remove private and public IPs (e.g., 10.0.101.239, 10.0.101.90, 35.176.18.132) and their DNS mappings (e.g., ip-10-0-101-90.eu-west-2.compute.internal). If ENIs or IPs are reassigned or not preserved, DNS A records and clients targeting these addresses can point to stale or unreachable endpoints, causing connectivity loss during or after replacement. Network attributes (public/private IPs, ENIs) being moved between instances or recreated also impacts instance-specific CloudWatch metrics and any DNS records or external dependencies bound to those IPs.

Investigation

The hypothesis assumes clients depend on the instances’ specific ENIs/IPs/DNS names. Current state shows the service is fronted by an ALB with DNS api-207c90ee-alb-592661235.eu-west-2.elb.amazonaws.com, and the target group is instance‑targeted; instance i-09ecaa289b376d0f4 is registered healthy on port 80. Clients should resolve and reach the ALB, not the instances directly. Replacing the EC2 instances due to the AMI change will indeed create new ENIs and new private/public IPs (both current primary ENIs have DeleteOnTermination=true), but there is no evidence of Elastic IPs, static ENIs, or Route53 records bound to the instance addresses that would cause stale DNS for clients. The only DNS records tied to instance IPs are AWS-provided ephemeral names (e.g., ec2-35-176-18-132.eu-west-2.compute.amazonaws.com, ip-10-0-101-239.eu-west-2.compute.internal), which are not referenced by any other blast-radius resources for client access. Therefore, connectivity via the ALB will not depend on preserving these instance-specific addresses. A potential downtime risk here would be improper/serial replacement or failure to re-register the new instance with the target group, but that is a different mechanism than ENI/IP/DNS staleness described by the hypothesis. Evidence used: i-09ecaa289b376d0f4 with eni-04984dae4991bf08b (10.0.101.90/13.40.53.1) and target health healthy; i-0d4957e1774fa2916 with eni-0ab2b96a64146cf5d (10.0.101.239/35.176.18.132); both ENIs DeleteOnTermination=true; ALB DNS and target group configuration present.

✖ Hypothesis disproven


🔥 Risks

Replacing the only ALB target instance will cause outage; root EBS volumes with DeleteOnTermination will be destroyed during AMI swap (‼️ High)
The api server instance behind the load balancer is being replaced due to an AMI update. The target group api-207c90ee-tg currently has only one healthy registered target, i-09ecaa289b376d0f4, on port 80. When this instance is terminated for replacement, the ALB will have zero healthy targets until the new instance launches and passes health checks, resulting in a service outage.

Both instances use root EBS volumes with DeleteOnTermination=true (e.g., vol-0f3f42a83b33dde6a, vol-0ca36dafa78b8485a). During replacement these root volumes will be destroyed and recreated from the new AMI, discarding any state stored on the root filesystem. If the application or system relies on root-disk state, this will result in data loss alongside downtime.

Single-target ALB replacement will cause downtime during EC2 instance swap (‼️ High)
The api server EC2 instance behind the application load balancer (api-207c90ee-alb) is being replaced due to an AMI change. The current target group (api-207c90ee-tg) shows only one registered, healthy target: the existing instance. With health checks on /health and a 30s interval with 2 healthy thresholds on port 80, the new instance will take at least ~60 seconds after boot to become healthy.

During replacement, if the old instance is deregistered or terminated before the new instance passes target group health checks, the target group will have zero healthy targets and the ALB will serve errors, resulting in a production outage. The IAM instance profile remains consistent and attached at launch; no specific evidence indicates a permissions gap on a running node, so the primary risk is the single-target cutover causing lost traffic.


🟣 Expected Changes

~ cloudwatch-alarm › api-207c90ee-high-cpu
--- current
+++ proposed
@@ -10,6 +10,5 @@
   comparison_operator: GreaterThanThreshold
   datapoints_to_alarm: 0
-  dimensions:
-    InstanceId: i-09ecaa289b376d0f4
+  dimensions: (known after apply)
   evaluation_periods: 2
   id: api-207c90ee-high-cpu
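Review bot: The `dimensions` line in this hunk leaves api-207c90ee-high-cpu keyed to a single `InstanceId` that is only known after apply, so from the moment i-09ecaa289b376d0f4 is terminated until the alarm is updated there is no instance reporting into it. Decide explicitly how the alarm should treat missing data during that window, or key it to something that outlives one instance.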
+/- ec2-instance › i-09ecaa289b376d0f4
--- current
+++ proposed
@@ -2,54 +2,53 @@
 id: github.com/overmindtech/terraform-example.ec2-instance.module.api_server.aws_instance.api_server[0]
 attributes:
-  ami: ami-0b7e71fcee9d196a9
-  arn: arn:aws:ec2:eu-west-2:540044833068:instance/i-09ecaa289b376d0f4
+  ami: ami-0e16f30ef82e4dedc
+  arn: (known after apply)
   associate_public_ip_address: true
-  availability_zone: eu-west-2a
-  capacity_reservation_specification:
-    - capacity_reservation_preference: open
-  cpu_core_count: 1
-  cpu_options:
-    - core_count: 1
-      threads_per_core: 2
-  cpu_threads_per_core: 2
-  disable_api_stop: false
-  disable_api_termination: false
-  ebs_optimized: false
-  enable_primary_ipv6: null
-  enclave_options:
-    - enabled: false
+  availability_zone: (known after apply)
+  capacity_reservation_specification: (known after apply)
+  cpu_core_count: (known after apply)
+  cpu_options: (known after apply)
+  cpu_threads_per_core: (known after apply)
+  disable_api_stop: (known after apply)
+  disable_api_termination: (known after apply)
+  ebs_block_device: (known after apply)
+  ebs_optimized: (known after apply)
+  enable_primary_ipv6: (known after apply)
+  enclave_options: (known after apply)
+  ephemeral_block_device: (known after apply)
   get_password_data: false
-  hibernation: false
-  host_resource_group_arn: null
+  hibernation: null
+  host_id: (known after apply)
+  host_resource_group_arn: (known after apply)
   iam_instance_profile: api-207c90ee-api-profile
-  id: i-09ecaa289b376d0f4
-  instance_initiated_shutdown_behavior: stop
-  instance_state: running
+  id: (known after apply)
+  instance_initiated_shutdown_behavior: (known after apply)
+  instance_lifecycle: (known after apply)
+  instance_market_options: (known after apply)
+  instance_state: (known after apply)
   instance_type: c5.large
-  ipv6_address_count: 0
-  maintenance_options:
-    - auto_recovery: default
-  metadata_options:
-    - http_endpoint: enabled
-      http_protocol_ipv6: disabled
-      http_put_response_hop_limit: 1
-      http_tokens: optional
-      instance_metadata_tags: disabled
-  monitoring: false
-  placement_partition_number: 0
-  primary_network_interface_id: eni-04984dae4991bf08b
-  private_dns: ip-10-0-101-90.eu-west-2.compute.internal
-  private_dns_name_options:
-    - enable_resource_name_dns_a_record: false
-      enable_resource_name_dns_aaaa_record: false
-      hostname_type: ip-name
-  private_ip: 10.0.101.90
-  public_dns: ec2-13-40-53-1.eu-west-2.compute.amazonaws.com
-  public_ip: 13.40.53.1
+  ipv6_address_count: (known after apply)
+  ipv6_addresses: (known after apply)
+  key_name: (known after apply)
+  maintenance_options: (known after apply)
+  metadata_options: (known after apply)
+  monitoring: (known after apply)
+  network_interface: (known after apply)
+  outpost_arn: (known after apply)
+  password_data: (known after apply)
+  placement_group: (known after apply)
+  placement_partition_number: (known after apply)
+  primary_network_interface_id: (known after apply)
+  private_dns: (known after apply)
+  private_dns_name_options: (known after apply)
+  private_ip: (known after apply)
+  public_dns: (known after apply)
+  public_ip: (known after apply)
   root_block_device:
     - delete_on_termination: true
-      device_name: /dev/xvda
-      encrypted: false
-      iops: 3000
+      device_name: (known after apply)
+      encrypted: (known after apply)
+      iops: (known after apply)
+      kms_key_id: (known after apply)
       tags:
         CostCenter: engineering
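Review bot: The removed `metadata_options` block shows `http_tokens: optional` and the removed `root_block_device` lines show `encrypted: false`, while the proposed side lists both only as `(known after apply)`, so nothing visible in this plan pins either setting for the replacement instance. Since the instance is being recreated anyway, set `http_tokens` to `required` and `encrypted` to `true` in the module rather than leaving them to whatever the AMI and account defaults produce.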
@@ -59,16 +52,13 @@
         Project: api-platform
         Workload: cpu-intensive
-      tags_all:
-        CostCenter: engineering
-        Environment: production
-        ManagedBy: terraform
-        Name: api-207c90ee-root-volume
-        Project: api-platform
-        Workload: cpu-intensive
-      throughput: 125
-      volume_id: vol-0f3f42a83b33dde6a
+      tags_all: (known after apply)
+      throughput: (known after apply)
+      volume_id: (known after apply)
       volume_size: 8
       volume_type: gp3
+  secondary_private_ips: (known after apply)
+  security_groups: (known after apply)
   source_dest_check: true
+  spot_instance_request_id: (known after apply)
   subnet_id: subnet-07b5b1fb2ba02f964
   tags:
@@ -86,10 +73,10 @@
     Project: api-platform
     Workload: cpu-intensive
-  tenancy: default
+  tenancy: (known after apply)
   terraform_address: module.api_server.aws_instance.api_server[0]
   terraform_name: module.api_server.aws_instance.api_server[0]
   timeouts: null
   user_data: acf40314e678f506b36da3c78022132136664591
-  user_data_base64: null
+  user_data_base64: (known after apply)
   user_data_replace_on_change: false
   volume_tags: null
+/- ec2-instance › i-0d4957e1774fa2916
--- current
+++ proposed
@@ -2,60 +2,63 @@
 id: github.com/overmindtech/terraform-example.ec2-instance.module.shared_security_group.aws_instance.api_server[0]
 attributes:
-  ami: ami-0b7e71fcee9d196a9
-  arn: arn:aws:ec2:eu-west-2:540044833068:instance/i-0d4957e1774fa2916
+  ami: ami-0e16f30ef82e4dedc
+  arn: (known after apply)
   associate_public_ip_address: true
-  availability_zone: eu-west-2a
-  capacity_reservation_specification:
-    - capacity_reservation_preference: open
-  cpu_core_count: 1
-  cpu_options:
-    - core_count: 1
-      threads_per_core: 2
-  cpu_threads_per_core: 2
-  credit_specification:
-    - cpu_credits: unlimited
-  disable_api_stop: false
-  disable_api_termination: false
-  ebs_optimized: false
-  enable_primary_ipv6: null
-  enclave_options:
-    - enabled: false
+  availability_zone: (known after apply)
+  capacity_reservation_specification: (known after apply)
+  cpu_core_count: (known after apply)
+  cpu_options: (known after apply)
+  cpu_threads_per_core: (known after apply)
+  disable_api_stop: (known after apply)
+  disable_api_termination: (known after apply)
+  ebs_block_device: (known after apply)
+  ebs_optimized: (known after apply)
+  enable_primary_ipv6: (known after apply)
+  enclave_options: (known after apply)
+  ephemeral_block_device: (known after apply)
   get_password_data: false
-  hibernation: false
-  host_resource_group_arn: null
-  id: i-0d4957e1774fa2916
-  instance_initiated_shutdown_behavior: stop
-  instance_state: running
+  hibernation: null
+  host_id: (known after apply)
+  host_resource_group_arn: (known after apply)
+  iam_instance_profile: (known after apply)
+  id: (known after apply)
+  instance_initiated_shutdown_behavior: (known after apply)
+  instance_lifecycle: (known after apply)
+  instance_market_options: (known after apply)
+  instance_state: (known after apply)
   instance_type: t3.nano
-  ipv6_address_count: 0
-  maintenance_options:
-    - auto_recovery: default
-  metadata_options:
-    - http_endpoint: enabled
-      http_protocol_ipv6: disabled
-      http_put_response_hop_limit: 1
-      http_tokens: optional
-      instance_metadata_tags: disabled
-  monitoring: false
-  placement_partition_number: 0
-  primary_network_interface_id: eni-0ab2b96a64146cf5d
-  private_dns: ip-10-0-101-239.eu-west-2.compute.internal
-  private_dns_name_options:
-    - enable_resource_name_dns_a_record: false
-      enable_resource_name_dns_aaaa_record: false
-      hostname_type: ip-name
-  private_ip: 10.0.101.239
-  public_dns: ec2-35-176-18-132.eu-west-2.compute.amazonaws.com
-  public_ip: 35.176.18.132
+  ipv6_address_count: (known after apply)
+  ipv6_addresses: (known after apply)
+  key_name: (known after apply)
+  maintenance_options: (known after apply)
+  metadata_options: (known after apply)
+  monitoring: (known after apply)
+  network_interface: (known after apply)
+  outpost_arn: (known after apply)
+  password_data: (known after apply)
+  placement_group: (known after apply)
+  placement_partition_number: (known after apply)
+  primary_network_interface_id: (known after apply)
+  private_dns: (known after apply)
+  private_dns_name_options: (known after apply)
+  private_ip: (known after apply)
+  public_dns: (known after apply)
+  public_ip: (known after apply)
   root_block_device:
     - delete_on_termination: true
-      device_name: /dev/xvda
-      encrypted: false
-      iops: 3000
-      throughput: 125
-      volume_id: vol-0ca36dafa78b8485a
+      device_name: (known after apply)
+      encrypted: (known after apply)
+      iops: (known after apply)
+      kms_key_id: (known after apply)
+      tags: null
+      tags_all: (known after apply)
+      throughput: (known after apply)
+      volume_id: (known after apply)
       volume_size: 8
       volume_type: gp3
+  secondary_private_ips: (known after apply)
+  security_groups: (known after apply)
   source_dest_check: true
+  spot_instance_request_id: (known after apply)
   subnet_id: subnet-07b5b1fb2ba02f964
   tags:
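Review bot: `credit_specification` with `cpu_credits: unlimited` is removed in this hunk and has no counterpart on the proposed side, not even `(known after apply)`, for a `t3.nano`. Confirm whether the replacement is meant to keep unlimited credits and state it in the configuration. The same hunk shows `http_tokens: optional` and `encrypted: false` on the current instance with neither pinned in the proposal, and `tags: null` on the root volume where the api_server instance's root volume carries tags.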
@@ -71,10 +66,10 @@
     Project: platform-services
     Team: platform
-  tenancy: default
+  tenancy: (known after apply)
   terraform_address: module.shared_security_group.aws_instance.api_server[0]
   terraform_name: module.shared_security_group.aws_instance.api_server[0]
   timeouts: null
   user_data: 146523b0a5c60264146991ccc0576cc1b24e25c3
-  user_data_base64: null
+  user_data_base64: (known after apply)
   user_data_replace_on_change: false
   volume_tags: null

🟠 Unmapped Changes

+/- aws_lb_target_group_attachment › module.api_server.aws_lb_target_group_attachment.api[0]
--- current
+++ proposed
@@ -3,8 +3,8 @@
 attributes:
   availability_zone: null
-  id: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-207c90ee-tg/443ea3af7659a1be-20260114024428718000000002
+  id: (known after apply)
   port: 80
   target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-207c90ee-tg/443ea3af7659a1be
-  target_id: i-09ecaa289b376d0f4
+  target_id: (known after apply)
   terraform_address: module.api_server.aws_lb_target_group_attachment.api[0]
   terraform_name: module.api_server.aws_lb_target_group_attachment.api[0]
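Review bot: `target_id` moves from i-09ecaa289b376d0f4 to `(known after apply)`, so this attachment can only be recreated once the replacement instance exists, and the visible changes show only the `api[0]` attachment on api-207c90ee-tg to carry traffic. Order the replacement so the new instance is created and attached before the old one is destroyed, for example with `create_before_destroy` on the instance, or register a second target first.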

💥 Blast Radius

Items 32

Edges 72

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 1 high risk requiring review


📊 Signals Summary

Routine 🟢 +4


🔥 Risks Summary

High 1 · Medium 0 · Low 0


💥 Blast Radius

Items 55 · Edges 92


View full analysis in Overmind ↗

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


View full analysis in Overmind ↗

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +5


🔥 Risks Summary

High 0 · Medium 0 · Low 0


View full analysis in Overmind ↗

@renovate renovate bot changed the title from "chore(deps): update javascript" to "chore(deps): update javascript - autoclosed" Jan 19, 2026
@renovate renovate bot closed this Jan 19, 2026
auto-merge was automatically disabled January 19, 2026 02:49

Pull request was closed

@renovate renovate bot deleted the renovate/js branch January 19, 2026 02:49
@renovate renovate bot changed the title from "chore(deps): update javascript - autoclosed" to "chore(deps): update dependency typescript-eslint to v8.53.1" Jan 23, 2026
@renovate renovate bot reopened this Jan 23, 2026
@renovate renovate bot force-pushed the renovate/js branch 2 times, most recently from 693fd14 to 83abc2d Compare January 23, 2026 01:06

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 2 high risks requiring review


📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +2


🔥 Risks Summary

High 2 · Medium 0 · Low 0


💥 Blast Radius

Items 22 · Edges 63


View full analysis in Overmind ↗

@github-actions github-actions bot left a comment

Overmind

⛔ Auto-Blocked


🔴 Decision

Found 2 high risks requiring review


📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +2


🔥 Risks Summary

High 2 · Medium 0 · Low 0


💥 Blast Radius

Items 32 · Edges 72


View full analysis in Overmind ↗

@renovate renovate bot enabled auto-merge (squash) January 23, 2026 02:44