## What it is
Renovate config `.renovaterc.json` with the following rules:
- `vulnerabilityAlerts.enabled: true` → a PR is opened automatically for every CVE reported as a vulnerability alert
- HIGH/CRITICAL severity → auto-merge once CI is green (patch versions only)
- MEDIUM → PR for manual review, 7-day deadline
- LOW → grouped into a weekly digest PR
- Major bumps → manual review, never auto-merged
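The rules above expressed as a config, as an added illustration rather than the repository's actual `.renovaterc.json`. It assumes a Renovate version that supports the `vulnerabilitySeverity` matcher in `packageRules` (verify the key and its value type against the Renovate docs for the version you run); severities use GitHub's naming, so the page's MEDIUM is `MODERATE`. Renovate has no notion of a review deadline, so the 7-day rule is only expressed as a label here and must be enforced elsewhere; the major-bump rule is last because later `packageRules` override earlier ones:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "osvVulnerabilityAlerts": true,
  "packageRules": [
    {
      "description": "CRITICAL: auto-merge patch updates once required status checks pass",
      "isVulnerabilityAlert": true,
      "vulnerabilitySeverity": "CRITICAL",
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr",
      "ignoreTests": false
    },
    {
      "description": "HIGH: same policy as CRITICAL",
      "isVulnerabilityAlert": true,
      "vulnerabilitySeverity": "HIGH",
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr",
      "ignoreTests": false
    },
    {
      "description": "MODERATE (MEDIUM): manual review; the 7-day deadline is enforced outside Renovate (assumed label)",
      "isVulnerabilityAlert": true,
      "vulnerabilitySeverity": "MODERATE",
      "automerge": false,
      "labels": ["security", "review-within-7d"]
    },
    {
      "description": "LOW: one grouped PR per week",
      "isVulnerabilityAlert": true,
      "vulnerabilitySeverity": "LOW",
      "groupName": "low-severity vulnerability alerts",
      "schedule": ["before 6am on monday"],
      "automerge": false
    },
    {
      "description": "Major bumps are never auto-merged, vulnerability alert or not",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```

Because the HIGH/CRITICAL rules match `patch` only, a security fix that is only available as a minor or major bump falls through to manual review, which is the intended behaviour. `ignoreTests: false` is the default and is spelled out to make explicit that automerge waits for the required status checks.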
CI gate: `npm audit --audit-level=high` → the PR fails if a HIGH finding appears. Note that `--audit-level=high` makes `npm audit` exit non-zero for any high or critical advisory in the lockfile, not only newly introduced ones, so a pre-existing HIGH must be fixed or explicitly excepted before this gate stays green. The SBOM (CycloneDX) is compared with the previous release; new HIGH-severity dependencies block the release.
Components: `.renovaterc.json`, `.github/workflows/sbom-diff.yml`, `scripts/sbom-compare`.
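As an added example, not the repository's `scripts/sbom-compare` (whose code is not on this page), here is the core of such a release gate in JavaScript. It assumes CycloneDX JSON SBOMs with `components[].purl`, `components[]["bom-ref"]` and a `vulnerabilities[]` array (CycloneDX 1.4+) whose entries point at affected components through `affects[].ref` and carry `ratings[].severity`. The two SBOMs, the `example-*` package names and the `EXAMPLE-*` ids are constructed sample data, not real packages or advisories:

```javascript
// Added example of the SBOM diff release gate; not the project's own script.
// Assumed SBOM shape: CycloneDX JSON with components[].purl, components[]["bom-ref"]
// and vulnerabilities[] entries carrying affects[].ref and ratings[].severity.

const BLOCKING_SEVERITIES = new Set(["high", "critical"]);

// Severity ladder used to pick the worst rating on a vulnerability entry.
const SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"];

function maxSeverity(vuln) {
  let worst = "unknown";
  for (const rating of vuln.ratings || []) {
    const s = String(rating.severity || "unknown").toLowerCase();
    if (SEVERITY_ORDER.indexOf(s) > SEVERITY_ORDER.indexOf(worst)) worst = s;
  }
  return worst;
}

// purls present in `current` but not in `previous`. Brand-new dependencies and
// version bumps both count, because a bumped version is a different artifact.
function newPurls(previous, current) {
  const before = new Set((previous.components || []).map((c) => c.purl));
  return (current.components || [])
    .map((c) => c.purl)
    .filter((purl) => purl && !before.has(purl));
}

// bom-ref -> purl, so affects[].ref can be resolved to a component.
function refToPurl(sbom) {
  const index = new Map();
  for (const c of sbom.components || []) index.set(c["bom-ref"] || c.purl, c.purl);
  return index;
}

// Findings that block the release: HIGH/CRITICAL vulnerabilities whose affected
// component is new relative to the previous release's SBOM.
function blockingFindings(previous, current) {
  const added = new Set(newPurls(previous, current));
  const refs = refToPurl(current);
  const findings = [];
  for (const vuln of current.vulnerabilities || []) {
    const severity = maxSeverity(vuln);
    if (!BLOCKING_SEVERITIES.has(severity)) continue;
    for (const target of vuln.affects || []) {
      const purl = refs.get(target.ref) || target.ref;
      if (added.has(purl)) findings.push({ id: vuln.id, severity, purl });
    }
  }
  return findings;
}

// Exit code for the CI step: 1 blocks the release, 0 lets it through.
function gateExitCode(previous, current) {
  return blockingFindings(previous, current).length > 0 ? 1 : 0;
}

// Constructed sample SBOMs (fictional packages, placeholder ids). bom-ref equals
// purl here for brevity; real generators often emit opaque bom-refs.
const PREVIOUS_SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", "bom-ref": "pkg:npm/example-parser@2.0.0", purl: "pkg:npm/example-parser@2.0.0" },
    { type: "library", "bom-ref": "pkg:npm/example-http@1.4.0", purl: "pkg:npm/example-http@1.4.0" },
  ],
  vulnerabilities: [],
};

const CURRENT_SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", "bom-ref": "pkg:npm/example-parser@2.0.1", purl: "pkg:npm/example-parser@2.0.1" },
    { type: "library", "bom-ref": "pkg:npm/example-http@1.4.0", purl: "pkg:npm/example-http@1.4.0" },
    { type: "library", "bom-ref": "pkg:npm/example-cli-args@0.9.0", purl: "pkg:npm/example-cli-args@0.9.0" },
  ],
  vulnerabilities: [
    // HIGH on a newly added component: this one blocks the release.
    { id: "EXAMPLE-0001", ratings: [{ severity: "high" }], affects: [{ ref: "pkg:npm/example-cli-args@0.9.0" }] },
    // HIGH on a component already in the previous release: the diff does not flag
    // it, which is why the npm audit step still has to run on every PR.
    { id: "EXAMPLE-0002", ratings: [{ severity: "high" }], affects: [{ ref: "pkg:npm/example-http@1.4.0" }] },
    // LOW on a bumped component: Renovate's weekly digest, not a release blocker.
    { id: "EXAMPLE-0003", ratings: [{ severity: "low" }], affects: [{ ref: "pkg:npm/example-parser@2.0.1" }] },
  ],
};

for (const f of blockingFindings(PREVIOUS_SBOM, CURRENT_SBOM)) {
  console.log(`BLOCK ${f.severity.toUpperCase()} ${f.id} in new component ${f.purl}`);
}
console.log(`exit code: ${gateExitCode(PREVIOUS_SBOM, CURRENT_SBOM)}`);
```

In the workflow the previous release's SBOM would be read from the last release's assets and the current one produced by a CycloneDX generator for npm (for example `@cyclonedx/cyclonedx-npm`; tooling choice assumed, not stated on the page), with the step exiting with `gateExitCode` so the job fails on a blocking finding. The diff is deliberately silent about HIGH findings on components that were already shipped; the `npm audit` gate, not the SBOM diff, is what catches those.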
## Why
A known CVE in production is inexcusable. Renovate with an aggressive policy on HIGH/CRITICAL gives a mean time to patch of ≤ 24h without manual ops overhead. The SBOM diff in the release gate is the last line of defense, so that new vulnerabilities do not slip through.
## Sources of inspiration
- [m14r41/PentestingEverything](https://github.com/m14r41/PentestingEverything) — OWASP + SAST/DAST + DevSecOps methodology
- [tailscale-dev/tailscale-acl-combiner](https://github.com/tailscale-dev/tailscale-acl-combiner) — policy composition patterns
- [JoshuaKGoldberg/TypeStat](https://github.com/JoshuaKGoldberg/TypeStat) — automated migrations for dependencies
## 🔗 Linear
- [PZD-425](https://linear.app/kuhjie/issue/PZD-425) — backing ticket