chore(deps): update linters and formatters #525

Open: renovate[bot] wants to merge 1 commit into main from renovate/prettier-npm

@renovate renovate Bot commented Jun 19, 2026


This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| eslint-plugin-react-refresh | 0.5.2 → 0.5.3 | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

ArnaudBarre/eslint-plugin-react-refresh (eslint-plugin-react-refresh)

v0.5.3

Compare Source

  • Fix check for non component class exported via export { } #110 (fixes #109)

Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • "before 10am on friday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies (Renovatebot and dependabot updates), frontend, and javascript (Pull requests that update javascript code) labels Jun 19, 2026
@renovate renovate Bot enabled auto-merge (squash) June 19, 2026 02:55
@github-actions


Caution

[High Risk] New NLB backend is added from a public single-AZ subnet and can be marked healthy without representing a real production service

The change creates a new production-tagged EC2 instance in subnet subnet-07b5b1fb2ba02f964 and immediately registers it on port 9090 in the existing internal NLB target group api-health-terraform-example. Blast-radius data shows that subnet is being used for internet-reachable instances and is tagged as a public workload subnet, which conflicts with the organization’s requirement that backend EC2 instances stay in private subnets. The attached security group sg-089e5107637083db5 also allows inbound 9090 from the broad 10.0.0.0/8 range, so this change expands the reachable backend surface instead of keeping the target tightly segmented.

This backend will also be a single-AZ dependency in eu-west-2a, while the load balancer spans two AZs, and its health is only a trivial Python server that returns ok on port 9090. The NLB will therefore mark the target healthy based on a simple TCP listener and route traffic to it even if it is not a real, resilient application endpoint. That creates a real risk of misleading health, uneven traffic distribution, and production traffic being sent to an improperly segmented, non-redundant backend.
View reasoning tree here.

Caution

[High Risk] Single public API instance and shared world-open SSH exposure create production outage and remote-access risk

The change introduces a new production API path built around a single t4g.nano EC2 instance in subnet-07b5b1fb2ba02f964, then makes that one host do double duty as both a direct public EIP endpoint and the sole backend attached to the api-health-terraform-example target group on port 9090. Because there is no second instance, no autoscaling group, and no second AZ target, any failure of that host or its AZ will take out both access paths at once. This violates the organization’s high-availability baseline for production workloads and creates an immediate single-instance critical path.

Separately, the existing shared security group sg-0437857de45b640ce allows SSH on port 22 from 0.0.0.0/0 and is attached to public instance 540044833068.eu-west-2.ec2-instance.i-04396f56092e8e088, with the same group also attached to i-060c5af731ee54cc9. That is a confirmed compute hardening exposure under the organization’s security requirements: a public EC2 instance with world-open SSH is directly reachable from the internet, and the shared group broadens the blast radius beyond a single host.
View reasoning tree here.

Warning

[Medium Risk] New production EC2 instance exposes its 9090 health service broadly across internal and peered networks

The change creates a new production EC2 instance, github.com/overmindtech/terraform-example.aws_instance.module.api_access[0].aws_instance.api_server, that starts an unauthenticated HTTP server bound to 0.0.0.0:9090 and then attaches the shared security group 540044833068.eu-west-2.ec2-security-group.sg-089e5107637083db5. That security group already allows TCP 9090 from 10.0.0.0/8, so the new endpoint becomes reachable from a very large internal address space instead of only from a tightly scoped monitoring source. Because the VPC is actively peered with 540044833068.eu-west-2.ec2-vpc.vpc-096b686376892bb49 through pcx-0598813728de2846f, this broad reachability can extend beyond the local VPC boundary as well.

This is a real segmentation drift issue even though the instance is not shown to auto-receive a public IP. The plan also registers the instance on port 9090 with the internal NLB target group 540044833068.eu-west-2.elbv2-target-group.api-health-terraform-example, confirming that the new listener is intended to be live. The result is a wider lateral-movement and reconnaissance surface inside production than the organization’s network-access rules allow for EC2 workloads, violating least-privilege network design under SEC05-BP02 and weakening endpoint isolation in production.
View reasoning tree here.

Signals

Routine → Multiple AWS compute and networking resources are showing unusual infrequent routine changes, with the main instance resource changing only 1 event/month for the last 3 months and related attachment and IP resources changing only 1 event/week for the last 4-5 months, which is rare compared to typical patterns.

Additional Change Details: Items 109 Edges 234 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

@renovate renovate Bot changed the title from "chore(deps): update linters and formatters to v0.5.3" to "chore(deps): update linters and formatters" Jun 22, 2026