bump otel dependencies #8040

Merged: n1ru4l merged 3 commits into main from chore-vulnerabilities-2026-05-12 on May 12, 2026

n1ru4l (Contributor) commented May 12, 2026

Background

Description

Bumps a bunch of packages (hive gateway) to reduce the amount of duped dependencies and address vulnerabilities

Checklist

  • Input validation
  • Output encoding
  • Authentication management
  • Session management
  • Access control
  • Cryptographic practices
  • Error handling and logging
  • Data protection
  • Communication security
  • System configuration
  • Database security
  • File management
  • Memory management
  • Testing

github-actions Bot (Contributor) commented May 12, 2026

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

| Package | Version | Info |
| --- | --- | --- |
| @graphql-hive/cli | 0.59.2-alpha-20260512074934-3c5c60c43eb09d0a0ce81271c70194347a4050bb | npm ↗︎ unpkg ↗︎ |
| hive | 11.1.0-alpha-20260512074934-3c5c60c43eb09d0a0ce81271c70194347a4050bb | npm ↗︎ unpkg ↗︎ |

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request updates dependencies across several packages, including @graphql-hive/logger, @graphql-hive/plugin-opentelemetry, and various OpenTelemetry libraries. Feedback indicates that required changesets are missing for both the service and SDK scopes, which is necessary for proper versioning and release notes according to the repository style guide.

Comment thread packages/services/service-common/package.json
github-actions Bot (Contributor) commented May 12, 2026

🐋 This PR was built and pushed to the following Docker images:

Targets: build

Platforms: linux/arm64

Image Tag: 3c5c60c43eb09d0a0ce81271c70194347a4050bb

Comment thread deployment/package.json
},
"devDependencies": {
"@graphql-hive/gateway": "^2.1.19",
"@graphql-hive/gateway": "2.7.2",

PR author (Contributor):

the old version was causing a bunch of duped packages.

"dependencies": {
"@graphql-hive/core": "workspace:*",
"@graphql-hive/logger": "^1.0.9"
"@graphql-hive/logger": "^1.1.0"

PR author (Contributor):

Bumped so we do not have multiple versions of it in the project at the same time.

"@envelop/core": "5.5.1",
"@envelop/graphql-jit": "8.0.3",
"@envelop/graphql-modules": "9.1.0",
"@envelop/opentelemetry": "6.3.1",

PR author (Contributor):

this one was unused

Comment thread package.json
"glob@10.x.x": "^10.5.0",
"path-to-regexp@0.x.x": "^0.1.13"
"path-to-regexp@0.x.x": "^0.1.13",
"fast-uri@2.x.x": "3.x.x"

PR author (Contributor):

This one we could not address via dependency updates.

devDependencies:
@graphql-hive/gateway 2.7.2
└─┬ @graphql-mesh/plugin-jit 0.2.36
  └─┬ graphql-jit 0.8.7
    └─┬ fast-json-stringify 5.16.1
      └── fast-uri 2.4.0

@hive/server /Users/laurinquast/Projects/graphql-hive-3/packages/services/server (PRIVATE)

devDependencies:
@envelop/graphql-jit 8.0.3
└─┬ graphql-jit 0.8.6
  └─┬ fast-json-stringify 5.16.1
    └── fast-uri 2.4.0

@n1ru4l n1ru4l marked this pull request as ready for review May 12, 2026 08:38
dotansimha (Member) left a comment

lgtm. just worth mentioning in PR title/description that you also upgrade hive-gw?

@n1ru4l n1ru4l merged commit 931c327 into main May 12, 2026
23 of 24 checks passed
@n1ru4l n1ru4l deleted the chore-vulnerabilities-2026-05-12 branch May 12, 2026 08:41