chore(deps): update dependency renovate to v43.102.11 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
renovate (source)	43.76.4 → 43.102.11

---

Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance

GHSA-5vjq-5jmg-39xq

More information

Details

When using lockFileMaintenance using the bazel-module or bazelisk managers between Renovate 43.65.0 (2026-03-12) and 43.102.11 (2026-04-02), there was the opportunity for remote code execution from a malicious dependency, if the Bazel module executes code that relies on a dependency.

As this is an "unsafe" execution path, we have disabled this by default, and self-hosted administrators must add it to the allowedUnsafeExecutions allowlist.

It is recommended to review whether you have enabled this functionality for these managers, and if so, whether any dependency updates may have led to remote code execution.

Impact

If Renovate suggested an update to a malicious dependency, and that dependency is referenced as part of the bazel mod deps call - for instance as part of a ctx.execute call - this would call attacker-controlled code.

This could lead to insider attackers and outside attackers, executing code that is distributed as part of the package.

Patches

This is patched in 43.102.11.

This does not affect any versions of Mend Renovate Self-Hosted.

Workarounds

• Upgrade your Renovate version
• Disable lockFileMaintenance for these managers

Why did this happen?

This was missed in code review (as part of https://github.com/renovatebot/renovate/pull/41507).

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

References

• https://github.com/renovatebot/renovate/security/advisories/GHSA-5vjq-5jmg-39xq
• https://github.com/renovatebot/renovate/releases/tag/43.102.11
• https://github.com/advisories/GHSA-5vjq-5jmg-39xq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

renovatebot/renovate (renovate)

v43.102.11

Compare Source

Bug Fixes

• bazel-module,bazelisk: add allowedUnsafeExecutions for bazel mod deps (#​42323) (4d2d86f)

Build System

• bump lodash to v4.18.1 (#​42327) (3fa1256)

v43.102.10

Compare Source

Build System

• deps: update opentelemetry-js-contrib monorepo (main) (#​42320) (3c895dc)

v43.102.9

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.3 (main) (#​42318) (aa2e7bf)

Miscellaneous Chores

• deps: update dependency oxlint-tsgolint to v0.17.4 (main) (#​42316) (9535323)

v43.102.8

Compare Source

Build System

• deps: update opentelemetry-js monorepo (main) (#​42315) (a2ab6f9)

v43.102.7

Compare Source

Bug Fixes

• correctly warn when an attestation is missing (#​42311) (0b74302), closes #​37258

v43.102.6

Compare Source

Miscellaneous Chores

• deps: update dependency tsdown to v0.21.5 (main) (#​42306) (8869926)

Build System

• deps: update dependency @​renovatebot/detect-tools to v3 (main) (#​42304) (644fd81)

v43.102.5

Compare Source

Bug Fixes

• swift: don't write from: range to Package.resolved (#​42303) (35dbc3b)

v43.102.4

Compare Source

Documentation

• fix typo in installing-onboarding (#​42293) (1cf23b9)

Miscellaneous Chores

• use ts extension (#​42300) (440e353)

Build System

• deps: update dependency @​renovatebot/detect-tools to v2.0.1 (main) (#​42302) (28b1152)

v43.102.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.2 (main) (#​42299) (059db63)

Miscellaneous Chores

• deps: update pdm-project/setup-pdm action to v4.5 (main) (#​42298) (21d4a04)

v43.102.2

Compare Source

Build System

• deps: update aws-sdk-js-v3 monorepo to v3.1021.0 (main) (#​42295) (a482aac)

v43.102.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.1 (main) (#​42294) (3883fc8)

v43.102.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.0 (main) (#​42292) (e914a5f)

Bug Fixes

• presets: revert oxlint grouping (#​42272) (d4162b2), closes #​42268

Miscellaneous Chores

• deps: update dependency pnpm to v10.33.0 (main) (#​42291) (08e7bd0)
• types: export additional types for downstream log consumers (#​40930) (eda8c59)

Code Refactoring

• extract applyHostRules and applyNpmrc to functions (#​41528) (e7f55d7)

v43.101.7

Compare Source

Bug Fixes

• http: fallback to github hostType for GHE platform endpoint (#​42287) (b8809ce)

v43.101.6

Compare Source

Miscellaneous Chores

• deps: update docker/dockerfile docker tag to v1.23.0 (main) (#​42290) (5a77836)

Build System

• deps: update dependency @​pnpm/parse-overrides to v1001.0.4 (main) (#​42289) (cfdff36)

v43.101.5

Compare Source

Bug Fixes

• type: pattern groups (#​42288) (e0daef7)

v43.101.4

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.32.2 (main) (#​42282) (37f8206)
• presets: allow Aspire's organization move (#​42281) (502d11f)

Documentation

• inter-link presets' extends (#​42270) (c8adab2)

Miscellaneous Chores

• deps: update linters to v1.57.0 (main) (#​42278) (5cf0aac)

v43.101.3

Compare Source

Bug Fixes

• presets: follow Aspire's organization move (#​42273) (5f68d3d)

Documentation

• explicitly document depTypes each manager supports (#​42142) (2d239d2)
• minimum-release-age: add Nuget to list of supported registries (#​42279) (c252a0d)

Miscellaneous Chores

• azure: remove JSON.stringify'd message (#​42241) (c04e7b1)
• deps: update dependency graphql to v16.13.2 (main) (#​42280) (7e28021)
• deps: update dependency oxlint-tsgolint to v0.17.2 (main) (#​42266) (70b497e)
• deps: update dependency oxlint-tsgolint to v0.17.3 (main) (#​42271) (0913a78)
• deps: update rhysd/actionlint docker tag to v1.7.12 (main) (#​42262) (5281173)

Continuous Integration

• skip issues when not enabled (#​42274) (de777a2)

v43.101.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.32.1 (main) (#​42265) (b0f453d)

Miscellaneous Chores

• deps: update dependency tar to v7.5.13 (main) (#​42256) (5cfbba3)
• deps: update ghcr.io/containerbase/devcontainer docker tag to v14.6.9 (main) (#​42261) (d54e8da)

v43.101.1

Compare Source

Documentation

• mend-hosted: how to perform config validation (#​40441) (107fcfd)

Miscellaneous Chores

• azure: log more context when updating PRs (#​42242) (450e086)
• deps: update dependency typescript-eslint to v8.57.2 (main) (#​42255) (2ed3103)

Code Refactoring

• lint: move option-dependent rules from ESLint to oxlint (#​42215) (e0c9bc1)
• pass packageFile to updateDependency (#​42253) (3953a78)
• tools/sync-module-labels: move shared code into a shared helper (#​42249) (e31dfd7), closes #​42012

Build System

• deps: update dependency @​renovatebot/good-enough-parser to v2 (main) (#​42248) (5b8447b)

v43.101.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.32.0 (main) (#​42252) (d1f917f)
• dry-run: log commit contents (#​41718) (3951723)
• report: add reportFormatting option to format JSON reports with Prettier (#​42162) (1b58cd6)

v43.100.2

Compare Source

Miscellaneous Chores

• deps: update vitest monorepo to v4.1.1 (main) (#​42246) (f03acbe)

Build System

• deps: update dependency @​renovatebot/detect-tools to v2 (main) (#​42243) (3f94069)

v43.100.1

Compare Source

Documentation

• config: clarify commitMessagePrefix affects Dependency Dashboard (#​42236) (9a76a15)

Build System

• deps: update dependency diff to v8.0.4 (main) (#​42244) (4cc9819)

v43.100.0

Compare Source

Features

• manager/mise: add npm upgrade tooling (#​42235) (c5e1b14)

Bug Fixes

• swift: Parse pins without version key in Package.resolved (#​42220) (8ed5d0f)

Documentation

• update references to renovate/renovate (main) (#​42228) (30d346b)

Miscellaneous Chores

• deps: lock file maintenance (main) (#​42229) (f8a752e)
• deps: update containerbase/internal-tools action to v4.5.8 (main) (#​42230) (4d23825)
• deps: update containerbase/internal-tools action to v4.5.9 (main) (#​42232) (5e3680b)
• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.38 (main) (#​42231) (7ae0c34)
• deps: update dependency @​containerbase/semantic-release-pnpm to v1.3.28 (main) (#​42233) (a569c4e)

v43.99.1

Compare Source

Bug Fixes

• datasource/dart: Use npm versioning to make rangeStrategy=bump work again (#​42115) (ef9662a)
• deps: update ghcr.io/renovatebot/base-image docker tag to v13.31.1 (main) (#​42226) (fa018c4)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.5.6 (main) (#​42219) (d850027)
• deps: update dependency markdownlint-cli2 to v0.22.0 (main) (#​42222) (8ae44af)

Code Refactoring

• lint: Enable oxlint correctness category (#​42218) (b79ea93)
• lint: Move style rules to oxlint (#​42221) (0a6c86f)
• lint: Switch custom rules from eslint to oxlint (#​42212) (3201eee)

v43.99.0

Compare Source

Features

• manager/kubernetes: extract image volume references from manifests (#​42038) (b438e57)

Miscellaneous Chores

• deps: lock file maintenance (main) (#​42217) (81e6582)
• deps: update dependency memfs to v4.57.0 (main) (#​42214) (dffce08)
• deps: update dependency memfs to v4.57.1 (main) (#​42216) (9dd6f5e)

Code Refactoring

• lint: remove ESLint rules already covered by oxlint (#​42213) (072e008)

v43.98.0

Compare Source

Features

• datasource: add elm-package datasource (#​41000) (f340b1a)

v43.97.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.31.0 (main) (#​42211) (91049f0)

Miscellaneous Chores

• tools: handle additional errors (#​42205) (f31aec3)

v43.96.0

Compare Source

Features

• gradle: use Java 25 with gradle >= 9.1 (#​42206) (fe7ab7e)

Miscellaneous Chores

• deps: update github/codeql-action action to v4.35.1 (main) (#​42209) (b6fa499)

Tests

• config: ensure no duplicate environment variable names (#​42204) (9c57ae1)

v43.95.0

Compare Source

Features

• replacements: add @wuchale/vite-plugin (#​42036) (cb86e66)

v43.94.1

Compare Source

Bug Fixes

• manager/npm: revert passing --before to npm install when minimumReleaseAge is set (#​42198) (a74da77)

Miscellaneous Chores

• deps: update github/codeql-action action to v4.35.0 (main) (#​42200) (860230f)

v43.94.0

Compare Source

Features

• fleet: support registryAliases (#​42045) (00fefaf)

v43.93.1

Compare Source

Bug Fixes

• gerrit: use the ready push option to ensure changes are not wip (#​40960) (1472cd9)

Documentation

• gradle: fix typo (#​40808) (fbfe8eb)
• versioning/semver-coerced: coercion specific link (#​40708) (165a6ba)

Code Refactoring

• manager/pep723: move parsing to utils (#​41673) (ec71601)

v43.93.0

Compare Source

Features

• manager/npm: pass --before to npm install when minimumReleaseAge is set (#​42051) (c4d5697)
• replacements: add replacement for Kotlin Logging maven package (#​42078) (b83db48)

Bug Fixes

• cli: avoid printing logs on --version/--help (#​42183) (93985c3)
• deps: update ghcr.io/renovatebot/base-image docker tag to v13.30.3 (main) (#​42191) (0ab23ef)
• presets: allow short @tsconfig/node references (#​42189) (be016be)
• use correct digest when replacing packages with replacementNameTemplate (#​40058) (f33f3f6)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.5.5 (main) (#​42192) (8729a3e)
• deps: update dependency tar to v7.5.12 (main) (#​42174) (ca0b442)

v43.92.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.30.2 (main) (#​42171) (2a1bbc9)

Miscellaneous Chores

• deps: update dependency oxlint-tsgolint to v0.17.1 (main) (#​42170) (704b455)

v43.92.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.30.0 (main) (#​42163) (149f8d9)

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.30.1 (main) (#​42168) (5dd56b1)

Miscellaneous Chores

• logger: sanitize boxed String objects (#​42159) (30ddfe3)

Build System

• deps: update dependency handlebars to v4.7.9 [security] (main) (#​42167) (772f4d8)

v43.91.6

Compare Source

Bug Fixes

• platform/bitbucket: replace deprecated cross-workspace repos endpoint (#​42134) (413dcdd)

Miscellaneous Chores

• allow oxlint to run in child worktrees (#​42153) (a1495c8)
• deps: update codecov/codecov-action action to v5.5.4 (main) (#​42157) (cdf6ffe)

Tests

• workers/repository: cover generation of prettyDepType (#​42152) (41eba99), closes #​42142

Build System

• deps: update dependency @​yarnpkg/core to v4.6.0 (main) (#​42160) (10bbc2e)

v43.91.5

Compare Source

Miscellaneous Chores

• deps: update dependency type-fest to v5.5.0 (main) (#​42151) (e07d27f)
• deps: update sigstore/cosign-installer action to v4.1.1 (main) (#​42149) (697491a)

Build System

• deps: update dependency @​renovatebot/osv-offline to v2.4.0 (main) (#​42150) (61cd5e3)

v43.91.4

Compare Source

Build System

• deps: update dependency yaml to v2.8.3 [security] (main) (#​42147) (5c21744)

v43.91.3

Compare Source

Build System

• deps: update dependency cronstrue to v3.14.0 (main) (#​42146) (cf3507c)

v43.91.2

Compare Source

Build System

• deps: update dependency cacache to v20.0.4 (main) (#​42143) (865387f)

v43.91.1

Compare Source

Bug Fixes

• maven-wrapper: only delete old JAR if performing updates to the properties file (#​42141) (f8abdb8), closes #​41994

v43.91.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.29.0 (main) (#​42140) (c80f520)

v43.90.1

Compare Source

Bug Fixes

• template: do not escape html character with double curly brackets (#​42136) (990c64e)

v43.90.0

Compare Source

Features

• manager/mise: add support for tart (#​42094) (18c118c)

Miscellaneous Chores

• autodiscover: log options being filtered (#​42090) (2f8c8ee)

v43.89.9

Compare Source

Bug Fixes

• instrumentation: always process Git Operation spans (#​42119) (470ee61), closes #​42118

Miscellaneous Chores

• instrumentation: remove TODO (#​42133) (3f9b23d)

Continuous Integration

• add module label sync tooling (#​42012) (f2546b8)
• add script to sync Issue Fields (#​42132) (a4e38c8)

v43.89.8

Compare Source

Bug Fixes

• preset: restore subdirectory and prefix matching for gitlabPipelineVersions preset (#​42130) (e5d5482)

v43.89.7

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.8 (main) (#​42128) (f93ae9d)

Miscellaneous Chores

• deps: update dependency node to v24.14.1 (main) (#​42127) (f7a0cd1)
• workers/repository: add more information to lookup error warnings (#​42120) (f785fd2)

v43.89.6

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.7 (main) (#​42125) (a5c62c1)

v43.89.5

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.6 (main) (#​42124) (efbec6c)

v43.89.4

Compare Source

Build System

• deps: update node.js to v24.14.1 (main) (#​42123) (60a6981)

v43.89.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.5 (main) (#​42122) (a0820df)

v43.89.2

Compare Source

Bug Fixes

• http: detect x-access-token prefix before hostType-based auth branching (#​42083) (0ae4481)

v43.89.1

Compare Source

Bug Fixes

• config: use constant for allowed Platform values (#​42111) (1a75c76)

Tests

• platform: ensure PLATFORM_HOST_TYPES is in sync with getPlatformList (#​42110) (8aed44b)

v43.89.0

Compare Source

Features

• presets: Add opentelemetry php monorepo (#​42108) (bb4f113)

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.4 (main) (#​42109) (7e879ff)

v43.88.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.3 (main) (#​42107) (1b7fa64)

Miscellaneous Chores

• bitbucket-server: remove confusing log prefix (#​42089) (a001693)
• tools: add extra newline before Markdown list (#​42084) (f283497)

v43.88.0

Compare Source

Features

• manager/mise: add support for packer (#​42093) (d297032)
• mise: support rumdl short name (#​42095) (20f12d0)

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.2 (main) (#​42105) (edebc9c)
• scm-manager: invalid base url, due to double slashes and a fixed context path (#​42068) (bcf3fcd)

Miscellaneous Chores

• deps: update dependency pdm to v2.26.7 (main) (#​42103) (2a3ea2c)
• deps: update ghcr.io/containerbase/devcontainer docker tag to v14.6.8 (main) (#​42104) (814a1db)

v43.87.1

Compare Source

Build System

• deps: update dependency sax to v1.6.0 (main) (#​42101) (afff355)

v43.87.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.28.1 (main) (#​42097) (2ba8d95)

Miscellaneous Chores

• note commit message squashing on PR template (#​39335) (8cd262f)

v43.86.2

Compare Source

Miscellaneous Chores

• deps: update dependency @​smithy/util-stream to v4.5.20 (main) (#​42079) (bb135af)
• deps: update dependency tsdown to v0.21.4 (main) (#​42075) (af60452)
• deps: update dependency typescript-eslint to v8.57.1 (main) (#​42092) (fad7cad)
• deps: update linters to v1.56.0 (main) (#​42071) (d6fd567)

Build System

• deps: update dependency google-auth-library to v10.6.2 (main) (#​42091) ([d3bde51](https://red

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.