From 3d9ec7821fbbf5de3d291064b4ae31a99f2fa966 Mon Sep 17 00:00:00 2001 From: Copilot <223556219+Copilot@users.noreply.github.com> Date: Sat, 16 May 2026 06:07:58 -0500 Subject: [PATCH] Bump OpenTelemetry JS deps to address GHSA-q7rr-3cgh-j5r3 Bumps @opentelemetry/sdk-node from ^0.213.0 to ^0.218.0 and @opentelemetry/auto-instrumentations-node from ^0.71.0 to ^0.76.0 to patch the Prometheus exporter denial of service via malformed HTTP request (GHSA-q7rr-3cgh-j5r3, first patched at sdk-node 0.217.0 / auto-instrumentations-node 0.75.0). The remaining OpenTelemetry JS packages (exporter-logs/metrics/trace otlp-grpc, sdk-logs, sdk-metrics) are aligned to the same release wave because @opentelemetry/sdk-node pins them to exact matching versions transitively; keeping the manifest spec in sync avoids misleading caret ranges that no longer reflect what actually installs. Affected manifests (no lockfile present, which is why dependabot couldn't auto-bump these): - playground/JavaAppHost/api/package.json - src/Aspire.Cli/Templating/Templates/java-starter/api/package.json - src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json Validated with npm install --package-lock-only against the playground manifest: dependencies resolve cleanly, sdk-node and auto-instrumentations-node install at 0.218.0 and 0.76.0 respectively, and npm audit reports 0 vulnerabilities. Fixes 6 of the 29 open dependabot alerts on microsoft/aspire (alerts #1033, #1034, #1035, #1040, #1041, #1042). The remaining 23 alerts (fast-uri, @babel/plugin-transform-modules-systemjs, next) are covered by dependabot PR #17157. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- playground/JavaAppHost/api/package.json | 14 +++++++------- .../Templates/java-starter/api/package.json | 14 +++++++------- .../Templates/ts-starter/api/package.json | 14 +++++++------- 3 files changed, 21 insertions(+), 21 deletions(-) 
diff --git a/playground/JavaAppHost/api/package.json b/playground/JavaAppHost/api/package.json
index 4c7e48f9f3a..8ac5bfe8115 100644
--- a/playground/JavaAppHost/api/package.json
+++ b/playground/JavaAppHost/api/package.json
@@ -6,13 +6,13 @@
 "start": "tsx src/index.ts"
 },
 "dependencies": {
- "@opentelemetry/auto-instrumentations-node": "^0.71.0",
- "@opentelemetry/exporter-logs-otlp-grpc": "^0.213.0",
- "@opentelemetry/exporter-metrics-otlp-grpc": "^0.213.0",
- "@opentelemetry/exporter-trace-otlp-grpc": "^0.213.0",
- "@opentelemetry/sdk-logs": "^0.213.0",
- "@opentelemetry/sdk-metrics": "^2.6.0",
- "@opentelemetry/sdk-node": "^0.213.0",
+ "@opentelemetry/auto-instrumentations-node": "^0.76.0",
+ "@opentelemetry/exporter-logs-otlp-grpc": "^0.218.0",
+ "@opentelemetry/exporter-metrics-otlp-grpc": "^0.218.0",
+ "@opentelemetry/exporter-trace-otlp-grpc": "^0.218.0",
+ "@opentelemetry/sdk-logs": "^0.218.0",
+ "@opentelemetry/sdk-metrics": "^2.7.1",
+ "@opentelemetry/sdk-node": "^0.218.0",
 "express": "^5.1.0"
 },
 "devDependencies": {
diff --git a/src/Aspire.Cli/Templating/Templates/java-starter/api/package.json b/src/Aspire.Cli/Templating/Templates/java-starter/api/package.json
index 296e3af621c..ed306920321 100644
--- a/src/Aspire.Cli/Templating/Templates/java-starter/api/package.json
+++ b/src/Aspire.Cli/Templating/Templates/java-starter/api/package.json
@@ -6,13 +6,13 @@
 "start": "tsx src/index.ts"
 },
 "dependencies": {
- "@opentelemetry/auto-instrumentations-node": "^0.71.0",
- "@opentelemetry/exporter-logs-otlp-grpc": "^0.213.0",
- "@opentelemetry/exporter-metrics-otlp-grpc": "^0.213.0",
- "@opentelemetry/exporter-trace-otlp-grpc": "^0.213.0",
- "@opentelemetry/sdk-logs": "^0.213.0",
- "@opentelemetry/sdk-metrics": "^2.6.0",
- "@opentelemetry/sdk-node": "^0.213.0",
+ "@opentelemetry/auto-instrumentations-node": "^0.76.0",
+ "@opentelemetry/exporter-logs-otlp-grpc": "^0.218.0",
+ "@opentelemetry/exporter-metrics-otlp-grpc": "^0.218.0",
+ "@opentelemetry/exporter-trace-otlp-grpc": "^0.218.0",
+ "@opentelemetry/sdk-logs": "^0.218.0",
+ "@opentelemetry/sdk-metrics": "^2.7.1",
+ "@opentelemetry/sdk-node": "^0.218.0",
 "express": "^5.1.0"
 },
 "devDependencies": {
diff --git a/src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json b/src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json
index 296e3af621c..ed306920321 100644
--- a/src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json
+++ b/src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json
@@ -6,13 +6,13 @@
 "start": "tsx src/index.ts"
 },
 "dependencies": {
- "@opentelemetry/auto-instrumentations-node": "^0.71.0",
- "@opentelemetry/exporter-logs-otlp-grpc": "^0.213.0",
- "@opentelemetry/exporter-metrics-otlp-grpc": "^0.213.0",
- "@opentelemetry/exporter-trace-otlp-grpc": "^0.213.0",
- "@opentelemetry/sdk-logs": "^0.213.0",
- "@opentelemetry/sdk-metrics": "^2.6.0",
- "@opentelemetry/sdk-node": "^0.213.0",
+ "@opentelemetry/auto-instrumentations-node": "^0.76.0",
+ "@opentelemetry/exporter-logs-otlp-grpc": "^0.218.0",
+ "@opentelemetry/exporter-metrics-otlp-grpc": "^0.218.0",
+ "@opentelemetry/exporter-trace-otlp-grpc": "^0.218.0",
+ "@opentelemetry/sdk-logs": "^0.218.0",
+ "@opentelemetry/sdk-metrics": "^2.7.1",
+ "@opentelemetry/sdk-node": "^0.218.0",
 "express": "^5.1.0"
 },
 "devDependencies": {