chore(deps): lock file maintenance

[renovate]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "before 4am on monday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Open in Overmind ↗

---

model|risks_v6
✨Encryption Key State Risk ✨KMS Key Creation

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ AWS SNS topic subscriptions showing unusual infrequent updates at 2 events/week for the last 2 months, which may need review.

View signals ↗

---

🔥 Risks

Note

All 1 resource is being created

Blast radius analysis requires existing infrastructure to examine. Once these resources are applied, future changes will show their dependencies.

---

🧠 Reasoning · ✖ 1 · ✔ 0

SNS production alert emails to external or unverified address: data leakage and alert delivery risk

Observations 1

Hypothesis

An SNS email subscription (protocol=email) is being created on the production-api-alerts topic to send alerts to alerts@example.com. If this email address is external, misconfigured, or not properly verified, production alert contents may be exposed outside the organization, leading to potential data exfiltration of sensitive operational information. Additionally, if this endpoint is incorrect or undeliverable, critical production alerts may fail to reach on-call recipients, degrading incident detection and response. The risk depends on the correctness and ownership of alerts@example.com and on SNS topic access controls governing who can publish to production-api-alerts.

Investigation

I loaded our monitoring and IAM standards; neither defines a blanket prohibition on SNS email subscriptions, so organizational policy does not in itself make this a risk. I inspected the blast radius state of the production topic; its resource policy uses the default constraint with Principal "*" but Condition AWS:SourceOwner = 540044833068, which restricts publish/manage actions to the owning account and does not expose the topic publicly. This addresses the hypothesis’ concern about permissive topic access controls.

The planned change adds a new SNS subscription with protocol email to alerts@example.com. By AWS design, email subscriptions receive no messages until the recipient explicitly confirms via the link sent by SNS; unconfirmed subscriptions remain in PendingConfirmation and do not deliver notifications. Therefore, no alert content will be sent anywhere unless that mailbox owner confirms. (docs.aws.amazon.com)

Regarding apply behavior: Terraform’s aws_sns_topic_subscription does not wait for confirmation for the email protocol, and confirmation_timeout_in_minutes only applies to HTTP/HTTPS endpoints. So this change will not block on confirmation; it will create a pending subscription that is inert unless manually confirmed. Unconfirmed subscriptions are automatically deleted by SNS after 48 hours, further limiting lingering exposure. (man.hubwiz.com)

Given the above, there is no concrete evidence that sensitive production alerts will be delivered to an external party as a result of this change, nor that alerting efficacy will degrade (this is an additional subscription, not a replacement). Any leakage would require an out‑of‑band confirmation by whoever controls alerts@example.com, which is not part of the planned apply. Therefore, the stated risk is speculative and not a real, actionable risk tied to this change.

✖ Hypothesis disproven

---

💥 Blast Radius

Items 1

Edges 0

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Auto-blocked: Routine score (-5) is below minimum (-1)

---

📊 Signals Summary

Routine 🔴 -5

---

🔥 Risks Summary

High 0 · Medium 0 · Low 0

---

💥 Blast Radius

Items 1 · Edges 0

---

View full analysis in Overmind ↗