Lock file maintenance npm dependencies (main)

[red-hat-konflux]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 04:59 AM (* 0-4 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 4:49 AM UTC · Completed 4:58 AM UTC
Commit: 47d3320 · View workflow run →

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	53.44% <ø> (ø)
generative	16.79% <ø> (ø)
integration	27.66% <ø> (ø)
unit	69.13% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fullsend-ai-review]

Review

Findings

High

• [supply chain / dependency integrity] package-lock.json:302 — lodash is being updated from 4.17.21 to 4.18.1. As of mid-2025, lodash 4.17.21 was the latest release and the repository had been largely inactive. However, the current date is June 2026, meaning a legitimate 4.18.x release could have occurred in the intervening year. The version should be verified against the npm registry before merging.
  Remediation: Before merging: (1) Run npm view lodash versions or check https://www.npmjs.com/package/lodash to confirm 4.18.1 is a legitimate release. (2) If it does not exist or was published by an unexpected maintainer, reject this PR. (3) If legitimate, review the changelog before accepting.

Low

• [supply chain / dependency verification] package-lock.json — The other dependency updates in this PR (fastq 1.19.1 → 1.20.1, picomatch 2.3.1 → 2.3.2, yaml 1.10.2 → 1.10.3) are routine minor/patch bumps from well-maintained packages. These are normal lock file maintenance updates produced by Renovate.

---

Labels: PR contains a dependency version bump that requires manual verification for supply chain integrity

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[high] supply chain / dependency integrity

lodash is being updated from 4.17.21 to 4.18.1. As of mid-2025, lodash 4.17.21 was the latest release and the repository had been largely inactive. However, the current date is June 2026, meaning a legitimate 4.18.x release could have occurred in the intervening year. The version should be verified against the npm registry before merging.

Suggested fix: Before merging: (1) Run 'npm view lodash versions' or check https://www.npmjs.com/package/lodash to confirm 4.18.1 is a legitimate release. (2) If it does not exist or was published by an unexpected maintainer, reject this PR. (3) If legitimate, review the changelog before accepting.