From 32efa7f1a5d524e15703da479f52b33098b9bffd Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Wed, 1 Jul 2026 19:22:06 -0700
Subject: [PATCH 1/2] chore: upgrade @opentelemetry/core to ^2.8.0 to address CVE-2026-54285

@opentelemetry/core is a transitive dependency requested at several exact pins (2.5.0, 2.5.1, 2.2.0, 2.0.1) and ranges (^2.5.1, ^2.0.0) via Sentry, the OpenTelemetry instrumentation packages, and PostHog. The advisory (GHSA-8988-4f7v-96qf) affects all versions < 2.8.0, so a `yarn up -R` refresh alone can't reach the patched 2.8.0 past the exact pins. Add a root `resolutions` override pinning @opentelemetry/core to ^2.8.0, consistent with the existing @opentelemetry/resources override. After the change `yarn why @opentelemetry/core` collapses to a single 2.8.0 instance.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 package.json | 1 +
 yarn.lock | 41 ++++-------------------------------------
 2 files changed, 5 insertions(+), 37 deletions(-)

diff --git a/package.json b/package.json
index 16a3c7844..ed846875f 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
 "sucrase/glob": "^10.5.0",
 "rimraf@npm:5.0.10/glob": "^10.5.0",
 "@opentelemetry/resources": "2.5.1",
+ "@opentelemetry/core": "^2.8.0",
 "path-to-regexp@0.1.12": "0.1.13",
 "path-to-regexp@^8": "^8.4.0",
 "picomatch@^4": "^4.0.4",
diff --git a/yarn.lock b/yarn.lock
index 917986f5b..6c15b19e1 100644
--- a/yarn.lock
+++ b/yarn.lock
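Review bot: The added `"@opentelemetry/core": "^2.8.0"` resolution is unscoped, so unlike the `rimraf@npm:5.0.10/glob` and `path-to-regexp@0.1.12` entries around it it rewrites every descriptor of the package, including the exact 2.0.1, 2.2.0, 2.5.0 and 2.5.1 pins that Sentry, the instrumentation packages and PostHog declared; the `yarn why` check in the description shows the dedup happened, not that those dependents load and run against 2.8.0, so exercising the telemetry startup path would be a worthwhile check before merging. Because package.json cannot carry a comment, record why the override exists and when it can go somewhere else, for example by extending the CHANGELOG entry to `- Upgraded @opentelemetry/core to ^2.8.0 via a root resolutions override to address CVE-2026-54285 (GHSA-8988-4f7v-96qf).`, and plan to drop the override once the dependents' own ranges include a patched version so the project does not keep forcing a transitive version by hand. The neighbouring `@opentelemetry/resources` override is an exact `2.5.1` while this one is a caret range; the description calls them consistent, so either pin or range both deliberately.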
@@ -4691,47 +4691,14 @@ __metadata: languageName: node linkType: hard -"@opentelemetry/core@npm:2.0.1": - version: 2.0.1 - resolution: "@opentelemetry/core@npm:2.0.1" - dependencies: - "@opentelemetry/semantic-conventions": "npm:^1.29.0" - peerDependencies: - "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/d587b1289559757d80da98039f9f57612f84f72ec608cd665dc467c7c6c5ce3a987dfcc2c63b521c7c86ce984a2552b3ead15a0dc458de1cf6bde5cdfe4ca9d8 - languageName: node - linkType: hard - -"@opentelemetry/core@npm:2.2.0": - version: 2.2.0 - resolution: "@opentelemetry/core@npm:2.2.0" - dependencies: - "@opentelemetry/semantic-conventions": "npm:^1.29.0" - peerDependencies: - "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/f618b63f2f560d052791d2406b1411722aa4b0585031242e6906f869f0a707ffe725c4b29bf18aed1f202e1ab5dfc3a9f769c517ac8521338b33ac8c4265fba9 - languageName: node - linkType: hard - -"@opentelemetry/core@npm:2.5.0": - version: 2.5.0 - resolution: "@opentelemetry/core@npm:2.5.0" - dependencies: - "@opentelemetry/semantic-conventions": "npm:^1.29.0" - peerDependencies: - "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/5bc67c74513036bb5a22955027382f24cff405601837546e66588ef9c87c161b7e872ed1ac63d910f88288ec1c0f00fc5ea5e750c9d63b2dabd3ab4a30fcf7b8 - languageName: node - linkType: hard - -"@opentelemetry/core@npm:2.5.1, @opentelemetry/core@npm:^2.0.0, @opentelemetry/core@npm:^2.5.1": - version: 2.5.1 - resolution: "@opentelemetry/core@npm:2.5.1" +"@opentelemetry/core@npm:^2.8.0": + version: 2.8.0 + resolution: "@opentelemetry/core@npm:2.8.0" dependencies: "@opentelemetry/semantic-conventions": "npm:^1.29.0" peerDependencies: "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/cbaf36953364d1295ef2ff4587c3f99eca121c7c2dbd2553699100ccbd91017f20fb1a710ac76fad832d9762dc98ae009ce0e96ab8fb00e5b539dc401d57f217 + checksum: 10c0/35b8a464b359a0699fcbcea8c11a883f0f634ee7638719b89fa0c0cbbaaa38c57db22e9ac19ffb15ce18014751dc7db11a26d7fb6ad6259f89a26bdc4d167e4b 
languageName: node linkType: hard
From cb81431a5d5f5bed30dd11059501360136696158 Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Wed, 1 Jul 2026 19:26:30 -0700
Subject: [PATCH 2/2] docs: add CHANGELOG entry for @opentelemetry/core upgrade

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd4b1a55c..8fa48a16f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [EE] Validated OAuth bearer token scopes before allowing access to the Sourcebot MCP resource server. [#1396](https://github.com/sourcebot-dev/sourcebot/pull/1396)
 - Added HTTP security headers to all web app responses. [#1407](https://github.com/sourcebot-dev/sourcebot/pull/1407)
 - Upgraded `nodemailer` to `^9.0.1`. [#1356](https://github.com/sourcebot-dev/sourcebot/pull/1356)
+- Upgraded `@opentelemetry/core` to `^2.8.0`. [#1413](https://github.com/sourcebot-dev/sourcebot/pull/1413)
 ## [5.0.4] - 2026-06-18