chore: bump OpenTelemetry to 1.15.3 for CVE fixes #4077

Merged
iancooper merged 3 commits into master from chore/upgrade-opentelemetry-cve
Apr 25, 2026
Conversation

@DevJonny DevJonny commented Apr 24, 2026

Summary

Bumps OpenTelemetry packages from 1.15.2 → 1.15.3 in Directory.Packages.props to pick up upstream CVE fixes, and removes the unused OpenTelemetry.Exporter.Jaeger 1.5.1 pin.

Addresses CVEs:

Packages bumped to 1.15.3:

  • OpenTelemetry
  • OpenTelemetry.Api.ProviderBuilderExtensions
  • OpenTelemetry.Exporter.Console
  • OpenTelemetry.Exporter.InMemory
  • OpenTelemetry.Exporter.OpenTelemetryProtocol
  • OpenTelemetry.Extensions.Hosting

Packages removed:

  • OpenTelemetry.Exporter.Jaeger 1.5.1 — deprecated upstream, and had zero references in src/, samples/, or tests/ (dangling version pin only).

dotnet list package --vulnerable against the 1.15.3 set comes back clean (one unrelated hit on Oracle.ManagedDataAccess.Core in the Dapper samples via FluentMigrator.Extensions.Oracle, tracked separately).
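
The `dotnet list package --vulnerable` check mentioned above is only worth much as a release gate if it fails the build on real hits while keeping tracked exceptions (like the Oracle.ManagedDataAccess.Core one) visible rather than silently ignored. The following is an added example, not code from the Brighter repository or this PR: it parses the SDK's JSON report and applies an allowlist of packages already tracked elsewhere. The JSON layout it expects is my reading of the SDK's `--format json` output and is an assumption, and SAMPLE_REPORT is constructed, including the placeholder advisory URL, version and severity for the Oracle hit, none of which come from the page.

```python
"""CI gate over `dotnet list package --vulnerable --include-transitive --format json`.

Added example, not tooling from the Brighter repository. The JSON layout used
here (projects -> frameworks -> topLevelPackages / transitivePackages ->
vulnerabilities with "severity" and "advisoryurl") is my reading of the SDK's
--format json output and should be treated as an assumption. SAMPLE_REPORT is
constructed to mirror the PR description (clean core project, one unrelated
transitive hit in the Dapper samples); it is not a captured build report.
"""
import json
import subprocess

SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "sources": ["https://api.nuget.org/v3/index.json"],
    "projects": [
        {
            "path": "src/Paramore.Brighter/Paramore.Brighter.csproj",
            "frameworks": [{
                "framework": "net8.0",
                "topLevelPackages": [],
                "transitivePackages": [],
            }],
        },
        {
            "path": "samples/WebAPI/WebAPI_Dapper/WebAPI_Dapper.csproj",
            "frameworks": [{
                "framework": "net8.0",
                "topLevelPackages": [],
                "transitivePackages": [{
                    "id": "Oracle.ManagedDataAccess.Core",
                    "resolvedVersion": "0.0.0-constructed",  # placeholder, not the real version
                    "vulnerabilities": [{
                        "severity": "High",  # constructed; the page does not state a severity
                        "advisoryurl": "https://github.com/advisories/GHSA-placeholder",
                    }],
                }],
            }],
        },
    ],
})


def load_sample() -> dict:
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def findings(report: dict) -> list[dict]:
    """Flatten the report: one record per (project, framework, package, advisory)."""
    out = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind, transitive in (("topLevelPackages", False), ("transitivePackages", True)):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        out.append({
                            "project": project.get("path"),
                            "framework": fw.get("framework"),
                            "package": pkg.get("id"),
                            "version": pkg.get("resolvedVersion"),
                            "transitive": transitive,
                            "severity": vuln.get("severity"),
                            "advisory": vuln.get("advisoryurl"),
                        })
    return out


def gate(report: dict, tracked: set[str]) -> tuple[bool, list[dict], list[dict]]:
    """Split findings into blocking and waived; the gate passes only if nothing blocks.

    `tracked` holds package ids whose advisories are already handled elsewhere
    (the description's "tracked separately" case). Waivers are still reported
    so they remain visible in CI logs instead of disappearing.
    """
    blocking, waived = [], []
    for f in findings(report):
        (waived if f["package"] in tracked else blocking).append(f)
    return not blocking, blocking, waived


def run_gate(project_or_solution: str, tracked: set[str]) -> int:
    """Invoke the SDK for real and return a process exit code (0 = clean or all waived)."""
    proc = subprocess.run(
        ["dotnet", "list", project_or_solution, "package",
         "--vulnerable", "--include-transitive", "--format", "json"],
        capture_output=True, text=True, check=True)
    ok, blocking, waived = gate(json.loads(proc.stdout), tracked)
    for f in waived:
        print(f"WAIVED   {f['package']} {f['version']} ({f['severity']}) in {f['project']}")
    for f in blocking:
        print(f"BLOCKING {f['package']} {f['version']} ({f['severity']}) {f['advisory']}")
    return 0 if ok else 1


if __name__ == "__main__":
    ok, blocking, waived = gate(load_sample(), {"Oracle.ManagedDataAccess.Core"})
    print("gate passes:", ok, "| waived:", [f["package"] for f in waived])
```

In a pipeline, `run_gate("Brighter.sln", {"Oracle.ManagedDataAccess.Core"})` would be the call; keeping the allowlist in source control alongside an issue reference gives future auditors the same "why was this left behind" trail the reviewers below ask for.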

@github-actions github-actions Bot added the Maintenance Build, CI, refactoring, testing infrastructure, and other chores label Apr 24, 2026
addresses CVE-2026-40894, CVE-2026-40891, CVE-2026-40182

Co-Authored-By: Claude (claude-opus-4-7) <noreply@anthropic.com>
@DevJonny DevJonny force-pushed the chore/upgrade-opentelemetry-cve branch from 2e1544a to 3b42700 Compare April 24, 2026 19:18
claude Bot commented Apr 24, 2026

Code Review

Overview

This PR bumps six OpenTelemetry packages from 1.15.2 → 1.15.3 in Directory.Packages.props to address three CVEs (CVE-2026-40894, CVE-2026-40891, CVE-2026-40182). It's a focused, low-risk security maintenance change.


Code Quality

  • Correct use of central package management — all version pins live in Directory.Packages.props as expected; individual project files don't need touching.
  • Bonus whitespace cleanup — the trailing whitespace on the OpenTelemetry.Instrumentation.Runtime line is removed. Small but appreciated.
  • Patch-level bump only — no API surface changes, so no code or test changes are needed.

Observations

Packages not bumped

Several other OTel packages remain on older versions. These are likely on different release trains and may not be affected by the CVEs, but worth confirming:

| Package | Current version | Notes |
|---|---|---|
| OpenTelemetry.Instrumentation.Process | 1.14.0-beta.2 | Pre-release track |
| OpenTelemetry.Exporter.Prometheus.AspNetCore | 1.14.0-beta.1 | Pre-release track |
| OpenTelemetry.Instrumentation.Http | 1.15.0 | Patch behind |
| OpenTelemetry.Instrumentation.Runtime | 1.15.0 | Patch behind |
| OpenTelemetry.Instrumentation.AspNetCore | 1.15.1 | Patch behind |
| OpenTelemetry.Exporter.Zipkin | 1.14.0 | Minor behind |
| OpenTelemetry.Exporter.Jaeger | 1.5.1 | Very old — Jaeger exporter was deprecated by the OTel team; consider migrating to OTLP |

CVE applicability — The PR description doesn't clarify which CVEs affect which packages. If any of the uninstrumented packages above are also in scope for the CVEs, they should be included in this patch. Worth a quick check against the NVD advisories.

Draft status — The PR is still marked as Draft. Once CI confirms everything builds and tests pass cleanly, marking it Ready for Review would help it get merged promptly given the security nature of the change.


Security

  • Picking up upstream CVE fixes via a patch bump is exactly the right approach.
  • No new code paths introduced, so no new attack surface.

Test Coverage

No test changes needed — this is a dependency version bump with no API changes. CI green is the only bar to clear.


Suggestions

  1. Confirm CVE scope — verify none of the packages left at older versions are also affected.
  2. Consider addressing the Jaeger exporter: 1.5.1 is very outdated and the Jaeger exporter has been deprecated upstream. A separate maintenance PR to migrate to OTLP would reduce long-term risk.
  3. Mark as Ready for Review once CI passes, so maintainers can merge the security fix quickly.

Overall this is a clean, correct security patch. The main ask is confirming the CVE scope covers all affected packages.

🤖 Generated with Claude Code
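
The "packages not bumped" table in the review above is the kind of thing worth checking mechanically rather than by eye: with central package management every OpenTelemetry pin sits in one Directory.Packages.props, so a short script can list which family members are below the patched version or sit on a prerelease track. The following is an added example and not Brighter's own tooling; the PROPS fragment is constructed from the versions the review lists (the post-PR state, plus one made-up unrelated package to show the family filter), and the helper names are mine.

```python
"""Version-alignment check for OpenTelemetry pins in Directory.Packages.props.

Added example, not Brighter's own tooling. PROPS is a constructed fragment
built from the versions listed in the review, not the repository's real file;
"Constructed.Unrelated" is a placeholder entry that exercises the family filter.
"""
import xml.etree.ElementTree as ET

PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="OpenTelemetry" Version="1.15.3" />
    <PackageVersion Include="OpenTelemetry.Api.ProviderBuilderExtensions" Version="1.15.3" />
    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.15.3" />
    <PackageVersion Include="OpenTelemetry.Exporter.InMemory" Version="1.15.3" />
    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.3" />
    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.3" />
    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.15.0" />
    <PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.15.0" />
    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.1" />
    <PackageVersion Include="OpenTelemetry.Exporter.Zipkin" Version="1.14.0" />
    <PackageVersion Include="OpenTelemetry.Exporter.Prometheus.AspNetCore" Version="1.14.0-beta.1" />
    <PackageVersion Include="OpenTelemetry.Instrumentation.Process" Version="1.14.0-beta.2" />
    <PackageVersion Include="Constructed.Unrelated" Version="1.0.0" />
  </ItemGroup>
</Project>
"""


def package_versions(props_xml: str) -> dict[str, str]:
    """Map every <PackageVersion Include=... Version=...> element to its pinned version."""
    root = ET.fromstring(props_xml)
    return {el.get("Include"): el.get("Version")
            for el in root.iter("PackageVersion")
            if el.get("Include") and el.get("Version")}


def version_key(version: str) -> tuple:
    """Sort key for NuGet-style versions: numeric parts, then release above prerelease."""
    core, _, prerelease = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return (numbers, 0 if prerelease else 1, prerelease)


def in_family(package_id: str, prefix: str) -> bool:
    """True for the prefix itself and for any id under it (prefix + '.')."""
    return package_id == prefix or package_id.startswith(prefix + ".")


def behind_target(pins: dict[str, str], prefix: str, target: str) -> dict[str, str]:
    """Family members whose pinned version sorts below `target`, oldest first."""
    key = version_key(target)
    lagging = {pid: v for pid, v in pins.items()
               if in_family(pid, prefix) and version_key(v) < key}
    return dict(sorted(lagging.items(), key=lambda kv: version_key(kv[1])))


def prerelease_pins(pins: dict[str, str], prefix: str) -> dict[str, str]:
    """Family members pinned to a prerelease (a '-label' suffix such as -beta.1)."""
    return {pid: v for pid, v in pins.items() if in_family(pid, prefix) and "-" in v}


if __name__ == "__main__":
    pins = package_versions(PROPS)
    print("Below 1.15.3:")
    for pid, v in behind_target(pins, "OpenTelemetry", "1.15.3").items():
        print(f"  {pid:50} {v}")
    print("Prerelease:", sorted(prerelease_pins(pins, "OpenTelemetry")))
```

Against the real file the call is `package_versions(open("Directory.Packages.props").read())`; the output does not say whether a lagging package is affected by a given CVE (that still needs the advisory's fixed-in version), but it gives the exact list a reviewer has to clear.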

claude Bot commented Apr 24, 2026

Code Review

Overview

This is a focused, security-motivated patch bump of six OpenTelemetry packages from 1.15.2 → 1.15.3 in the centralized Directory.Packages.props file to address three CVEs (CVE-2026-40894, CVE-2026-40891, CVE-2026-40182). The change is minimal and surgical — exactly what a security patch should look like.


What's Good

  • Minimal blast radius. Only the six packages that have a 1.15.3 release are updated; unrelated OTel packages (Jaeger at 1.5.1, Prometheus/Zipkin/Instrumentation packages at their own version tracks) are deliberately left alone.
  • Centralized package management. Using Directory.Packages.props means these version pins flow to every project in the solution automatically — no risk of a stale reference being missed.
  • Bonus whitespace fix. The trailing whitespace on the OpenTelemetry.Instrumentation.Runtime line is cleaned up as a drive-by tidy.
  • Clear, verifiable description. CVE IDs are named explicitly, and the packages list matches the diff exactly.

Observations / Questions

  1. Draft state. The PR is still marked as draft. If CI is green and the change is ready, consider promoting to "Ready for Review" so it can be merged promptly — security fixes generally benefit from a short time-to-merge.

  2. OpenTelemetry.Instrumentation.Runtime stays at 1.15.0. This package is listed in the diff only for the whitespace fix. If the CVEs also affect this instrumentation package, it may need a separate bump once an updated release is available — worth confirming upstream.

  3. No lock-file changes. This project uses Central Package Management without packages.lock.json files, so that's expected. If lock files are ever introduced, this pattern would need to include them.

  4. No changelog/release notes entry. Depending on whether Brighter tracks dependency bumps in a CHANGELOG, a brief entry ("Bump OpenTelemetry to 1.15.3 for CVE fixes") could be useful for downstream consumers who pin to Brighter's releases.


Verdict

The change is correct, safe, and appropriately scoped. The only actionable item before merge is confirming whether the CVEs affect any of the non-bumped OTel instrumentation packages (point 2 above). Everything else is minor.

Ready to approve once the draft flag is cleared and any CI checks pass.

@DevJonny DevJonny marked this pull request as ready for review April 24, 2026 19:30
Copilot AI review requested due to automatic review settings April 24, 2026 19:30
Copilot AI left a comment

Pull request overview

Updates centrally-managed OpenTelemetry package versions to pick up upstream patch-level CVE fixes while keeping the rest of the dependency set unchanged.

Changes:

  • Bump OpenTelemetry and related exporter/hosting packages from 1.15.2 to 1.15.3 in central package management.

The Jaeger exporter was deprecated upstream and had no references
in src/, samples/, or tests/ — only a dangling version pin.

Co-Authored-By: Claude (claude-opus-4-7) <noreply@anthropic.com>
claude Bot commented Apr 24, 2026

Code Review

Overview

This is a security-motivated patch-level upgrade of six OpenTelemetry packages from 1.15.2 → 1.15.3 to address three CVEs (CVE-2026-40894, CVE-2026-40891, CVE-2026-40182). The diff is minimal and confined entirely to Directory.Packages.props.


✅ What's Good

  • Focused, minimal change — only Directory.Packages.props is touched, no production code is modified.
  • Patch-level bump only; the OpenTelemetry project guarantees no API changes within a patch release.
  • All six affected packages are updated together, keeping them version-aligned (important for OTel's internal consistency).
  • Trailing whitespace removed from the OpenTelemetry.Instrumentation.Runtime line — small but welcome cleanup.

⚠️ Issue: Undocumented Removal of OpenTelemetry.Exporter.Jaeger

The diff silently drops this line, which is not mentioned in the PR summary:

-    <PackageVersion Include="OpenTelemetry.Exporter.Jaeger" Version="1.5.1" />

Is this safe? Yes — I confirmed that no .csproj in the repository actually references OpenTelemetry.Exporter.Jaeger, so there is no build impact. The remaining Jaeger references (Docker Compose files, CONTRIBUTING.md, sample READMEs) all point to the Jaeger Docker image acting as an OTLP receiver, not the deprecated .NET Jaeger exporter package.

Recommendation: Update the PR description to explicitly call out this removal. Even though it has no functional impact, an undocumented deletion of a dependency can confuse future git blame investigations and may surprise contributors who see "Jaeger" mentioned in the docs but not in the package list.

Context: OpenTelemetry.Exporter.Jaeger was officially deprecated by the OpenTelemetry .NET project; the guidance is to use the OTLP exporter instead. Removing the unused entry is correct.


💡 Minor Suggestions

  1. CVE verification: It would add confidence to link the upstream advisory (e.g. the GitHub Security Advisory or NVD entries for CVE-2026-40894 / CVE-2026-40891 / CVE-2026-40182) directly in the PR description, so reviewers can confirm the fixed-in version without leaving GitHub.

  2. OpenTelemetry.Instrumentation.Process and OpenTelemetry.Exporter.Prometheus.AspNetCore remain on older beta versions (1.14.0-beta.2 and 1.14.0-beta.1 respectively). These are outside the scope of this PR, but they are worth tracking — beta dependencies can introduce instability and are easy to overlook in a security-focused bump.


Summary

| Concern | Severity | Status |
|---|---|---|
| Undocumented Jaeger removal | Low | Safe to merge; suggest adding to PR description |
| CVE advisory links missing | Informational | Nice-to-have |
| Stale beta OTel packages | Informational | Out of scope for this PR |

The change is correct and safe to merge. The single actionable ask is a one-line PR description update to document the Jaeger package removal.


Review by Claude (claude-sonnet-4-6)

Align OpenTelemetry.Instrumentation.Http and .Runtime with the
prevailing style (single space between attributes, space before />).

Co-Authored-By: Claude (claude-opus-4-7) <noreply@anthropic.com>
@codescene-delta-analysis Bot left a comment

No application code in the PR — skipped Code Health checks.

claude Bot commented Apr 24, 2026

Code Review

Overall: LGTM with one minor question — this is a clean, well-scoped security maintenance PR.


What the PR Does

  • Bumps six OpenTelemetry packages from 1.15.2 → 1.15.3 to address CVE-2026-40894, CVE-2026-40891, and CVE-2026-40182.
  • Removes the dangling OpenTelemetry.Exporter.Jaeger 1.5.1 pin, which was deprecated upstream and has zero actual <PackageReference> usages anywhere in src/, samples/, or tests/.
  • Normalises trailing whitespace on two lines (minor housekeeping).

Code Quality

  • The diff is minimal and focused — exactly the right size for a CVE patch.
  • Verified: searching across the entire repo confirms no .csproj file references OpenTelemetry.Exporter.Jaeger, so the removal is safe. The only remaining "Jaeger" mentions are in samples/WebAPI/WebAPI_Dapper/README.md, which refers to Jaeger as an external service (via the OTel Collector), not the deprecated .NET exporter package.
  • Whitespace normalisation on OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.Runtime is a welcome cleanup (no functional impact).

One Question Worth Confirming

Several OTel packages are not bumped — they stay at their current versions:

| Package | Current version |
|---|---|
| OpenTelemetry.Instrumentation.Http | 1.15.0 |
| OpenTelemetry.Instrumentation.Runtime | 1.15.0 |
| OpenTelemetry.Instrumentation.AspNetCore | 1.15.1 |
| OpenTelemetry.Exporter.Prometheus.AspNetCore | 1.14.0-beta.1 |
| OpenTelemetry.Exporter.Zipkin | 1.14.0 |
| OpenTelemetry.Instrumentation.Process | 1.14.0-beta.2 |

This is likely intentional (those packages weren't patched in 1.15.3 because they aren't affected by the three CVEs), but it's worth confirming — especially for OpenTelemetry.Instrumentation.Http, which handles HTTP request/response data and is a plausible surface area for telemetry-related CVEs. The PR description says dotnet list package --vulnerable comes back clean for the 1.15.3 set, which is reassuring, but calling this out explicitly in the PR description (or confirming in a comment here) would help future readers understand why these were intentionally left behind.


Security

  • The primary motivation is sound: picking up upstream CVE fixes promptly is good practice.
  • Removing the deprecated Jaeger exporter removes a dependency with a long-standing version pin (1.5.1 while the rest moved well past it), which reduces attack surface.
  • No new dependencies introduced.

Summary

✅ Jaeger removal is clean — confirmed zero <PackageReference> usage.
✅ Diff is minimal and correctly scoped to only the affected packages.
✅ Minor whitespace cleanup is harmless.
❓ Please confirm (even just in a comment) that the un-bumped instrumentation packages are known-clean for the three CVEs — this will help future auditors understand why the versions differ.

Copilot AI left a comment

Pull request overview

Updates centrally managed OpenTelemetry package versions to incorporate upstream CVE fixes and removes an unused/deprecated exporter version pin.

Changes:

  • Bump multiple OpenTelemetry* packages from 1.15.2 to 1.15.3.
  • Remove the unused OpenTelemetry.Exporter.Jaeger 1.5.1 central version pin.
  • Normalize formatting for a couple of PackageVersion entries (spacing).

@iancooper iancooper added 3 - Done dependencies Pull requests that update a dependency file V10.X labels Apr 25, 2026
@iancooper (Member) commented

Going to force this one, so that I can get #4061 in and fix errors on tests related to that.

@iancooper iancooper merged commit 05e6985 into master Apr 25, 2026
54 of 56 checks passed
@iancooper iancooper deleted the chore/upgrade-opentelemetry-cve branch April 25, 2026 11:20