Skip to content

fix(deps): update vulnerable dependencies#855

Merged
wochinge merged 2 commits into
mainfrom
fix-dependabot-alerts
Jul 3, 2026
Merged

fix(deps): update vulnerable dependencies#855
wochinge merged 2 commits into
mainfrom
fix-dependabot-alerts

Conversation

@wochinge

@wochinge wochinge commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Updated the OpenTelemetry dependency family so @opentelemetry/core resolves to a patched version across the workspace lockfile.
  • Refreshed pnpm-lock.yaml so the vulnerable js-yaml and linkify-it transitive versions are replaced with patched releases.

Linear

  • None

Greptile Summary

This PR updates OpenTelemetry dev dependencies across the workspace from the 0.217.0 family to 0.220.0 and refreshes pnpm-lock.yaml to remediate three transitive vulnerability chains.

  • js-yaml 4.1.04.2.0: fixes CVE-2025-64718 (prototype pollution) and CVE-2026-53550 (DoS via quadratic merge-key processing).
  • linkify-it 5.0.05.0.1: fixes CVE-2026-48801 (DoS via O(N²) link matching).
  • protobufjs@8.0.1 removed: the old @opentelemetry/otlp-transformer@0.217.0 snapshot pulled in the vulnerable protobufjs@8.0.1; upgrading to 0.220.0 drops the protobufjs dependency entirely, so the vulnerability is gone.

Confidence Score: 4/5

Safe to merge. All three stated vulnerability chains are confirmed remediated in the refreshed lockfile, and the only runtime-affecting packages here are devDependencies used for testing and tracing instrumentation.

All three vulnerabilities are correctly fixed — js-yaml bumped to 4.2.0, linkify-it bumped to 5.0.1, and protobufjs@8.0.1 dropped by the otlp-transformer upgrade. The one remaining issue is a stale override entry in package.json that has no runtime effect but is misleading dead code.

The stale @opentelemetry/otlp-transformer@0.205.0>protobufjs entry in package.json resolutions should be removed on this PR since it was originally added to address the same package family being updated here.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[package.json resolutions] --> B["@grpc/proto-loader@0.8.1 → protobufjs@7.6.4 ✅"]
    A --> C["@opentelemetry/otlp-transformer@0.205.0 → protobufjs@7.6.4 ⚠️ STALE"]
    A --> D["ml-spectra-processing: 14.14.0 ✅"]

    E[OTel packages updated] --> F["otlp-transformer@0.217.0 → protobufjs@8.0.1 VULN"]
    E --> G["otlp-transformer@0.220.0 → NO protobufjs dep ✅"]

    H[Transitive vulns fixed] --> I["js-yaml 4.1.0 → 4.2.0\nCVE-2025-64718, CVE-2026-53550 ✅"]
    H --> J["linkify-it 5.0.0 → 5.0.1\nCVE-2026-48801 ✅"]
    H --> K["protobufjs@8.0.1 removed\nvia otlp-transformer upgrade ✅"]

    style C fill:#ffcc00,stroke:#ff9900
    style F fill:#ff4444,stroke:#cc0000,color:#fff
    style G fill:#44bb44,stroke:#228822,color:#fff
    style I fill:#44bb44,stroke:#228822,color:#fff
    style J fill:#44bb44,stroke:#228822,color:#fff
    style K fill:#44bb44,stroke:#228822,color:#fff
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[package.json resolutions] --> B["@grpc/proto-loader@0.8.1 → protobufjs@7.6.4 ✅"]
    A --> C["@opentelemetry/otlp-transformer@0.205.0 → protobufjs@7.6.4 ⚠️ STALE"]
    A --> D["ml-spectra-processing: 14.14.0 ✅"]

    E[OTel packages updated] --> F["otlp-transformer@0.217.0 → protobufjs@8.0.1 VULN"]
    E --> G["otlp-transformer@0.220.0 → NO protobufjs dep ✅"]

    H[Transitive vulns fixed] --> I["js-yaml 4.1.0 → 4.2.0\nCVE-2025-64718, CVE-2026-53550 ✅"]
    H --> J["linkify-it 5.0.0 → 5.0.1\nCVE-2026-48801 ✅"]
    H --> K["protobufjs@8.0.1 removed\nvia otlp-transformer upgrade ✅"]

    style C fill:#ffcc00,stroke:#ff9900
    style F fill:#ff4444,stroke:#cc0000,color:#fff
    style G fill:#44bb44,stroke:#228822,color:#fff
    style I fill:#44bb44,stroke:#228822,color:#fff
    style J fill:#44bb44,stroke:#228822,color:#fff
    style K fill:#44bb44,stroke:#228822,color:#fff
Loading
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
package.json:81-85
The resolution `@opentelemetry/otlp-transformer@0.205.0>protobufjs` is now dead code. `@opentelemetry/otlp-transformer@0.205.0` is no longer present in the dependency tree, and the new `@opentelemetry/otlp-transformer@0.220.0` snapshot drops the `protobufjs` dependency entirely — so the override has no effect and offers no protection. It should be removed to avoid misleading future readers into thinking `protobufjs` is still being pinned via this path.

```suggestion
  "resolutions": {
    "@grpc/proto-loader@0.8.1>protobufjs": "7.6.4",
    "ml-spectra-processing": "14.14.0"
  },
```

Reviews (1): Last reviewed commit: "fix(deps): update vulnerable dependencie..." | Re-trigger Greptile

@vercel

vercel Bot commented Jul 3, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
langfuse-js Ready Ready Preview Jul 3, 2026 8:21am

Request Review

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

@claude review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 93b39091f6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package.json
Comment thread package.json
@wochinge wochinge enabled auto-merge (squash) July 3, 2026 08:21
@wochinge wochinge merged commit 6463b6a into main Jul 3, 2026
13 checks passed
@wochinge wochinge deleted the fix-dependabot-alerts branch July 3, 2026 08:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant