fix(deps): runtime dependency security fixes #21771
Closed
javascript-sdk-gitflow[bot] wants to merge 1 commit into
Bumps the @opentelemetry/core devDependency floor to ^2.8.0 in @sentry/node-core, @sentry/opentelemetry, and node-core-integration-tests so the resolved version moves off the vulnerable 2.6.1. peerDependency ranges are intentionally left at ^1.30.1 || ^2.1.0 to preserve OTel v1/v2 compatibility for consumers.

Resolves GHSA-8988-4f7v-96qf / CVE-2026-54285 (medium).

Dependabot alert: https://github.com/getsentry/sentry-javascript/security/dependabot/1962

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Member
I don't think we want to update OTel rn. Feel free to reopen
Summary
Batched runtime dependency security fixes. One commit per vulnerability.
Fixes
@opentelemetry/core 2.6.1 → 2.8.0 — GHSA-8988-4f7v-96qf / CVE-2026-54285 (medium) — https://github.com/getsentry/sentry-javascript/security/dependabot/1962

The @opentelemetry/core devDependency floor was bumped to ^2.8.0 in @sentry/node-core, @sentry/opentelemetry, and node-core-integration-tests, moving the resolved first-party version off the vulnerable 2.6.1. peerDependency ranges were intentionally left at ^1.30.1 || ^2.1.0 to preserve OpenTelemetry v1/v2 compatibility for downstream consumers (narrowing them would be a breaking change).

Partially resolved — needs human

@opentelemetry/core 2.6.1 still remains transitively in the lockfile because the @opentelemetry/exporter-trace-otlp-http@0.214.0 experimental suite (exporter-trace-otlp-http, instrumentation-http, otlp-transformer, sdk-logs, sdk-metrics, resources, sdk-trace-base) pins @opentelemetry/core to the exact version 2.6.1. Our range for that suite (^0.214.0) locks to 0.214.x, and a release pinning core 2.8.0 only ships in a newer minor (0.215+). Fully clearing the alert requires a coordinated bump of the entire OpenTelemetry experimental suite, which is a breaking-risk change outside the CI-safe patch/minor gate — https://github.com/getsentry/sentry-javascript/security/dependabot/1962

🤖 Generated with Claude Code
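The "partially resolved" situation above is easy to verify mechanically. The following is an added example, not code from the PR or from sentry-javascript: it walks an npm lockfile (v2/v3 `packages` map) for every installed copy of a package, reports which dependent pins each copy and whether it is still below the fixed version, and applies the caret rule that keeps `^0.214.0` from ever resolving to 0.215.x. The lockfile fragment is constructed to mirror the PR text and all function names are my own.

```javascript
// Added example (not from the PR or sentry-javascript): find every surviving copy
// of a package in an npm lockfile, attribute it to the dependent that pins it, and
// show why a caret range on a 0.x version cannot cross a minor boundary.
const parse = v => v.split('.').map(Number);                 // "2.6.1" -> [2, 6, 1]
const cmp = (a, b) => a.map((x, i) => Math.sign(x - b[i])).find(s => s !== 0) || 0;

// Caret semantics as npm applies them: ^1.2.3 => >=1.2.3 <2.0.0, but a leading
// zero pins one more field: ^0.2.3 => >=0.2.3 <0.3.0, and ^0.0.3 => exactly 0.0.3.
// "||" joins alternatives, as in the peerDependency range "^1.30.1 || ^2.1.0".
function caretAllows(range, version) {
  const v = parse(version);
  return range.split('||').some(part => {
    const base = parse(part.trim().replace(/^\^/, ''));
    if (cmp(v, base) < 0) return false;
    const locked = base[0] > 0 ? 1 : base[1] > 0 ? 2 : 3;   // leading fields that must match
    return v.slice(0, locked).every((x, i) => x === base[i]);
  });
}

// Every installed copy of `name`: its version, the package whose node_modules it is
// nested under ("<root>" for a top-level copy), the spec that owner declared for it,
// and whether the copy is still below the fixed version.
function findCopies(lock, name, fixedIn) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path.endsWith(suffix))
    .map(([path, entry]) => {
      const owner = path.slice(0, -suffix.length).replace(/\/$/, '');
      const decl = lock.packages[owner] || {};
      const spec = (decl.dependencies || {})[name] || (decl.devDependencies || {})[name] || null;
      return { path, version: entry.version, owner: owner || '<root>', spec,
               vulnerable: cmp(parse(entry.version), parse(fixedIn)) < 0 };
    });
}

// Constructed lockfile fragment mirroring the PR text: the root devDependency now
// resolves 2.8.0, but the experimental exporter suite still nests an exact 2.6.1.
const sampleLock = { packages: {
  '': { devDependencies: { '@opentelemetry/core': '^2.8.0' } },
  'node_modules/@opentelemetry/core': { version: '2.8.0' },
  'node_modules/@opentelemetry/exporter-trace-otlp-http': {
    version: '0.214.0', dependencies: { '@opentelemetry/core': '2.6.1' } },
  'node_modules/@opentelemetry/exporter-trace-otlp-http/node_modules/@opentelemetry/core': {
    version: '2.6.1' },
} };

for (const c of findCopies(sampleLock, '@opentelemetry/core', '2.8.0'))
  console.log(`${c.version} at ${c.path} (pinned by ${c.owner} as ${c.spec}) vulnerable=${c.vulnerable}`);
console.log('^0.214.0 allows 0.215.0?', caretAllows('^0.214.0', '0.215.0'));  // false
```

Running it against a real package-lock.json (after `JSON.parse`) lists every nested copy a Dependabot alert can still see even when the top-level resolution is fixed.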