chore(deps): update dependency npm:renovate to v43.102.11 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
npm:renovate (source)	43.92.1 → 43.102.11

---

Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance

GHSA-5vjq-5jmg-39xq

More information

Details

When using lockFileMaintenance using the bazel-module or bazelisk managers between Renovate 43.65.0 (2026-03-12) and 43.102.11 (2026-04-02), there was the opportunity for remote code execution from a malicious dependency, if the Bazel module executes code that relies on a dependency.

As this is an "unsafe" execution path, we have disabled this by default, and self-hosted administrators must add it to the allowedUnsafeExecutions allowlist.

It is recommended to review whether you have enabled this functionality for these managers, and if so, whether any dependency updates may have led to remote code execution.

Impact

If Renovate suggested an update to a malicious dependency, and that dependency is referenced as part of the bazel mod deps call - for instance as part of a ctx.execute call - this would call attacker-controlled code.

This could lead to insider attackers and outside attackers, executing code that is distributed as part of the package.

Patches

This is patched in 43.102.11.

This does not affect any versions of Mend Renovate Self-Hosted.

Workarounds

• Upgrade your Renovate version
• Disable lockFileMaintenance for these managers

Why did this happen?

This was missed in code review (as part of https://github.com/renovatebot/renovate/pull/41507).

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

References

• https://github.com/renovatebot/renovate/security/advisories/GHSA-5vjq-5jmg-39xq
• https://github.com/renovatebot/renovate
• https://github.com/renovatebot/renovate/releases/tag/43.102.11

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

renovatebot/renovate (npm:renovate)

v43.102.11

Compare Source

Bug Fixes

• bazel-module,bazelisk: add allowedUnsafeExecutions for bazel mod deps (#​42323) (4d2d86f)

Build System

• bump lodash to v4.18.1 (#​42327) (3fa1256)

v43.102.10

Compare Source

Build System

• deps: update opentelemetry-js-contrib monorepo (main) (#​42320) (3c895dc)

v43.102.9

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.3 (main) (#​42318) (aa2e7bf)

Miscellaneous Chores

• deps: update dependency oxlint-tsgolint to v0.17.4 (main) (#​42316) (9535323)

v43.102.8

Compare Source

Build System

• deps: update opentelemetry-js monorepo (main) (#​42315) (a2ab6f9)

v43.102.7

Compare Source

Bug Fixes

• correctly warn when an attestation is missing (#​42311) (0b74302), closes #​37258

v43.102.6

Compare Source

Miscellaneous Chores

• deps: update dependency tsdown to v0.21.5 (main) (#​42306) (8869926)

Build System

• deps: update dependency @​renovatebot/detect-tools to v3 (main) (#​42304) (644fd81)

v43.102.5

Compare Source

Bug Fixes

• swift: don't write from: range to Package.resolved (#​42303) (35dbc3b)

v43.102.4

Compare Source

Documentation

• fix typo in installing-onboarding (#​42293) (1cf23b9)

Miscellaneous Chores

• use ts extension (#​42300) (440e353)

Build System

• deps: update dependency @​renovatebot/detect-tools to v2.0.1 (main) (#​42302) (28b1152)

v43.102.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.2 (main) (#​42299) (059db63)

Miscellaneous Chores

• deps: update pdm-project/setup-pdm action to v4.5 (main) (#​42298) (21d4a04)

v43.102.2

Compare Source

Build System

• deps: update aws-sdk-js-v3 monorepo to v3.1021.0 (main) (#​42295) (a482aac)

v43.102.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.1 (main) (#​42294) (3883fc8)

v43.102.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.0 (main) (#​42292) (e914a5f)

Bug Fixes

• presets: revert oxlint grouping (#​42272) (d4162b2), closes #​42268

Miscellaneous Chores

• deps: update dependency pnpm to v10.33.0 (main) (#​42291) (08e7bd0)
• types: export additional types for downstream log consumers (#​40930) (eda8c59)

Code Refactoring

• extract applyHostRules and applyNpmrc to functions (#​41528) (e7f55d7)

v43.101.7

Compare Source

Bug Fixes

• http: fallback to github hostType for GHE platform endpoint (#​42287) (b8809ce)

v43.101.6

Compare Source

Miscellaneous Chores

• deps: update docker/dockerfile docker tag to v1.23.0 (main) (#​42290) (5a77836)

Build System

• deps: update dependency @​pnpm/parse-overrides to v1001.0.4 (main) (#​42289) (cfdff36)

v43.101.5

Compare Source

Bug Fixes

• type: pattern groups (#​42288) (e0daef7)

v43.101.4

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.32.2 (main) (#​42282) (37f8206)
• presets: allow Aspire's organization move (#​42281) (502d11f)

Documentation

• inter-link presets' extends (#​42270) (c8adab2)

Miscellaneous Chores

• deps: update linters to v1.57.0 (main) (#​42278) (5cf0aac)

v43.101.3

Compare Source

Bug Fixes

• presets: follow Aspire's organization move (#​42273) (5f68d3d)

Documentation

• explicitly document depTypes each manager supports (#​42142) (2d239d2)
• minimum-release-age: add Nuget to list of supported registries (#​42279) (c252a0d)

Miscellaneous Chores

• azure: remove JSON.stringify'd message (#​42241) (c04e7b1)
• deps: update dependency graphql to v16.13.2 (main) (#​42280) (7e28021)
• deps: update dependency oxlint-tsgolint to v0.17.2 (main) (#​42266) (70b497e)
• deps: update dependency oxlint-tsgolint to v0.17.3 (main) (#​42271) (0913a78)
• deps: update rhysd/actionlint docker tag to v1.7.12 (main) (#​42262) (5281173)

Continuous Integration

• skip issues when not enabled (#​42274) (de777a2)

v43.101.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.32.1 (main) (#​42265) (b0f453d)

Miscellaneous Chores

• deps: update dependency tar to v7.5.13 (main) (#​42256) (5cfbba3)
• deps: update ghcr.io/containerbase/devcontainer docker tag to v14.6.9 (main) (#​42261) (d54e8da)

v43.101.1

Compare Source

Documentation

• mend-hosted: how to perform config validation (#​40441) (107fcfd)

Miscellaneous Chores

• azure: log more context when updating PRs (#​42242) (450e086)
• deps: update dependency typescript-eslint to v8.57.2 (main) (#​42255) (2ed3103)

Code Refactoring

• lint: move option-dependent rules from ESLint to oxlint (#​42215) (e0c9bc1)
• pass packageFile to updateDependency (#​42253) (3953a78)
• tools/sync-module-labels: move shared code into a shared helper (#​42249) (e31dfd7), closes #​42012

Build System

• deps: update dependency @​renovatebot/good-enough-parser to v2 (main) (#​42248) (5b8447b)

v43.101.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.32.0 (main) (#​42252) (d1f917f)
• dry-run: log commit contents (#​41718) (3951723)
• report: add reportFormatting option to format JSON reports with Prettier (#​42162) (1b58cd6)

v43.100.2

Compare Source

Miscellaneous Chores

• deps: update vitest monorepo to v4.1.1 (main) (#​42246) (f03acbe)

Build System

• deps: update dependency @​renovatebot/detect-tools to v2 (main) (#​42243) (3f94069)

v43.100.1

Compare Source

Documentation

• config: clarify commitMessagePrefix affects Dependency Dashboard (#​42236) (9a76a15)

Build System

• deps: update dependency diff to v8.0.4 (main) (#​42244) (4cc9819)

v43.100.0

Compare Source

Features

• manager/mise: add npm upgrade tooling (#​42235) (c5e1b14)

Bug Fixes

• swift: Parse pins without version key in Package.resolved (#​42220) (8ed5d0f)

Documentation

• update references to renovate/renovate (main) (#​42228) (30d346b)

Miscellaneous Chores

• deps: lock file maintenance (main) (#​42229) (f8a752e)
• deps: update containerbase/internal-tools action to v4.5.8 (main) (#​42230) (4d23825)
• deps: update containerbase/internal-tools action to v4.5.9 (main) (#​42232) (5e3680b)
• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.38 (main) (#​42231) (7ae0c34)
• deps: update dependency @​containerbase/semantic-release-pnpm to v1.3.28 (main) (#​42233) (a569c4e)

v43.99.1

Compare Source

Bug Fixes

• datasource/dart: Use npm versioning to make rangeStrategy=bump work again (#​42115) (ef9662a)
• deps: update ghcr.io/renovatebot/base-image docker tag to v13.31.1 (main) (#​42226) (fa018c4)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.5.6 (main) (#​42219) (d850027)
• deps: update dependency markdownlint-cli2 to v0.22.0 (main) (#​42222) (8ae44af)

Code Refactoring

• lint: Enable oxlint correctness category (#​42218) (b79ea93)
• lint: Move style rules to oxlint (#​42221) (0a6c86f)
• lint: Switch custom rules from eslint to oxlint (#​42212) (3201eee)

v43.99.0

Compare Source

Features

• manager/kubernetes: extract image volume references from manifests (#​42038) (b438e57)

Miscellaneous Chores

• deps: lock file maintenance (main) (#​42217) (81e6582)
• deps: update dependency memfs to v4.57.0 (main) (#​42214) (dffce08)
• deps: update dependency memfs to v4.57.1 (main) (#​42216) (9dd6f5e)

Code Refactoring

• lint: remove ESLint rules already covered by oxlint (#​42213) (072e008)

v43.98.0

Compare Source

Features

• datasource: add elm-package datasource (#​41000) (f340b1a)

v43.97.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.31.0 (main) (#​42211) (91049f0)

Miscellaneous Chores

• tools: handle additional errors (#​42205) (f31aec3)

v43.96.0

Compare Source

Features

• gradle: use Java 25 with gradle >= 9.1 (#​42206) (fe7ab7e)

Miscellaneous Chores

• deps: update github/codeql-action action to v4.35.1 (main) (#​42209) (b6fa499)

Tests

• config: ensure no duplicate environment variable names (#​42204) (9c57ae1)

v43.95.0

Compare Source

Features

• replacements: add @wuchale/vite-plugin (#​42036) (cb86e66)

v43.94.1

Compare Source

Bug Fixes

• manager/npm: revert passing --before to npm install when minimumReleaseAge is set (#​42198) (a74da77)

Miscellaneous Chores

• deps: update github/codeql-action action to v4.35.0 (main) (#​42200) (860230f)

v43.94.0

Compare Source

Features

• fleet: support registryAliases (#​42045) (00fefaf)

v43.93.1

Compare Source

Bug Fixes

• gerrit: use the ready push option to ensure changes are not wip (#​40960) (1472cd9)

Documentation

• gradle: fix typo (#​40808) (fbfe8eb)
• versioning/semver-coerced: coercion specific link (#​40708) (165a6ba)

Code Refactoring

• manager/pep723: move parsing to utils (#​41673) (ec71601)

v43.93.0

Compare Source

Features

• manager/npm: pass --before to npm install when minimumReleaseAge is set (#​42051) (c4d5697)
• replacements: add replacement for Kotlin Logging maven package (#​42078) (b83db48)

Bug Fixes

• cli: avoid printing logs on --version/--help (#​42183) (93985c3)
• deps: update ghcr.io/renovatebot/base-image docker tag to v13.30.3 (main) (#​42191) (0ab23ef)
• presets: allow short @tsconfig/node references (#​42189) (be016be)
• use correct digest when replacing packages with replacementNameTemplate (#​40058) (f33f3f6)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.5.5 (main) (#​42192) (8729a3e)
• deps: update dependency tar to v7.5.12 (main) (#​42174) (ca0b442)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.