[Repo Assist] eng: fix OpenTelemetry.Api GHSA-g94r-2vxg-569j by pinning >= 1.15.1 and updating GitHubActionsTestLogger to 3.0.3 by github-actions[bot] · Pull Request #1762 · fsprojects/FSharp.Data

github-actions · 2026-04-26T05:07:29Z

🤖 This is an automated pull request from Repo Assist, an AI assistant for this repository.

Fixes the pre-existing moderate vulnerability GHSA-g94r-2vxg-569j in OpenTelemetry.Api that was blocking dotnet restore and dotnet build in development environments (NU1902 — warning treated as error).

Root Cause

The vulnerability chain was:

NUnit3TestAdapter
  → Microsoft.Testing.Extensions.VSTestBridge
    → Microsoft.Testing.Extensions.Telemetry
      → Microsoft.ApplicationInsights (>= 2.23)
        → Azure.Monitor.OpenTelemetry.Exporter (>= 1.6)
          → OpenTelemetry.Extensions.Hosting (>= 1.14)
            → OpenTelemetry.Api 1.15.0  ← GHSA-g94r-2vxg-569j (moderate)

OpenTelemetry.Api 1.15.0 was the vulnerable version. 1.15.1+ is clean.

Changes

paket.dependencies (Test group):
- Pin GitHubActionsTestLogger from unpinned (resolved to 3.0.1) to 3.0.3 — the newer version also has no direct OpenTelemetry dependency
- Add nuget OpenTelemetry.Api >= 1.15.1 lower bound to force paket's resolver to pick a patched version
paket.lock:
- GitHubActionsTestLogger bumped from 3.0.1 → 3.0.3
- OpenTelemetry.Api bumped from 1.15.0 → 1.15.3 (latest patch)

No source code changes.

Test Status

✅ dotnet restore on test projects — succeeds with no NU1902 errors
✅ dotnet test tests/FSharp.Data.Core.Tests/ --filter "StringExtensions|HttpEncodings|ParseLink" — 37 passed, 0 failed
i️ Full FAKE build was not run (pre-existing infrastructure constraint in this environment), but GitHub CI uses the FAKE build system which is unaffected by this change

Generated by 🌈 Repo Assist, see workflow run. Learn more.

To install this agentic workflow, run
gh aw add githubnext/agentics/workflows/repo-assist.md@96b9d4c39aa22359c0b38265927eadb31dcf4e2a

…ating GitHubActionsTestLogger to 3.0.3 - Pin GitHubActionsTestLogger to 3.0.3 (was floating, resolved to 3.0.1) - Add explicit OpenTelemetry.Api >= 1.15.1 lower bound to Test group - paket.lock now resolves OpenTelemetry.Api to 1.15.3 (fixes GHSA-g94r-2vxg-569j) - 37 tests pass; dotnet restore no longer errors with NU1902 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…er-2026-04-26-dedcc9a97ae187f2

github-actions Bot added automation enhancement repo-assist security labels Apr 26, 2026

ci: trigger checks

b798e1e

Merge branch 'main' into repo-assist/eng-update-githubactionstestlogg…

efe33d0

…er-2026-04-26-dedcc9a97ae187f2

dsyme marked this pull request as ready for review May 1, 2026 11:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Repo Assist] eng: fix OpenTelemetry.Api GHSA-g94r-2vxg-569j by pinning >= 1.15.1 and updating GitHubActionsTestLogger to 3.0.3#1762

[Repo Assist] eng: fix OpenTelemetry.Api GHSA-g94r-2vxg-569j by pinning >= 1.15.1 and updating GitHubActionsTestLogger to 3.0.3#1762
github-actions[bot] wants to merge 3 commits intomainfrom
repo-assist/eng-update-githubactionstestlogger-2026-04-26-dedcc9a97ae187f2

github-actions Bot commented Apr 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

github-actions Bot commented Apr 26, 2026

Root Cause

Changes

Test Status

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant