From 409f58ac885ce58ecc508ee00b0051eff2a502a0 Mon Sep 17 00:00:00 2001
From: Md Ayan
Date: Sun, 31 May 2026 20:11:42 +0530
Subject: [PATCH] fix: upgrade OpenTelemetry OTLP deps to 0.209.0 to resolve protobufjs@7.5.5 vulnerability Updates @opentelemetry OTLP exporter packages from 0.203.0 to 0.209.0 and their co-dependencies (core, resources, SDK packages) to matching versions. This pulls in @opentelemetry/otlp-transformer@0.209.0 which depends on protobufjs@8.0.0, resolving the protobufjs@7.5.5 vulnerability. Affected packages: - packages/core/package.json (10 deps bumped) - packages/cli-v3/package.json (6 deps bumped) - apps/webapp/package.json (12 deps bumped) - references/d3-chat/package.json (6 deps bumped)
---
 apps/webapp/package.json | 26 +++++++++++++-------------
 packages/cli-v3/package.json | 12 ++++++------
 packages/core/package.json | 22 +++++++++++-----------
 references/d3-chat/package.json | 12 ++++++------
 4 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/apps/webapp/package.json b/apps/webapp/package.json
index 198ce88b9f5..554016a24da 100644
--- a/apps/webapp/package.json
+++ b/apps/webapp/package.json
@@ -70,23 +70,23 @@
 "@kapaai/react-sdk": "^0.1.3",
 "@lezer/highlight": "^1.1.6",
 "@opentelemetry/api": "1.9.0",
- "@opentelemetry/api-logs": "0.203.0",
- "@opentelemetry/core": "2.0.1",
- "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
- "@opentelemetry/exporter-metrics-otlp-proto": "0.203.0",
- "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
+ "@opentelemetry/api-logs": "0.209.0",
+ "@opentelemetry/core": "2.3.0",
+ "@opentelemetry/exporter-logs-otlp-http": "0.209.0",
+ "@opentelemetry/exporter-metrics-otlp-proto": "0.209.0",
+ "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
 "@opentelemetry/host-metrics": "^0.37.0",
- "@opentelemetry/instrumentation": "0.203.0",
+ "@opentelemetry/instrumentation": "0.209.0",
 "@opentelemetry/instrumentation-aws-sdk": "^0.57.0",
 "@opentelemetry/instrumentation-express": "^0.52.0",
- "@opentelemetry/instrumentation-http": "0.203.0",
+ "@opentelemetry/instrumentation-http": "0.209.0",
 "@opentelemetry/resource-detector-aws": "^2.3.0",
- "@opentelemetry/resources": "2.0.1",
- "@opentelemetry/sdk-logs": "0.203.0",
- "@opentelemetry/sdk-metrics": "2.0.1",
- "@opentelemetry/sdk-node": "0.203.0",
- "@opentelemetry/sdk-trace-base": "2.0.1",
- "@opentelemetry/sdk-trace-node": "2.0.1",
+ "@opentelemetry/resources": "2.3.0",
+ "@opentelemetry/sdk-logs": "0.209.0",
+ "@opentelemetry/sdk-metrics": "2.3.0",
+ "@opentelemetry/sdk-node": "0.209.0",
+ "@opentelemetry/sdk-trace-base": "2.3.0",
+ "@opentelemetry/sdk-trace-node": "2.3.0",
 "@opentelemetry/semantic-conventions": "1.36.0",
 "@popperjs/core": "^2.11.8",
 "@prisma/instrumentation": "^6.14.0",
diff --git a/packages/cli-v3/package.json b/packages/cli-v3/package.json
index 8b90095849e..61510f8c25e 100644
--- a/packages/cli-v3/package.json
+++ b/packages/cli-v3/package.json
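Review bot: The diffstat lists only the four package.json files, so this patch carries no lockfile change. Until the workspace lockfile is regenerated and committed, installs that honour the existing lockfile will either keep resolving the old OTLP packages and their protobufjs version or fail a frozen-lockfile check, and the advisory stays open. The same gap applies to the hunks in packages/cli-v3, packages/core and references/d3-chat. The manifest change alone also cannot show that no other dependency still pulls a protobufjs 7.x copy. I would add the lockfile to the commit and include the output of a dependency-tree query (for example `pnpm why protobufjs`, if this workspace uses pnpm) in the description as evidence that only the fixed version remains.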
@@ -87,12 +87,12 @@
 "@depot/cli": "0.0.1-cli.2.80.0",
 "@modelcontextprotocol/sdk": "^1.25.2",
 "@opentelemetry/api": "1.9.0",
- "@opentelemetry/api-logs": "0.203.0",
- "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
- "@opentelemetry/instrumentation": "0.203.0",
- "@opentelemetry/instrumentation-fetch": "0.203.0",
- "@opentelemetry/resources": "2.0.1",
- "@opentelemetry/sdk-trace-node": "2.0.1",
+ "@opentelemetry/api-logs": "0.209.0",
+ "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
+ "@opentelemetry/instrumentation": "0.209.0",
+ "@opentelemetry/instrumentation-fetch": "0.209.0",
+ "@opentelemetry/resources": "2.3.0",
+ "@opentelemetry/sdk-trace-node": "2.3.0",
 "@opentelemetry/semantic-conventions": "1.36.0",
 "@s2-dev/streamstore": "^0.22.5",
 "@trigger.dev/build": "workspace:4.5.0-rc.2",
diff --git a/packages/core/package.json b/packages/core/package.json
index d35a21e1ab5..73204338e99 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -193,18 +193,18 @@
 "@google-cloud/precise-date": "^4.0.0",
 "@jsonhero/path": "^1.0.21",
 "@opentelemetry/api": "1.9.0",
- "@opentelemetry/api-logs": "0.203.0",
- "@opentelemetry/core": "2.0.1",
- "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
- "@opentelemetry/exporter-metrics-otlp-http": "0.203.0",
- "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
+ "@opentelemetry/api-logs": "0.209.0",
+ "@opentelemetry/core": "2.3.0",
+ "@opentelemetry/exporter-logs-otlp-http": "0.209.0",
+ "@opentelemetry/exporter-metrics-otlp-http": "0.209.0",
+ "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
 "@opentelemetry/host-metrics": "^0.37.0",
- "@opentelemetry/instrumentation": "0.203.0",
- "@opentelemetry/resources": "2.0.1",
- "@opentelemetry/sdk-logs": "0.203.0",
- "@opentelemetry/sdk-metrics": "2.0.1",
- "@opentelemetry/sdk-trace-base": "2.0.1",
- "@opentelemetry/sdk-trace-node": "2.0.1",
+ "@opentelemetry/instrumentation": "0.209.0",
+ "@opentelemetry/resources": "2.3.0",
+ "@opentelemetry/sdk-logs": "0.209.0",
+ "@opentelemetry/sdk-metrics": "2.3.0",
+ "@opentelemetry/sdk-trace-base": "2.3.0",
+ "@opentelemetry/sdk-trace-node": "2.3.0",
 "@opentelemetry/semantic-conventions": "1.36.0",
 "@s2-dev/streamstore": "0.22.5",
 "dequal": "^2.0.3",
diff --git a/references/d3-chat/package.json b/references/d3-chat/package.json
index c14602d4010..b56adcab99c 100644
--- a/references/d3-chat/package.json
+++ b/references/d3-chat/package.json
@@ -23,13 +23,13 @@
 "@ai-sdk/openai": "2.0.14",
 "@e2b/code-interpreter": "^1.1.0",
 "@opentelemetry/api": "^1.9.0",
- "@opentelemetry/api-logs": "^0.203.0",
- "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
- "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
- "@opentelemetry/instrumentation-http": "0.203.0",
+ "@opentelemetry/api-logs": "^0.209.0",
+ "@opentelemetry/exporter-logs-otlp-http": "0.209.0",
+ "@opentelemetry/exporter-trace-otlp-http": "0.209.0",
+ "@opentelemetry/instrumentation-http": "0.209.0",
 "@opentelemetry/instrumentation-undici": "0.14.0",
- "@opentelemetry/instrumentation": "^0.203.0",
- "@opentelemetry/sdk-logs": "^0.203.0",
+ "@opentelemetry/instrumentation": "^0.209.0",
+ "@opentelemetry/sdk-logs": "^0.209.0",
 "@radix-ui/react-avatar": "^1.1.3",
 "@slack/web-api": "7.9.1",
 "@trigger.dev/python": "workspace:*",