fix(deps): bump @opentelemetry/sdk-node to >=0.217.0 for high severity CVE#458
sergioestebance wants to merge 2 commits into
Review Assessment
Risk: Medium — Run JS tests before merging
Diff Analysis
Usage
This is a production dependency. The codebase imports from OpenTelemetry packages extensively:
Concerns
Recommendation
Run
Verdict
Likely safe, but the implicit
…DK v2
In `@opentelemetry/sdk-trace-base` 2.x, `parentSpanId` was removed from the `ReadableSpan` interface. The canonical accessor is now `parentSpanContext?.spanId`. Updated all three `getParentSpanId()` helpers to use `parentSpanContext` as the primary path while keeping a runtime fallback to the legacy `parentSpanId` property for backward compatibility.
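As an added example (not the PR's own diff and not code from the langwatch SDK or OpenTelemetry), here is a `getParentSpanId()` helper of the kind the commit message describes: it reads the sdk-trace-base 2.x `parentSpanContext?.spanId` first and falls back to the 1.x `parentSpanId` property at runtime. The `ReadableSpanV1`/`ReadableSpanV2` interfaces are minimal structural stand-ins so the file runs without `@opentelemetry/sdk-trace-base` installed; the helper names and the sample spans are assumptions for illustration.

```typescript
// Added example, not project code. Minimal structural stand-ins for the two
// ReadableSpan generations (assumed shapes; only the fields used here).
interface SpanContextLike {
  traceId: string;
  spanId: string;
  traceFlags: number;
}

// sdk-trace-base 1.x: the parent id is a bare string on the span.
interface ReadableSpanV1 {
  name: string;
  parentSpanId?: string;
}

// sdk-trace-base 2.x: parentSpanId is gone; parentSpanContext carries the id.
interface ReadableSpanV2 {
  name: string;
  parentSpanContext?: SpanContextLike;
}

type AnyReadableSpan = ReadableSpanV1 | ReadableSpanV2;

// Primary path is the 2.x accessor; the 1.x property is a runtime fallback so
// the helper works whichever SDK major pnpm resolves into node_modules.
function getParentSpanId(span: AnyReadableSpan): string | undefined {
  const v2 = (span as ReadableSpanV2).parentSpanContext?.spanId;
  if (typeof v2 === "string" && v2.length > 0) {
    return v2;
  }
  const v1 = (span as ReadableSpanV1).parentSpanId;
  return typeof v1 === "string" && v1.length > 0 ? v1 : undefined;
}

// A span with no parent is a trace root; both shapes must agree on that.
function isRootSpan(span: AnyReadableSpan): boolean {
  return getParentSpanId(span) === undefined;
}

// Group spans by parent so tree-building code (a span collector, a digest
// formatter) does not need to know which SDK generation produced them.
function childrenByParent(spans: AnyReadableSpan[]): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const span of spans) {
    const parent = getParentSpanId(span);
    if (parent === undefined) {
      continue;
    }
    const list = out.get(parent) ?? [];
    list.push(span.name);
    out.set(parent, list);
  }
  return out;
}

// Constructed sample spans (not captured from a real trace): one root plus one
// child per SDK generation, both pointing at the same parent span id.
const PARENT_ID = "aaaaaaaaaaaaaaaa";
const rootSpan: AnyReadableSpan = { name: "root" };
const legacyChild: AnyReadableSpan = { name: "legacy-child", parentSpanId: PARENT_ID };
const v2Child: AnyReadableSpan = {
  name: "v2-child",
  parentSpanContext: { traceId: "0".repeat(32), spanId: PARENT_ID, traceFlags: 1 },
};
const sampleSpans: AnyReadableSpan[] = [rootSpan, legacyChild, v2Child];
```

The fallback order matters: checking `parentSpanContext` first means a 2.x span is never misread as a root just because the old property is absent, and the explicit `length > 0` guard treats an empty string the same as a missing parent rather than propagating it as a bogus id.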
Automated low-risk assessment
This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.
This PR requires a manual review before merging.
Security Assessment: Dependabot Alerts #353–#357 — Prometheus Exporter DoS (CVE in
| Factor | Status |
|---|---|
| Prometheus exporter imported in source code | No |
| Prometheus exporter configured programmatically | No |
| `OTEL_METRICS_EXPORTER=prometheus` set anywhere | No |
| Prometheus HTTP server starts at runtime | No |
| Port 9464 referenced anywhere | No |
| Default env behavior triggers Prometheus | No (defaults to otlp) |
| End-user docs suggest Prometheus config | No |
| Production code changes required by upgrade | Yes — 3 files, regression risk |
Recommendation
Dismiss the Dependabot alerts. The vulnerability requires the Prometheus exporter's HTTP server to be running, which never happens in this project. The @opentelemetry/exporter-prometheus package is a transitive dependency of @opentelemetry/sdk-node that is never activated.
If we want to be extra cautious, the correct fix would be to pass metricReader: 'none' or metricReaders: [] to the NodeSDK constructor in the langwatch SDK to prevent getMetricReadersFromEnv() from ever being called — eliminating the theoretical env-var attack vector entirely, without requiring a major version bump.
Upgrading @opentelemetry/sdk-node from 0.212.0 to 0.217.0 is a semver-minor bump that includes breaking changes (OTel experimental packages don't follow semver strictly). It forces production code changes to adapt to the v2 ReadableSpan interface, introduces regression risk, and solves a vulnerability we are not exposed to.
Files examined: node_modules/@opentelemetry/sdk-node@0.212.0/build/src/sdk.js, node_modules/@opentelemetry/exporter-prometheus@0.212.0/build/src/PrometheusExporter.js, node_modules/langwatch@0.16.1/dist/chunk-C2X4KWDK.js, javascript/src/tracing/setup.ts, javascript/src/agents/judge/judge-span-collector.ts, javascript/src/agents/judge/judge-span-digest-formatter.ts, javascript/src/agents/judge/span-utils.ts, all .env* files, all .github/workflows/*.yml, package.json (root + javascript), pnpm-lock.yaml.
Independent Security Assessment — Prometheus Exporter DoS (GHSA-q7rr-3cgh-j5r3)
Verdict: Confirmed — we are NOT exploitable. The alerts can be safely dismissed.
Methodology
I independently traced the full activation path for
Findings
1. Vulnerability confirmed in installed code
2. Activation requires explicit opt-in via
In
3. This project never passes
4. Zero references to Prometheus anywhere in source or config
Searched all
Risk Summary
Theoretical edge case
If an attacker could inject
Recommendation
Dismiss Dependabot alerts #353–#357. The upgrade to
Independent assessment — traced code paths through installed
Related: #400
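As an added example, and not code from the PR, the langwatch SDK or `@opentelemetry/sdk-node`, the following TypeScript models the activation path that both assessments above argue from: an explicit `metricReader`/`metricReaders` in the NodeSDK constructor short-circuits environment resolution, otherwise `OTEL_METRICS_EXPORTER` is parsed (defaulting to `otlp`), and the Prometheus HTTP listener only exists if that resolution yields `prometheus`. It serves both the "pass `metricReaders: []` to stop `getMetricReadersFromEnv()` from being consulted" recommendation and the "theoretical edge case" of an injected env var. The interfaces, function names and env maps are assumptions for illustration; the real `getMetricReadersFromEnv()` is not reproduced, only its precedence as described in the thread.

```typescript
// Added example, not SDK source. Simplified model of NodeSDK metric-reader
// resolution as described in the review thread (assumption: explicit
// constructor config wins; otherwise OTEL_METRICS_EXPORTER is parsed with a
// default of "otlp"; "none" disables env-driven readers).

type Env = Record<string, string | undefined>;

// Mirrors the two NodeSDK constructor fields the reviews mention. The element
// type does not matter for this decision, so it is left opaque.
interface NodeSdkMetricsConfig {
  metricReader?: unknown;
  metricReaders?: unknown[];
}

interface MetricReaderDecision {
  source: "constructor" | "env";
  exporters: string[]; // exporter names the env path would instantiate
  prometheusStartedByEnv: boolean; // true only when the env var injects it
}

// Parse the comma-separated exporter list the env var carries.
function parseExporterList(raw: string | undefined): string[] {
  const names = (raw ?? "otlp")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
  if (names.length === 0) {
    return ["otlp"];
  }
  if (names.includes("none")) {
    return [];
  }
  return Array.from(new Set(names));
}

function resolveMetricReaders(config: NodeSdkMetricsConfig, env: Env): MetricReaderDecision {
  // Explicit configuration: the env var is never read. A caller that passes
  // its own PrometheusExporter instance would of course start the server, but
  // the environment can no longer inject one, which is the hardening point.
  if (config.metricReader !== undefined || config.metricReaders !== undefined) {
    const explicit = [
      ...(config.metricReader !== undefined ? ["constructor-reader"] : []),
      ...(config.metricReaders ?? []).map(() => "constructor-reader"),
    ];
    return { source: "constructor", exporters: explicit, prometheusStartedByEnv: false };
  }
  // Env path: this is the only way the transitive exporter-prometheus package
  // can be activated when the application never references it.
  const exporters = parseExporterList(env.OTEL_METRICS_EXPORTER);
  return { source: "env", exporters, prometheusStartedByEnv: exporters.includes("prometheus") };
}

// The audit question from the table above, asked of a config alone:
// is there any environment in which Prometheus would be started?
function envCanEnablePrometheus(config: NodeSdkMetricsConfig): boolean {
  return resolveMetricReaders(config, { OTEL_METRICS_EXPORTER: "prometheus" }).prometheusStartedByEnv;
}

// Constructed scenarios (assumptions, not captured from the repository):
// the SDK passing neither field, the hardened variant, and two environments.
const currentConfig: NodeSdkMetricsConfig = {};
const hardenedConfig: NodeSdkMetricsConfig = { metricReaders: [] };
const cleanEnv: Env = {};
const injectedEnv: Env = { OTEL_METRICS_EXPORTER: "otlp,prometheus" };
```

Running the three combinations makes the argument concrete: with today's configuration and a clean environment the env path yields only `otlp`; the same configuration under an injected `OTEL_METRICS_EXPORTER=otlp,prometheus` is the one case where the listener would start; and the hardened configuration returns no env-derived readers at all, so that edge case disappears without touching the dependency version.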
Summary
Bumps `@opentelemetry/sdk-node` from `0.212.0` to `0.217.0` to address high severity CVE: (`@opentelemetry/exporter-prometheus` is a transitive dependency of `@opentelemetry/sdk-node`)
Changes
- `package.json` (root): `^0.212.0` -> `^0.217.0`
- `javascript/package.json`: `0.212.0` -> `0.217.0`
- `javascript/examples/custom-observability/package.json`: bumped `@opentelemetry/sdk-trace-base` and `@opentelemetry/sdk-trace-node` from `^1.30.0` to `^2.7.1` to match the new sdk-node transitive dependency versions
- `javascript/pnpm-lock.yaml`: regenerated
Compatibility
- `@opentelemetry/api@1.9.1` remains compatible (sdk-node 0.217.0 requires `>=1.3.0 <1.10.0`)
- `@opentelemetry/exporter-prometheus` resolved to `0.217.0` (patched)
Closes Dependabot alerts #353, #355, #356, and #357.
Linked to #400