
fix(deps): runtime dependency security fixes #21853

Closed
javascript-sdk-gitflow[bot] wants to merge 1 commit into develop from bot/dependabot-fixes-runtime

Conversation

@javascript-sdk-gitflow (Contributor)

Summary

Batched runtime dependency security fixes. One commit per vulnerability.

Fixes

OpenTelemetry pins its internal @opentelemetry/core to an exact version, so clearing the vulnerable 2.6.1 required bumping the parent packages that pulled it in alongside the direct dependency:

  • @opentelemetry/sdk-trace-base 2.6.1 → 2.8.0
  • @opentelemetry/resources 2.6.1 → 2.8.0
  • @opentelemetry/exporter-trace-otlp-http 0.214.0 → 0.219.0
  • @opentelemetry/instrumentation-http 0.214.0 → 0.219.0

After the bump, yarn why @opentelemetry/core resolves to a single 2.8.0 entry. The optional OpenTelemetry peer dependency ranges (^1.30.1 || ^2.1.0, >=0.57.0 <1) are intentionally left wide so consumer compatibility is unchanged; only the SDK's own dev/runtime resolutions were raised. @sentry/node-core and @sentry/node build cleanly against the new versions.

🤖 Generated with Claude Code

Bumps @opentelemetry/core to 2.8.0 and the OpenTelemetry parent packages that pinned core 2.6.1 exactly (sdk-trace-base and resources to 2.8.0; exporter-trace-otlp-http and instrumentation-http to 0.219.0), so no vulnerable @opentelemetry/core remains in the dependency tree. Optional peer dependency ranges are kept wide to preserve consumer compatibility. Resolves GHSA-8988-4f7v-96qf / CVE-2026-54285 (medium). Dependabot alert: https://github.com/getsentry/sentry-javascript/security/dependabot/1962

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
javascript-sdk-gitflow[bot] requested a review from a team as a code owner June 30, 2026 00:45
javascript-sdk-gitflow[bot] requested review from JPeer264, andreiborza and mydea and removed request for a team June 30, 2026 00:45
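As an added example (not code from the PR, sentry-javascript or OpenTelemetry), the check a reviewer would run to confirm the description's two claims: that no copy of @opentelemetry/core below the bumped version remains anywhere in the tree, including copies nested under parents that pin it exactly, and that the raised resolution still falls inside the wide peer ranges the PR quotes. It walks a tree in the shape `npm ls --all --json` prints. The two sample trees, their versions and nesting, and the use of 2.8.0 as the minimum acceptable version are assumptions modelled on the PR text, not the real lockfile; the range helper handles only the `^`, `>=`, `<` and `||` forms the PR mentions.

```javascript
// Added example for this PR page, not code from sentry-javascript or OpenTelemetry.
// Walks a dependency tree in the shape `npm ls --all --json` prints
// ({ name, version, dependencies: { <name>: { version, dependencies } } }) and reports
// every resolved copy of a package still below a minimum version, with the chain of
// parents that pulled that copy in. Both trees below are constructed for illustration;
// their versions and nesting are assumptions modelled on the PR text.

// Before the bump: the direct dependency is already 2.8.0, but two parents pin core 2.6.1
// exactly, so two extra copies sit nested under them.
const TREE_BEFORE = {
  name: "@sentry/node-core",
  version: "0.0.0-dev",
  dependencies: {
    "@opentelemetry/core": { version: "2.8.0" },
    "@opentelemetry/sdk-trace-base": {
      version: "2.6.1",
      dependencies: { "@opentelemetry/core": { version: "2.6.1" } },
    },
    "@opentelemetry/resources": {
      version: "2.6.1",
      dependencies: { "@opentelemetry/core": { version: "2.6.1" } },
    },
  },
};

// After the bump: parents on 2.8.0 share the hoisted copy, so a single core remains.
const TREE_AFTER = {
  name: "@sentry/node-core",
  version: "0.0.0-dev",
  dependencies: {
    "@opentelemetry/core": { version: "2.8.0" },
    "@opentelemetry/sdk-trace-base": { version: "2.8.0" },
    "@opentelemetry/resources": { version: "2.8.0" },
  },
};

// Parse "MAJOR[.MINOR[.PATCH]]" into three numbers; prerelease/build suffixes are ignored.
function parseSemver(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [m[1], m[2] ?? "0", m[3] ?? "0"].map(Number);
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Every resolved copy of `pkg` as { version, path }; path is the parent chain, root first.
function findCopies(tree, pkg, path = [tree.name]) {
  const out = [];
  for (const [name, node] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, name];
    if (name === pkg) out.push({ version: node.version, path: here });
    out.push(...findCopies({ name, ...node }, pkg, here));
  }
  return out;
}

// Copies whose version is below `minSafeVersion`, i.e. the ones a bump has still to clear.
function vulnerableCopies(tree, pkg, minSafeVersion) {
  return findCopies(tree, pkg).filter((c) => compareSemver(c.version, minSafeVersion) < 0);
}

// Minimal range check for the forms the PR quotes: "^x.y.z" carets, ">=a <b"
// comparators joined by spaces, and "||" alternatives. Not a full semver implementation.
function satisfiesComparator(version, c) {
  if (c.startsWith("^")) {
    const base = c.slice(1);
    const [maj, min, pat] = parseSemver(base);
    // caret: >= base and below the next bump of the leftmost non-zero component
    const upper = maj > 0 ? `${maj + 1}.0.0` : min > 0 ? `0.${min + 1}.0` : `0.0.${pat + 1}`;
    return compareSemver(version, base) >= 0 && compareSemver(version, upper) < 0;
  }
  if (c.startsWith(">=")) return compareSemver(version, c.slice(2)) >= 0;
  if (c.startsWith("<")) return compareSemver(version, c.slice(1)) < 0;
  throw new Error(`unsupported comparator: ${c}`);
}

function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => satisfiesComparator(version, c)));
}

// Stand-alone run: list what still needs clearing, then confirm the peer range admits both
// the raised dev resolution and an older consumer-side 1.x core.
for (const [label, tree] of [["before", TREE_BEFORE], ["after", TREE_AFTER]]) {
  const bad = vulnerableCopies(tree, "@opentelemetry/core", "2.8.0");
  console.log(`${label}: ${bad.length} vulnerable copies`);
  for (const c of bad) console.log(`  ${c.version} via ${c.path.join(" > ")}`);
}
console.log("2.8.0 in ^1.30.1 || ^2.1.0:", satisfies("2.8.0", "^1.30.1 || ^2.1.0"));
console.log("1.30.1 in ^1.30.1 || ^2.1.0:", satisfies("1.30.1", "^1.30.1 || ^2.1.0"));
```

On a real checkout, replace the constructed trees with `JSON.parse` of `npm ls --all --json` output; the `path` of each reported copy names the parent whose exact pin has to be raised, which is exactly the parent list the PR description arrives at by hand.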
@github-actions (Contributor)

size-limit report 📦

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 27.48 kB | - | - |
| @sentry/browser - with treeshaking flags | 25.91 kB | - | - |
| @sentry/browser (incl. Tracing) | 46.01 kB | - | - |
| @sentry/browser (incl. Tracing + Span Streaming) | 47.76 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 50.8 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 85.26 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 74.85 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 89.95 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 102.61 kB | - | - |
| @sentry/browser (incl. Feedback) | 44.66 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 32.26 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 37.4 kB | - | - |
| @sentry/browser (incl. Metrics) | 28.54 kB | - | - |
| @sentry/browser (incl. Logs) | 28.78 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 29.47 kB | - | - |
| @sentry/react | 29.27 kB | - | - |
| @sentry/react (incl. Tracing) | 48.32 kB | - | - |
| @sentry/vue | 32.66 kB | - | - |
| @sentry/vue (incl. Tracing) | 47.87 kB | - | - |
| @sentry/svelte | 27.5 kB | - | - |
| CDN Bundle | 29.89 kB | - | - |
| CDN Bundle (incl. Tracing) | 47.95 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 31.44 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 49.3 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 70.77 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 85.45 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 86.72 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 91.25 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 92.5 kB | - | - |
| CDN Bundle - uncompressed | 88.95 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 145.18 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 93.65 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 149.15 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 218.63 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 264.19 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 268.15 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 277.89 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 281.84 kB | - | - |
| @sentry/nextjs (client) | 50.71 kB | - | - |
| @sentry/sveltekit (client) | 46.41 kB | - | - |
| @sentry/core/server | 77.67 kB | - | - |
| @sentry/core/browser | 63.97 kB | - | - |
| @sentry/node-core | 61.42 kB | +0.01% | +2 B 🔺 |
| @sentry/node | 123.26 kB | +0.42% | +507 B 🔺 |
| @sentry/node/import (ESM hook with diagnostics-channel injection) | 69.95 kB | - | - |
| @sentry/node/light | 50.39 kB | - | - |
| @sentry/node - without tracing | 73.67 kB | +0.73% | +527 B 🔺 |
| @sentry/aws-serverless | 84.55 kB | +0.64% | +532 B 🔺 |
| @sentry/cloudflare (withSentry) - minified | 180.46 kB | - | - |
| @sentry/cloudflare (withSentry) | 446.48 kB | - | - |


@andreiborza (Member)

No, we won't bump OTel.
