fix(deps): runtime dependency security fixes#21771

Closed
javascript-sdk-gitflow[bot] wants to merge 1 commit into
developfrom
bot/dependabot-fixes-runtime

Conversation

@javascript-sdk-gitflow

Contributor

Summary

Batched runtime dependency security fixes. One commit per vulnerability.

Fixes

The @opentelemetry/core devDependency floor was bumped to ^2.8.0 in @sentry/node-core, @sentry/opentelemetry, and node-core-integration-tests, moving the resolved first-party version off the vulnerable 2.6.1. peerDependency ranges were intentionally left at ^1.30.1 || ^2.1.0 to preserve OpenTelemetry v1/v2 compatibility for downstream consumers (narrowing them would be a breaking change).

Partially resolved — needs human

  • @opentelemetry/core 2.6.1 still remains transitively in the lockfile because the @opentelemetry/exporter-trace-otlp-http@0.214.0 experimental suite (exporter-trace-otlp-http, instrumentation-http, otlp-transformer, sdk-logs, sdk-metrics, resources, sdk-trace-base) pins @opentelemetry/core to the exact version 2.6.1. Our range for that suite (^0.214.0) locks to 0.214.x, and a release pinning core 2.8.0 only ships in a newer minor (0.215+). Fully clearing the alert requires a coordinated bump of the entire OpenTelemetry experimental suite, which is a breaking-risk change outside the CI-safe patch/minor gate — https://github.com/getsentry/sentry-javascript/security/dependabot/1962

🤖 Generated with Claude Code

Bumps the @opentelemetry/core devDependency floor to ^2.8.0 in @sentry/node-core, @sentry/opentelemetry, and node-core-integration-tests so the resolved version moves off the vulnerable 2.6.1. peerDependency ranges are intentionally left at ^1.30.1 || ^2.1.0 to preserve OTel v1/v2 compatibility for consumers. Resolves GHSA-8988-4f7v-96qf / CVE-2026-54285 (medium). Dependabot alert: https://github.com/getsentry/sentry-javascript/security/dependabot/1962

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@javascript-sdk-gitflow javascript-sdk-gitflow Bot requested a review from a team as a code owner June 25, 2026 00:39
@javascript-sdk-gitflow javascript-sdk-gitflow Bot requested review from JPeer264, andreiborza and mydea and removed request for a team June 25, 2026 00:39
@github-actions

Contributor

size-limit report 📦

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 27.47 kB | - | - |
| @sentry/browser - with treeshaking flags | 25.91 kB | - | - |
| @sentry/browser (incl. Tracing) | 45.97 kB | - | - |
| @sentry/browser (incl. Tracing + Span Streaming) | 47.72 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 50.76 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 85.22 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 74.81 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 89.91 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 102.57 kB | - | - |
| @sentry/browser (incl. Feedback) | 44.66 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 32.26 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 37.4 kB | - | - |
| @sentry/browser (incl. Metrics) | 28.54 kB | - | - |
| @sentry/browser (incl. Logs) | 28.78 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 29.47 kB | - | - |
| @sentry/react | 29.27 kB | - | - |
| @sentry/react (incl. Tracing) | 48.28 kB | - | - |
| @sentry/vue | 32.63 kB | - | - |
| @sentry/vue (incl. Tracing) | 47.84 kB | - | - |
| @sentry/svelte | 27.5 kB | - | - |
| CDN Bundle | 29.89 kB | - | - |
| CDN Bundle (incl. Tracing) | 47.89 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 31.44 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 49.24 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 70.78 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 85.4 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 86.68 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 91.19 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 92.45 kB | - | - |
| CDN Bundle - uncompressed | 88.94 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 145.03 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 93.65 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 149 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 218.62 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 264.05 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 268 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 277.75 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 281.69 kB | - | - |
| @sentry/nextjs (client) | 50.67 kB | - | - |
| @sentry/sveltekit (client) | 46.37 kB | - | - |
| @sentry/core/server | 76.5 kB | - | - |
| @sentry/core/browser | 63.63 kB | - | - |
| @sentry/node-core | 61.52 kB | +0.02% | +11 B 🔺 |
| @sentry/node | 122.89 kB | +0.2% | +236 B 🔺 |
| @sentry/node/import (ESM hook with diagnostics-channel injection) | 69.95 kB | - | - |
| @sentry/node/light | 50.4 kB | - | - |
| @sentry/node - without tracing | 73.77 kB | +0.31% | +223 B 🔺 |
| @sentry/aws-serverless | 84.94 kB | +0.25% | +208 B 🔺 |
| @sentry/cloudflare (withSentry) - minified | 176.92 kB | - | - |
| @sentry/cloudflare (withSentry) | 439.66 kB | - | - |

@JPeer264

Member

I don't think we want to update OTel rn. Feel free to reopen

@JPeer264 JPeer264 closed this Jun 25, 2026
@JPeer264 JPeer264 deleted the bot/dependabot-fixes-runtime branch June 25, 2026 06:15