GHSA-5vjq-5jmg-39xq: Renovate remote code execution via the bazel-module or bazelisk managers when using lockFileMaintenance
In Renovate releases from 43.65.0 (2026-03-12) through 43.102.11 (2026-04-02), running lockFileMaintenance with the bazel-module or bazelisk managers allowed remote code execution by a malicious dependency, when the Bazel module executed code that relied on that dependency. Deployments outside that version range, or with lockFileMaintenance disabled for those two managers, are not described as affected.
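To triage a self-hosted Renovate deployment against this advisory, here is an added example (not Renovate's own code and not part of the advisory) that compares the installed version with the affected range and inspects a renovate.json to see whether lockFileMaintenance is enabled for the bazel-module or bazelisk managers. The config model it uses is a deliberate simplification and an assumption of this example: a top-level lockFileMaintenance setting, overridden by packageRules entries whose matchManagers lists the manager (later rules win), with no preset or extends expansion. The two sample configs are constructed for the example.

```python
"""Triage helper for GHSA-5vjq-5jmg-39xq (added example, not Renovate project code).

Assumptions (not from the advisory): the affected range is inclusive at both
ends, pre-release/build suffixes are ignored when comparing versions, and
config resolution is the simplified model described in the lead-in.
"""
import json
import re

# Affected window taken from the advisory text.
AFFECTED_MIN = (43, 65, 0)
AFFECTED_MAX = (43, 102, 11)
# Renovate manager names named in the advisory.
AFFECTED_MANAGERS = ("bazel-module", "bazelisk")


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional suffix) into a tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?", version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(part) for part in m.groups())


def version_affected(version):
    """True if the Renovate version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def lock_file_maintenance_enabled_for(config, manager):
    """Resolve whether lockFileMaintenance is enabled for one manager.

    Simplified model (assumption): start from the top-level setting, then apply
    packageRules that match the manager in order, later rules overriding earlier.
    """
    enabled = bool(config.get("lockFileMaintenance", {}).get("enabled", False))
    for rule in config.get("packageRules", []):
        if manager not in rule.get("matchManagers", []):
            continue
        override = rule.get("lockFileMaintenance")
        if isinstance(override, dict) and "enabled" in override:
            enabled = bool(override["enabled"])
    return enabled


def exposed_managers(renovate_version, config):
    """Return the affected managers that still have lockFileMaintenance enabled,
    or an empty list when the version is outside the affected range."""
    if not version_affected(renovate_version):
        return []
    return [m for m in AFFECTED_MANAGERS if lock_file_maintenance_enabled_for(config, m)]


# Constructed sample configs (not taken from any real repository).
VULNERABLE_CONFIG = json.loads("""
{
  "extends": ["config:recommended"],
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 4am on monday"] }
}
""")

# Same config plus a packageRules entry switching lockFileMaintenance off for
# the two managers named in the advisory, leaving it on for everything else.
MITIGATED_CONFIG = json.loads("""
{
  "extends": ["config:recommended"],
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 4am on monday"] },
  "packageRules": [
    {
      "matchManagers": ["bazel-module", "bazelisk"],
      "lockFileMaintenance": { "enabled": false }
    }
  ]
}
""")


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        for ver in ("43.64.9", "43.80.0", "43.102.11", "43.102.12"):
            print(f"{label:10} renovate {ver:9} exposed managers: {exposed_managers(ver, cfg)}")
```

The packageRules override shown in MITIGATED_CONFIG is a stop-gap for deployments that cannot move off an affected version immediately; it narrows exposure to the two managers the advisory names without touching lockFileMaintenance for other managers. Upgrading out of the affected range remains the actual fix.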