You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
model|risks_v6 ✨Encryption Key State Risk✨KMS Key Creation
🔴 Change Signals
Routine 🔴 ▇▅▃▂▁ Multiple compute resources showing unusual weekly changes at 1 event/week for the last 2-3 months, which is infrequent compared to typical patterns.
We investigated 3 potential risks across 15 resources and verified each was safe. See the investigation details below.
🧠 Reasoning · ✔ 0 · ✖ 3
EBS DeleteOnTermination on updated instances risks data loss
Observations 2
Hypothesis
Multiple EC2 instances have attached EBS data volumes with DeleteOnTermination=true. When these instances are updated, replacement or termination of the instances can automatically delete the associated volumes (e.g., vol-090e750179b5fa681 on i-09d6479fb9b97d123 and vol-0a61278f4602fc12b on i-0464c4413cb0c54aa). If these volumes contain important data and there are no recent snapshots or backup/lifecycle policies, the change can cause irreversible data loss and violate data protection and compute-configuration best practices. Risk is mitigated by ensuring updates do not replace the instances, or by snapshotting / backing up volumes and defining clear snapshot lifecycle before the change.
Investigation
Evidence Gathered
I first loaded the relevant organizational guidance for compute and data protection: aws-compute-configuration, aws-data-protection, and security-compliance-requirements. Those files confirm that EBS deletion and unprotected data would be a valid concern if this change were actually replacing or terminating instances, and they also note that unencrypted EBS volumes are non-compliant.
I then checked the full planned changes for both EC2 instances, 540044833068.eu-west-2.ec2-instance.i-09d6479fb9b97d123 and 540044833068.eu-west-2.ec2-instance.i-0464c4413cb0c54aa. The only diff shown for each instance is public_dns and public_ip changing from concrete values to (known after apply). There are no diffs to block device mappings, no diffs to DeleteOnTermination, no diffs to AMI, instance type, subnet, security groups, or any other force-replacement attributes, and the planned change type is updated, not replaced.
I queried the current blast-radius state for both instances and both attached volumes. That confirmed each instance has only its root EBS volume attached at /dev/xvda, and both attached volumes currently have DeleteOnTermination: true. It also confirmed the two volumes in question are vol-090e750179b5fa681 and vol-0a61278f4602fc12b. I checked AWS and Terraform documentation as well: Terraform commonly renders public_ip and public_dns as (known after apply) during in-place EC2 updates, and AWS documents that a stop/start cycle can reassign an auto-assigned public IPv4 address while attached EBS volumes persist through stop/start. AWS separately documents that attached EBS volumes persist across stop/start and that the default deletion behavior applies on termination, not on ordinary in-place updates. (developer.hashicorp.com)
Impact Assessment
The hypothesis points at 2 EC2 instances and 2 attached EBS root volumes. If these instances were being replaced or terminated, the blast radius would indeed include both volumes because they are attached with DeleteOnTermination=true. However, the actual plan does not show a replacement path for either instance; it shows an in-place update only. The operational effect supported by the evidence is limited to possible reassignment of the ephemeral public IPv4 addresses on the two instances after apply, not deletion of their EBS volumes. AWS documentation indicates that during stop/start, the instance can receive a new public IPv4 address, while attached EBS volumes and their data persist. (docs.aws.amazon.com)
So the directly affected resources are 2 EC2 instances: i-09d6479fb9b97d123 and i-0464c4413cb0c54aa. The data volumes identified by the hypothesis are not at risk of deletion from this specific change because there is no evidence that Terraform will terminate or replace either instance. I did note a separate compliance issue: both EBS volumes are currently unencrypted, which conflicts with organizational policy, but that is pre-existing state and not a failure introduced by this change.
Conclusion
I conclude the hypothesized data-loss risk is not real for this change. The key evidence is that both resources are planned as in-place updated instances with only public_ip/public_dns becoming unknown until apply, and AWS documents that attached EBS volumes persist across the stop/start behavior associated with such updates rather than being deleted. (developer.hashicorp.com)
✖ Hypothesis disproven
ENI/IP churn risks breaking internal DNS and static IP consumers
Observations 1
Hypothesis
An EC2 instance update may detach or replace an attached ENI with DeleteOnTermination=true (e.g., eni-0a8dc8648170059f4), reallocating its private IP address 10.0.101.11 that is referenced by internal DNS (ip-10-0-101-11.eu-west-2.compute.internal) or other static contracts. This can cause DNS to point to a non-existent or reassigned IP, breaking services that depend on that hostname or fixed IP. The risk is that network identity is pinned to an ephemeral ENI/IP instead of a stable abstraction. Mitigations include ensuring ENI persistence across instance refreshes, or automating DNS and dependent configuration updates when instances/ENIs are replaced.
Investigation
Evidence Gathered
I first checked the relevant organizational knowledge for EC2 and networking (aws-network-security, aws-compute-configuration, infrastructure-quick-reference, and multi-region-architecture). None of those files introduced a requirement that would make this specific diff risky, though they do reinforce that direct EC2 public endpoints are generally less stable than managed abstractions.
I then inspected the planned changes for both EC2 instances in this PR. For the instance named api-207c90ee-api-server (540044833068.eu-west-2.ec2-instance.i-09d6479fb9b97d123), the only concrete change shown is public_dns and public_ip becoming (known after apply). The instance's private_ip remains explicitly 10.0.101.11 in the diff. The second instance shows the same pattern for its public address only. There is no diff showing instance replacement, ENI replacement, subnet change, security group change, private IP change, or any network interface block changes.
I queried the current blast-radius state for the instance, its attached ENI eni-0a8dc8648170059f4, and the internal DNS record global.dns.ip-10-0-101-11.eu-west-2.compute.internal. The current state shows a single primary ENI attached to the instance with DeleteOnTermination: true, private IP 10.0.101.11, and private DNS ip-10-0-101-11.eu-west-2.compute.internal. The DNS record itself is just the AWS-generated A record for that private IP. I also checked the sibling instance and its ENI to compare the pattern; it is identical.
Finally, I verified AWS/Terraform behavior in the official docs. AWS documents that stopping and starting an EC2 instance typically causes an auto-assigned public IPv4 address to change, while attached network interfaces and their private IPv4 addresses persist across stop/start. HashiCorp's Terraform material also shows public_ip/public_dns commonly appearing as (known after apply) during in-place EC2 updates because those computed public values may be reassigned during apply, even when the resource is still shown as an in-place update. (docs.aws.amazon.com)
Impact Assessment
The hypothesis is concerned with one internal DNS name and one private IP: ip-10-0-101-11.eu-west-2.compute.internal → 10.0.101.11, tied to the primary ENI on api-207c90ee-api-server. Based on the actual plan, 1 EC2 instance is directly changing in a way that could affect its public address, but there is no evidence that its private network identity is changing. The blast radius contains the corresponding ENI and DNS objects, and both currently line up exactly with the instance's primary private IP.
Operationally, the likely effect of this change is limited to public internet reachability for any consumer pinned to the auto-assigned public IP or public DNS name. That is a different concern from the hypothesis. For the hypothesis's stated failure mode—internal DNS or static consumers of 10.0.101.11 breaking—there is no supporting evidence. The private IP remains fixed in the diff, the instance is not being replaced, and AWS documents that private IPs on attached ENIs persist across stop/start while auto-assigned public IPs may change. (docs.aws.amazon.com)
Conclusion
I am confident the hypothesized private-IP/ENI churn risk is not real for this change. The plan only indicates recomputation of the instance's public address fields; there is no evidence of ENI replacement or private IP change, and AWS behavior for stop/start preserves the attached ENI and its private IP. (docs.aws.amazon.com)
✖ Hypothesis disproven
Simultaneous public endpoint churn without stable front door or failover
Observations 3
Hypothesis
Public DNS and IPs for a pair of EC2 instances will both be reallocated during the update. Any external or operational dependency pinned to those public endpoints—such as scripts, SSM parameters, manual allowlists, synthetic tests, health checks, dashboards, and runbooks—can simultaneously go stale, breaking access and masking real service health. Updating both instances at once removes any stable, unchanged endpoint that can serve as a failover target; if the pair is used for redundancy or manual failover, delayed DNS/allowlist updates or a failed refresh can leave no reachable node. This creates rollout and reliability risk because all mutable endpoints change together instead of using a stable front door (e.g., load balancer, DNS name) or staggered updates, and it can undermine incident detection and response if observability tooling does not automatically discover the new addresses.
Investigation
Evidence Gathered
I first checked the relevant organizational guidance. aws-high-availability says to flag deployments that apply changes to all instances simultaneously when that removes gradual rollout or fault isolation, and it also emphasizes avoiding manual failover dependencies. I also checked infrastructure-quick-reference, which contains an important environment-specific note: the ovm-scale test environment contains dummy and relationship-density resources, but these two EC2 instances are not tagged as ovm-scale resources and instead carry Environment=production, so I treated them as real production instances.
I then queried the current state of both affected instances and their ENIs. Both instances are ordinary EC2 instances in the same subnet (subnet-07b5b1fb2ba02f964) and the same AZ (eu-west-2a), each with an auto-assigned public IPv4 address and public DNS name. Instance i-09d6479fb9b97d123 currently has public IP 35.179.137.86 and DNS ec2-35-179-137-86.eu-west-2.compute.amazonaws.com; instance i-0464c4413cb0c54aa currently has public IP 18.175.147.19 and DNS ec2-18-175-147-19.eu-west-2.compute.amazonaws.com. The planned changes for both resources show only public_ip and public_dns becoming (known after apply). No load balancer, Route53 record, Elastic IP, Auto Scaling Group, or other stable front-door resource is present in the change, and the queried current state shows neither instance has an Elastic IP attached.
I also checked AWS documentation. AWS documents that automatically assigned public IPv4 addresses are lost when an instance is stopped and started, and that starting the instance assigns a new public IPv4 address unless an Elastic IP is used. AWS also documents that changing the primary public IPv4 address invalidates the previous public hostname because the hostname is derived from the IP address.
Impact Assessment
Two production EC2 instances are directly affected: i-09d6479fb9b97d123 and i-0464c4413cb0c54aa. For both, the current internet-reachable endpoints will change together. That means there will be zero unchanged public endpoints left in this pair after the update.
However, the hypothesis depends on additional external or operational consumers being pinned to those exact public IPs or AWS-generated hostnames. I found no concrete evidence of such dependencies in the blast radius: no Route53 records, no Elastic IPs, no ALB, no SSM parameters, no monitoring resources, and no other internal resources referencing these public endpoints. The blast radius only confirms that the public endpoints themselves will churn, not that anything critical actually depends on them. The operational consequence is therefore unproven. Endpoint churn is real, but the claim that it will break access, failover, dashboards, synthetic checks, or incident response remains speculative with the evidence available.
Conclusion
I conclude the risk is not proven. The change will rotate both instances' auto-assigned public IPs and AWS-generated public DNS names, but I found no evidence of a real dependent front door, failover process, or operational tooling pinned to those endpoints, so the hypothesis does not clear the bar from plausible concern to demonstrated risk.
renovatebot
changed the title
chore(deps): update dependency typescript to v6
chore(deps): update dependency typescript to v6 - autoclosed
Mar 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
bot
added
dependencies
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
This PR contains the following updates:
^5.8.3→^6.0.0Release Notes
microsoft/TypeScript (typescript)
v6.0.2Compare Source
Configuration
📅 Schedule: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.