fix(deps): bump vulnerable opentelemetry and esbuild dependencies #8306
youvalv wants to merge 1 commit into
Bump @opentelemetry/api to ^1.9.1 and add overrides to force @netlify/otel's opentelemetry packages and the esbuild used by @netlify/edge-bundler and @netlify/zip-it-and-ship-it to patched versions. Generated with [Linear](https://linear.app/netlify/issue/EX-2432/bump-vulnerable-opentelemetry-and-esbuild-dependencies-in-netlify-cli#agent-session-1522c3c2) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
CodeRabbit: No actionable comments were generated in the recent review.
Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2812b0a146
| "verdaccio": "^6.3.2", | ||
| "vitest": "^3.2.4" | ||
| }, | ||
| "overrides": { |
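Review bot: the `overrides` map opened at the end of this hunk replaces whatever spec the dependents declare, so besides being root-only it will keep forcing `esbuild`/`@opentelemetry/*` into these ranges even after `@netlify/otel`, `@netlify/edge-bundler` and `@netlify/zip-it-and-ship-it` move to newer majors; please attach `npm ls esbuild @opentelemetry/core @opentelemetry/instrumentation` output showing no nested copy below the patched ranges, and note in the description or a tracking issue when the overrides are to be dropped.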
Use publishable pins instead of npm overrides
For published/global installs of this CLI, the transitive patches here are ignored: npm's package-json docs state that overrides are only considered in the root package.json and overrides in installed dependencies are not used, while the repo package-lock.json is not what consumers resolve from npm publish. In that scenario @netlify/otel still pulls its exact vulnerable OpenTelemetry deps and @netlify/edge-bundler/@netlify/zip-it-and-ship-it still pull [email protected], so the security fix only works for contributors installing this repo as the root project; use patched upstream package versions or an npm-shrinkwrap.json/pinned publishable resolution instead.
Addresses reported vulnerabilities in `opentelemetry` and `esbuild` dependencies.

- Bump `@opentelemetry/api` dependency to `^1.9.1`.
- Add `overrides` to force patched versions of the relevant transitive dependencies, since the source packages pin them exactly / with `~`:
  - `@netlify/otel`: `@opentelemetry/core` `^2.8.0`, `@opentelemetry/instrumentation` `^0.219.0`, `@opentelemetry/resources` `^2.8.0`, `@opentelemetry/sdk-trace-node` `^2.8.0`
  - `@netlify/edge-bundler` and `@netlify/zip-it-and-ship-it`: `esbuild` `^0.28.1`

The overrides can be removed once the source packages release with these bumps.

`npm install` resolves cleanly and `npm run typecheck` passes.
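The Codex comment above and the override list in the description both hinge on whether the lockfile actually re-resolved every nested copy. The following script is an added example (not netlify-cli's code) that audits a `package-lock.json` against an `overrides` map and lists each installed copy that still falls outside the required range; the lockfile fragment and its versions are constructed for illustration.

```javascript
// Added example, not part of the PR: audit a package-lock.json (lockfileVersion 2 or 3)
// against the root "overrides" map and report every installed copy of an overridden
// package whose resolved version falls outside the range the override demands.

// Parse "x.y.z" into numbers; a pre-release suffix is ignored for this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Caret semantics as npm applies them: ^1.9.1 => >=1.9.1 <2.0.0, ^0.28.1 => >=0.28.1 <0.29.0,
// ^0.0.3 => exactly 0.0.3. A spec without a caret is treated as an exact pin.
function satisfiesRange(version, spec) {
  const [M, m, p] = parseVersion(spec.replace(/^\^/, ''));
  const [a, b, c] = parseVersion(version);
  if (!spec.startsWith('^')) return a === M && b === m && c === p;
  if (M > 0) return a === M && (b > m || (b === m && c >= p));
  if (m > 0) return a === 0 && b === m && c >= p;
  return a === 0 && b === 0 && c === p;
}

// Lockfile "packages" keys are node_modules paths, nested copies included
// (e.g. node_modules/@netlify/edge-bundler/node_modules/esbuild); the package
// name is everything after the last "node_modules/".
function auditOverrides(lock, overrides) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const spec = overrides[name];
    if (spec && entry.version && !satisfiesRange(entry.version, spec)) {
      findings.push({ path, version: entry.version, required: spec });
    }
  }
  return findings;
}

// Constructed sample (not netlify-cli's real lockfile, versions invented): the hoisted
// esbuild and @opentelemetry/core were re-resolved, but a nested esbuild under
// @netlify/edge-bundler was not, the shape an install that ignores the overrides produces.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-cli', overrides: { esbuild: '^0.28.1', '@opentelemetry/core': '^2.8.0' } },
    'node_modules/esbuild': { version: '0.28.2' },
    'node_modules/@opentelemetry/core': { version: '2.8.0' },
    'node_modules/@netlify/edge-bundler': { version: '1.0.0' },
    'node_modules/@netlify/edge-bundler/node_modules/esbuild': { version: '0.25.4' },
  },
};

console.log(auditOverrides(SAMPLE_LOCK, SAMPLE_LOCK.packages[''].overrides));
```

Against a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json'))` and the `overrides` object from `package.json`; an empty result means the lockfile honours the overrides, which a published install of the package will not reproduce.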