Skip to content

fix: upgrade OpenTelemetry OTLP deps to 0.209.0 to resolve protobufjs vulnerability#3784

Closed
mdayan8 wants to merge 1 commit into
triggerdotdev:mainfrom
mdayan8:fix/upgrade-otel-deps
Closed

fix: upgrade OpenTelemetry OTLP deps to 0.209.0 to resolve protobufjs vulnerability#3784
mdayan8 wants to merge 1 commit into
triggerdotdev:mainfrom
mdayan8:fix/upgrade-otel-deps

Conversation

@mdayan8
Copy link
Copy Markdown

@mdayan8 mdayan8 commented May 31, 2026

Summary

Upgrades @opentelemetry/exporter-logs-otlp-http, @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-metrics-otlp-proto, and @opentelemetry/exporter-trace-otlp-http from 0.203.0 to 0.209.0 across the monorepo, along with their co-dependencies.

Why

Vulnerability chain: @opentelemetry/otlp-transformer@0.203.0protobufjs@7.5.5 (vulnerable). @opentelemetry/otlp-transformer@0.209.0 depends on protobufjs@8.0.0 which resolves it.

Changes

File Packages bumped
packages/core/package.json 10
packages/cli-v3/package.json 6
apps/webapp/package.json 12
references/d3-chat/package.json 6

@mdayan8
fix: upgrade OpenTelemetry OTLP deps to 0.209.0 to resolve protobufjs…
409f58a 
…@7.5.5 vulnerability

Updates @opentelemetry OTLP exporter packages from 0.203.0 to 0.209.0
and their co-dependencies (core, resources, SDK packages) to matching
versions. This pulls in @opentelemetry/otlp-transformer@0.209.0 which
depends on protobufjs@8.0.0, resolving the protobufjs@7.5.5
vulnerability.

Affected packages:
  - packages/core/package.json     (10 deps bumped)
  - packages/cli-v3/package.json   (6 deps bumped)
  - apps/webapp/package.json       (12 deps bumped)
  - references/d3-chat/package.json (6 deps bumped)
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 31, 2026

⚠️ No Changeset found

Latest commit: 409f58a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 31, 2026

Hi @mdayan8, thanks for your interest in contributing!

This project requires that pull request authors are vouched, and you are not in the list of vouched users.

This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.

@github-actions github-actions Bot closed this May 31, 2026
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 31, 2026
edited
Loading

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9e0fc317-db43-4871-9466-3b80be9e345d

📥 Commits

Reviewing files that changed from the base of the PR and between 9cb6fd1 and 409f58a.

⛔ Files ignored due to path filters (1)
  • references/d3-chat/package.json is excluded by !references/**
📒 Files selected for processing (3)
  • apps/webapp/package.json
  • packages/cli-v3/package.json
  • packages/core/package.json

Walkthrough

This PR upgrades OpenTelemetry packages across the monorepo from versions 0.203.0/2.0.1 to 0.209.0/2.3.0. The changes affect apps/webapp/package.json, packages/cli-v3/package.json, and packages/core/package.json, updating 30+ dependency entries consistently across API, core, OTLP exporters, instrumentation, resources, and SDK packages. No code logic, scripts, or other configuration fields are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

devin-ai-integration[bot]
devin-ai-integration Bot reviewed May 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 0 potential issues.

View 1 additional finding in Devin Review.

Open in Devin Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mdayan8