fix: sec sweep v3 tier 2 (opentelemetry bumps + rm vscode lock) #52

Merged: forbiddenlink merged 1 commit into main from fix/sec-sweep-v3 on May 25, 2026

Conversation

Owner

@forbiddenlink forbiddenlink commented May 25, 2026

Clears 6 high+ alerts. Tier 2.

Summary by CodeRabbit

  • Chores
    • Upgraded OpenTelemetry instrumentation and locked the Prometheus exporter to a newer compatible release. This improves telemetry reliability and metrics stability for monitoring and observability with no user-facing feature changes.

Copilot AI review requested due to automatic review settings May 25, 2026 20:04

coderabbitai Bot commented May 25, 2026

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Bumped @opentelemetry/auto-instrumentations-node from ^0.72.0 to ^0.75.0 and added a pnpm.overrides entry to force @opentelemetry/exporter-prometheus to resolve to versions >=0.217.0.

Changes

OpenTelemetry dependency updates (package.json): updated @opentelemetry/auto-instrumentations-node from ^0.72.0 to ^0.75.0 and added a pnpm.overrides constraint to require @opentelemetry/exporter-prometheus >=0.217.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I’m a rabbit in the package tree,
I hop from 0.72 to 0.75 with glee,
I nudge Prometheus to newer ground,
So traces and metrics stay sound,
A tiny bump — a tidy spree. 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The description is minimal and lacks required template sections (Summary, Changes list, Type of Change, Testing, Checklist), though it mentions the security alert count. Resolution: expand the description to follow the template: add a detailed summary of changes, list affected dependencies, mark the type of change, and confirm testing steps completed.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the main changes: security fixes related to OpenTelemetry dependency bumps and VSCode lock file removal.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment


Pull request overview

This PR is a security-maintenance sweep intended to clear high-severity dependency alerts by updating OpenTelemetry-related dependencies in the main Node.js package, and removing the VS Code extension’s npm lockfile from the repo.

Changes:

  • Bump @opentelemetry/auto-instrumentations-node and @opentelemetry/sdk-node to newer versions.
  • Add a pnpm override to force @opentelemetry/exporter-prometheus to a patched version or newer.
  • Remove vscode-extension/package-lock.json.

Reviewed changes

Copilot reviewed 1 out of 3 changed files in this pull request and generated 2 comments.

  • vscode-extension/package-lock.json: removes the VS Code extension npm lockfile from version control.
  • pnpm-lock.yaml: updates resolved OpenTelemetry package versions and records the new override.
  • package.json: updates OpenTelemetry dependency versions and adds a pnpm override for @opentelemetry/exporter-prometheus.

Files not reviewed (2)
  • pnpm-lock.yaml: Language not supported
  • vscode-extension/package-lock.json: Language not supported

Comment thread package.json
Comment on lines 63 to +67
"@opentelemetry/api": "^1.9.1",
"@opentelemetry/auto-instrumentations-node": "^0.72.0",
"@opentelemetry/auto-instrumentations-node": "^0.75.0",
"@opentelemetry/exporter-trace-otlp-http": "^0.214.0",
"@opentelemetry/resources": "^2.6.1",
"@opentelemetry/sdk-node": "^0.214.0",
"@opentelemetry/sdk-node": "^0.217.0",
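Review bot: version skew inside this hunk: `@opentelemetry/sdk-node` moves from ^0.214.0 to ^0.217.0 while `@opentelemetry/exporter-trace-otlp-http` on the line between stays at ^0.214.0. The 0.x OpenTelemetry JS packages are published as a matching set, so a caret range on one and an older caret range on the other can resolve to two different generations of the shared SDK packages after install. Either bump `"@opentelemetry/exporter-trace-otlp-http": "^0.217.0"` in the same commit or drop the explicit pin and let the SDK's own dependency pick the version, then confirm the lockfile shows a single resolved version for the shared packages.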
Comment thread package.json
"rollup": ">=4.59.0",
"vite": ">=6.4.2",
"ws": ">=8.18.2",
"@opentelemetry/exporter-prometheus": ">=0.217.0",
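Review bot: `@opentelemetry/exporter-prometheus` is not among the direct dependencies shown in this PR, so this `>=0.217.0` entry overrides a transitive resolution; pnpm applies an override regardless of the range the dependant declared, so please confirm in pnpm-lock.yaml that the package which pulls it in (the bumped `@opentelemetry/auto-instrumentations-node` is the likely candidate) actually supports 0.217.x, otherwise the override silently forces a version the dependant was never tested against. The open-ended `>=` matches the existing `rollup`, `vite` and `ws` overrides, but a one-line comment or the alert reference in the PR description would record which advisory this floor clears, since the description currently only says "Clears 6 high+ alerts".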

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 67: The package.json currently bumps `@opentelemetry/sdk-node` to ^0.217.0
but leaves `@opentelemetry/exporter-trace-otlp-http` at ^0.214.0; update
package.json to align the exporter with the SDK (e.g., bump
`@opentelemetry/exporter-trace-otlp-http` to ^0.217.0 or remove the explicit pin
to rely on the SDK's transitive dependency) so OTLPTraceExporter used in
src/lib/telemetry.ts matches the SDK version; run install and verify
src/lib/telemetry.ts imports still resolve and tests/build pass.
📥 Commits

Reviewing files that changed from the base of the PR and between 6d5ab31 and 5783aa7.

⛔ Files ignored due to path filters (2)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • vscode-extension/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Commit message:
…ter override

Direct deps:
- @opentelemetry/auto-instrumentations-node ^0.72.0 -> ^0.75.0
- @opentelemetry/sdk-node ^0.214.0 -> ^0.217.0

New override:
- @opentelemetry/exporter-prometheus >=0.217.0

Removes stale vscode-extension/package-lock.json.

Clears 6 high+ alerts.

👻 Specter Analysis

Metric Value
Health Score 0/100 🔴
PR Risk Low 🟢
Files Changed -
Est. Review Time ~5 min


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                           Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  @types/vscode 1.109.0 ⏵ 1.120.0                   100 (+1)               100            80 (+1)  93           100
Added    @opentelemetry/auto-instrumentations-node 0.75.0  97                     100            100      98           100

@forbiddenlink forbiddenlink merged commit dcb226e into main May 25, 2026
9 of 10 checks passed
@forbiddenlink forbiddenlink deleted the fix/sec-sweep-v3 branch May 25, 2026 20:21