Bump OpenTelemetry JS deps to address GHSA-q7rr-3cgh-j5r3#17171
Open
IEvangelist wants to merge 1 commit into
Conversation
Bumps `@opentelemetry/sdk-node` from `^0.213.0` to `^0.218.0` and `@opentelemetry/auto-instrumentations-node` from `^0.71.0` to `^0.76.0` to patch the Prometheus exporter denial of service via malformed HTTP request (GHSA-q7rr-3cgh-j5r3, first patched at sdk-node 0.217.0 / auto-instrumentations-node 0.75.0). The remaining OpenTelemetry JS packages (exporter-logs/metrics/trace otlp-grpc, sdk-logs, sdk-metrics) are aligned to the same release wave because `@opentelemetry/sdk-node` pins them to exact matching versions transitively; keeping the manifest spec in sync avoids misleading caret ranges that no longer reflect what actually installs.

Affected manifests (no lockfile present, which is why dependabot couldn't auto-bump these):

- playground/JavaAppHost/api/package.json
- src/Aspire.Cli/Templating/Templates/java-starter/api/package.json
- src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json

Validated with `npm install --package-lock-only` against the playground manifest: dependencies resolve cleanly, sdk-node and auto-instrumentations-node install at 0.218.0 and 0.76.0 respectively, and `npm audit` reports 0 vulnerabilities.

Fixes 6 of the 29 open dependabot alerts on microsoft/aspire (alerts #1033, #1034, #1035, #1040, #1041, #1042). The remaining 23 alerts (fast-uri, @babel/plugin-transform-modules-systemjs, next) are covered by dependabot PR #17157.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor

🚀 Dogfood this PR with:

```bash
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17171
```

Or

```powershell
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17171"
```
Contributor
Pull request overview
This PR updates OpenTelemetry JavaScript dependencies in starter-template and playground API manifests to remediate GHSA-q7rr-3cgh-j5r3 and keep related OTel package versions aligned.
Changes:
- Bumps `@opentelemetry/sdk-node` and `@opentelemetry/auto-instrumentations-node` to patched release ranges.
- Aligns related OpenTelemetry exporter, logs, and metrics packages across the affected manifests.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json | Updates OTel dependencies used by the TypeScript starter API template. |
| src/Aspire.Cli/Templating/Templates/java-starter/api/package.json | Updates OTel dependencies used by the Java starter API template. |
| playground/JavaAppHost/api/package.json | Updates matching OTel dependencies for the Java AppHost playground API. |
Contributor

❌ CLI E2E Tests failed — 84 passed, 1 failed, 1 unknown (commit Failed Tests

📹 Recordings uploaded automatically from CI run #25960474905
davidfowl approved these changes May 16, 2026

Contributor davidfowl left a comment

I'm assuming you verified that no code changes are needed
Summary

Patches 6 of the 29 open Dependabot alerts on this repo by bumping OpenTelemetry JS dependencies in three JavaScript manifests. The remaining 23 alerts are covered by #17157 (Dependabot) and are intentionally out of scope here.

| Package | Affected | Patched |
|---|---|---|
| `@opentelemetry/sdk-node` | < 0.217.0 | 0.217.0 |
| `@opentelemetry/auto-instrumentations-node` | < 0.75.0 | 0.75.0 |

Alert numbers fixed: #1033, #1034, #1035, #1040, #1041, #1042.

Why the bigger bump (`^0.213.0` → `^0.218.0`, etc.)

The minimum patched versions are `sdk-node@0.217.0` / `auto-instrumentations-node@0.75.0`, but the OpenTelemetry JS SDK packages release in lockstep and `@opentelemetry/sdk-node` pins its transitive deps to exact matching versions (e.g. `"@opentelemetry/exporter-trace-otlp-grpc": "0.218.0"`). Leaving the other manifest entries at `^0.213.0` while bumping `sdk-node` to `^0.218.0` would still resolve correctly via the caret range, but the manifest would be misleading. Aligning the whole set to the current release wave (`0.218.0` for unstable packages, `2.7.1` for stable `sdk-metrics`) keeps the manifest honest about what actually installs.

Files

- playground/JavaAppHost/api/package.json
- src/Aspire.Cli/Templating/Templates/java-starter/api/package.json
- src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json

These three files have no committed lockfile, which is why Dependabot didn't auto-bump them along with the lockfile-based manifests in #17157.

Why Dependabot couldn't do this

Dependabot's npm/yarn updater needs a lockfile to compute a deterministic update. For manifests without one, it skips the bump even when the package.json range is vulnerable — that's why all 6 OTel alerts show up against `package.json` (not `package-lock.json`) and why none of them appear in #17157.

Validation

Validated locally with `npm install --package-lock-only` against a scratch copy of `playground/JavaAppHost/api/package.json`:

- `npm audit` against the resolved tree reports 0 vulnerabilities.

Risk notes for reviewers

- 0.x) can include breaking changes between minors. This jumps from `0.213` → `0.218` (5 minor releases). The user-facing surface in the affected files is just `new NodeSDK({...}).start()` in the templates / playground, which has been stable across recent minors, but reviewers may want to pin tighter (e.g. exact `0.217.0` / `0.75.0`) if a more conservative change is preferred.
- `npm install` step in CI). The blast radius is: (a) `aspire init` users templating `java-starter` or `ts-starter` and then running `npm install`, and (b) anyone running the `JavaAppHost` playground locally.

Related

- fast-uri, `@babel/plugin-transform-modules-systemjs`, `next`) across the lockfile-based manifests in `extension/`, `playground/AspireWithJavaScript/{Angular,React}/`, and `tests/.../JsPublish/nextjs/`.
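The manifest-level check that Dependabot skips for lockfile-less manifests, written out as an added example (this is not code from the PR, the aspire repo, or the OpenTelemetry project): a Node script that reads a package.json, takes the lowest version each declared range admits, and flags any entry whose lower bound sits below an advisory's first patched release. The advisory thresholds (sdk-node 0.217.0, auto-instrumentations-node 0.75.0) are taken from the PR text; the two manifests it scans are constructed to mirror the PR's before/after ranges and are not the repository's real files. It generalizes past the two packages here, since any advisory table can be passed in. A caret helper also spells out why `^0.213.0` only admits 0.213.x, which is what makes the "what actually installs" question depend on the range's lower bound for 0.x lines. Working offline, the script cannot know which version npm would actually pick inside a range, so it answers only the manifest-level question; the `semver` npm package is the right parser for a production tool, and the hand-rolled one below is kept deliberately strict.

```javascript
// Added example; not code from the aspire repo or OpenTelemetry. Answers the
// question Dependabot skips when a manifest has no lockfile: can the declared
// range still admit a version below the advisory's first patched release?

// Advisory thresholds as stated in the PR text.
const ADVISORIES = {
  "GHSA-q7rr-3cgh-j5r3": {
    "@opentelemetry/sdk-node": "0.217.0",
    "@opentelemetry/auto-instrumentations-node": "0.75.0",
  },
};

// Constructed manifests mirroring the PR's before/after ranges; they are not
// the repository's real package.json files.
const MANIFEST_BEFORE = {
  dependencies: {
    "@opentelemetry/sdk-node": "^0.213.0",
    "@opentelemetry/auto-instrumentations-node": "^0.71.0",
    "@opentelemetry/sdk-metrics": "^2.7.1",
  },
};
const MANIFEST_AFTER = {
  dependencies: {
    "@opentelemetry/sdk-node": "^0.218.0",
    "@opentelemetry/auto-instrumentations-node": "^0.76.0",
    "@opentelemetry/sdk-metrics": "^2.7.1",
  },
};

// "1.2.3" -> [1, 2, 3]; prerelease/build suffixes are ignored on purpose.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a range admits. Supports the shapes found in these manifests
// (^x.y.z, ~x.y.z, x.y.z, =x.y.z, >=x.y.z with an optional upper bound after a
// space); anything else (e.g. "*", "latest", ">x.y.z") is rejected, not guessed.
function rangeLowerBound(range) {
  const m = /^(?:\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+)(?:\s.*)?$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return parseVersion(m[1]);
}

// Inclusive lower and exclusive upper bound of a caret range. On a 0.x line the
// caret only allows patch bumps within the same minor, so ^0.213.0 admits
// >=0.213.0 <0.214.0 and never reaches 0.218.0.
function caretBounds(range) {
  if (!String(range).trim().startsWith("^")) throw new Error(`not a caret range: ${range}`);
  const low = rangeLowerBound(range);
  const [major, minor, patch] = low;
  let high;
  if (major > 0) high = [major + 1, 0, 0];
  else if (minor > 0) high = [0, minor + 1, 0];
  else high = [0, 0, patch + 1];
  return { low: low.join("."), high: high.join(".") };
}

// One finding per dependency whose range still admits a vulnerable version,
// i.e. whose lower bound is below the first patched release.
function auditManifest(manifest, advisories) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const [ghsa, patchedByPkg] of Object.entries(advisories)) {
    for (const [pkg, firstPatched] of Object.entries(patchedByPkg)) {
      if (!(pkg in deps)) continue;
      const lowest = rangeLowerBound(deps[pkg]);
      if (compareVersions(lowest, parseVersion(firstPatched)) < 0) {
        findings.push({ ghsa, pkg, range: deps[pkg], lowest: lowest.join("."), firstPatched });
      }
    }
  }
  return findings;
}

function report(label, manifest) {
  const findings = auditManifest(manifest, ADVISORIES);
  console.log(`${label}: ${findings.length} range(s) still admit a vulnerable version`);
  for (const f of findings) {
    const { low, high } = caretBounds(f.range);
    console.log(`  ${f.ghsa} ${f.pkg} ${f.range} admits >=${low} <${high}; first patched ${f.firstPatched}`);
  }
  return findings;
}

report("before", MANIFEST_BEFORE);
report("after", MANIFEST_AFTER);
```

Run it with `node` after replacing the constructed manifests with `JSON.parse(fs.readFileSync("package.json"))` for the file under review; a clean result here only says the range cannot admit a vulnerable version, so the `npm install --package-lock-only` followed by `npm audit` step from the PR is still what confirms which versions actually resolve.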