chore: upgrade @opentelemetry/core to ^2.8.0 to address CVE-2026-54285#1413

Merged
brendan-kellam merged 3 commits into main from cursor/cve/opentelemetry-core on Jul 2, 2026
Conversation

@brendan-kellam brendan-kellam commented Jul 2, 2026

Contributor

Fixes SOU-1365
Fixes SOU-1358
Fixes SOU-1359

Addresses CVE-2026-54285 (GHSA-8988-4f7v-96qf) — unbounded memory allocation in @opentelemetry/core's W3C Baggage extract() path. The advisory affects all versions < 2.8.0.

Why a resolutions override

@opentelemetry/core is a transitive dependency requested at several exact pins (2.5.0, 2.5.1, 2.2.0, 2.0.1) and ranges (^2.5.1, ^2.0.0) via Sentry, the OpenTelemetry instrumentation packages, and PostHog. A yarn up -R @opentelemetry/core refresh moves the caret ranges to 2.8.0 but cannot get past the exact pins (e.g. @opentelemetry/instrumentation-http@0.211.0 pins @opentelemetry/core@2.5.0).

Since every requested version is in the affected range, this adds a root resolutions override pinning @opentelemetry/core to ^2.8.0, consistent with the existing @opentelemetry/resources override. After the change, yarn why @opentelemetry/core collapses to a single 2.8.0 instance, so Dependabot alert #235 will clear.

Note on duplicate issues

SOU-1358, SOU-1359, and SOU-1365 are all the same CVE against the same package (all tied to Dependabot alert #235). Prior PRs #1340/#1341/#1343 used this identical fix but were closed as mutual duplicates, so nothing ever merged and main still shipped the vulnerable versions. This single PR resolves all three.

Verification

  • yarn install clean; yarn why @opentelemetry/core → single 2.8.0 instance, no < 2.8.0 requesters remain.
  • No direct @opentelemetry/core imports in app source (purely transitive).
  • @sourcebot/backend (the flagged Sentry → instrumentation-http → core path) builds clean with tsc.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated a bundled telemetry-related dependency to a newer version.
    • Added a changelog entry documenting the update.

@opentelemetry/core is a transitive dependency requested at several exact
pins (2.5.0, 2.5.1, 2.2.0, 2.0.1) and ranges (^2.5.1, ^2.0.0) via Sentry,
the OpenTelemetry instrumentation packages, and PostHog. The advisory
(GHSA-8988-4f7v-96qf) affects all versions < 2.8.0, so a `yarn up -R`
refresh alone can't reach the patched 2.8.0 past the exact pins.

Add a root `resolutions` override pinning @opentelemetry/core to ^2.8.0,
consistent with the existing @opentelemetry/resources override. After the
change `yarn why @opentelemetry/core` collapses to a single 2.8.0 instance.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
coderabbitai Bot commented Jul 2, 2026

Contributor

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 94f1285b-60ae-4429-8178-2682f79d9171

📥 Commits

Reviewing files that changed from the base of the PR and between efcabdf and dded950.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json

Walkthrough

Adds a resolutions entry in package.json pinning @opentelemetry/core to ^2.8.0, with a corresponding CHANGELOG.md entry under the Fixed subsection of [Unreleased] documenting the upgrade.

Changes

Dependency resolution update

Layer: Pin @opentelemetry/core resolution
File(s): package.json, CHANGELOG.md
Summary: Adds a resolutions entry pinning @opentelemetry/core to ^2.8.0 and documents this in the changelog's Fixed section.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

  • sourcebot-dev/sourcebot#1186: Similar pattern of pinning a dependency in package.json resolutions along with a matching CHANGELOG.md entry.
coderabbitai Bot commented Jul 2, 2026

Contributor

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

github-actions Bot commented Jul 2, 2026

Contributor

License Audit

⚠️ Status: PASS

Metric                    Count
Total packages            2221
Resolved (non-standard)   12
Unresolved                0
Strong copyleft           0
Weak copyleft             39

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.11 (MPL-2.0 OR Apache-2.0)
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (12)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo (LICENSE file in published package tarball)
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo (LICENSE file in published package tarball)
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo (LICENSE file in published package tarball)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 npm registry (package.json license field)
element-source 0.0.3 UNKNOWN MIT GitHub repo (LICENSE file in published package tarball)
khroma 2.1.0 UNKNOWN MIT GitHub repo (license file at fabiospampinato/khroma)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 npm registry (package.json license field)
map-stream 0.1.0 UNKNOWN MIT npm registry (package.json license field)
memorystream 0.3.1 UNKNOWN MIT npm registry (licenses array object, extracted type)
pause-stream 0.0.11 ["MIT","Apache2"] MIT extracted from object (license field ["MIT","Apache2"], primary type MIT)
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo (LICENSE file at PostHog/posthog-js)
valid-url 1.0.9 UNKNOWN MIT GitHub repo (LICENSE file at ogt/valid-url)

@brendan-kellam brendan-kellam merged commit fd6720f into main Jul 2, 2026
7 checks passed
@brendan-kellam brendan-kellam deleted the cursor/cve/opentelemetry-core branch July 2, 2026 02:32