GHSA-8wc6-vgrq-x6cf: 
JavaScript vulnerability analysis and mitigation

When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to. Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to. This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment. It is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.

Impact

Child processes spawned by Renovate (i.e. npm install, anything defined in postUpgradeTasks or postUpdateOptions) will have full access to the environment variables that the Renovate process has. This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.

Patches

This is patched in 42.96.3 and 43.4.4.

Workarounds

There are no workarounds, other than upgrading your Renovate version.

Why did this happen?

As part of work towards https://github.com/renovatebot/renovate/security/advisories/GHSA-pfq2-hh62-7m96, one of the preparatory changes we made was moving to execa. One of the default behaviours of execa is to extend the process' environment variables with any new ones, rather than override them. This was missed in code review, which meant that since this version, the full environment variables have been provided to any child processes spawned with execa by Renovate. This was discovered as part of an unrelated change.