From 40611cd93438c8ea83e50edfe2af7955bda930cc Mon Sep 17 00:00:00 2001
From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com>
Date: Wed, 17 Jun 2026 23:14:05 +0000
Subject: [PATCH 1/2] chore: upgrade @opentelemetry/core to ^2.8.0 to address CVE-2026-54285

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1365/sourcebot-devsourcebot-cve-2026-54285-opentelemetry-core-unbounded#agent-session-ef5a0208)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 1 +
 package.json | 1 +
 yarn.lock | 41 ++++-------------------------------------
 3 files changed, 6 insertions(+), 37 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34e3e5585..3cd4ffb41 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded `dompurify` to `^3.4.11`. [#1332](https://github.com/sourcebot-dev/sourcebot/pull/1332)
 - Upgraded `nodemailer` to `^8.0.9`. [#1331](https://github.com/sourcebot-dev/sourcebot/pull/1331)
 - Upgraded `nodemailer` to `^8.0.11`. [#1328](https://github.com/sourcebot-dev/sourcebot/pull/1328)
+- Upgraded `@opentelemetry/core` to `^2.8.0`. [#PRNUM](https://github.com/sourcebot-dev/sourcebot/pull/PRNUM)
 
 ## [5.0.3] - 2026-06-17
 
diff --git a/package.json b/package.json
index 16a3c7844..ed846875f 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
 "sucrase/glob": "^10.5.0",
 "rimraf@npm:5.0.10/glob": "^10.5.0",
 "@opentelemetry/resources": "2.5.1",
+ "@opentelemetry/core": "^2.8.0",
 "path-to-regexp@0.1.12": "0.1.13",
 "path-to-regexp@^8": "^8.4.0",
 "picomatch@^4": "^4.0.4",
diff --git a/yarn.lock b/yarn.lock
index f0a78d462..b35ce63ff 100644
--- a/yarn.lock
+++ b/yarn.lock
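Review bot: The added `"@opentelemetry/core": "^2.8.0"` line sits in what appears to be the `resolutions` block (the hunk header carries no key name, but its neighbours are selector-style entries such as `"path-to-regexp@0.1.12": "0.1.13"`), so it force-rewrites every transitive `@opentelemetry/core` descriptor — the yarn.lock hunk bears this out, collapsing the separate 2.0.1, 2.2.0, 2.5.0 and 2.5.1 entries into one 2.8.0 entry — while `@opentelemetry/resources` on the line directly above stays pinned to exactly `2.5.1`. OpenTelemetry JS packages generally depend on the exact same-release `@opentelemetry/core`, so this probably leaves `resources@2.5.1` (and whichever SDK packages previously resolved `core@npm:2.5.1` exactly) running against a core build they were not released with; that is a runtime-compatibility risk, not just a lockfile cosmetic. Before merging I would confirm the packages that owned the old exact descriptors still load and export correctly against 2.8.0, or move the sibling pin in the same change, e.g. `"@opentelemetry/resources": "2.8.0",` if that release exists, so the two overrides stay in step.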
@@ -4752,47 +4752,14 @@ __metadata: languageName: node linkType: hard -"@opentelemetry/core@npm:2.0.1": - version: 2.0.1 - resolution: "@opentelemetry/core@npm:2.0.1" - dependencies: - "@opentelemetry/semantic-conventions": "npm:^1.29.0" - peerDependencies: - "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/d587b1289559757d80da98039f9f57612f84f72ec608cd665dc467c7c6c5ce3a987dfcc2c63b521c7c86ce984a2552b3ead15a0dc458de1cf6bde5cdfe4ca9d8 - languageName: node - linkType: hard - -"@opentelemetry/core@npm:2.2.0": - version: 2.2.0 - resolution: "@opentelemetry/core@npm:2.2.0" - dependencies: - "@opentelemetry/semantic-conventions": "npm:^1.29.0" - peerDependencies: - "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/f618b63f2f560d052791d2406b1411722aa4b0585031242e6906f869f0a707ffe725c4b29bf18aed1f202e1ab5dfc3a9f769c517ac8521338b33ac8c4265fba9 - languageName: node - linkType: hard - -"@opentelemetry/core@npm:2.5.0": - version: 2.5.0 - resolution: "@opentelemetry/core@npm:2.5.0" - dependencies: - "@opentelemetry/semantic-conventions": "npm:^1.29.0" - peerDependencies: - "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/5bc67c74513036bb5a22955027382f24cff405601837546e66588ef9c87c161b7e872ed1ac63d910f88288ec1c0f00fc5ea5e750c9d63b2dabd3ab4a30fcf7b8 - languageName: node - linkType: hard - -"@opentelemetry/core@npm:2.5.1, @opentelemetry/core@npm:^2.0.0, @opentelemetry/core@npm:^2.5.1": - version: 2.5.1 - resolution: "@opentelemetry/core@npm:2.5.1" +"@opentelemetry/core@npm:^2.8.0": + version: 2.8.0 + resolution: "@opentelemetry/core@npm:2.8.0" dependencies: "@opentelemetry/semantic-conventions": "npm:^1.29.0" peerDependencies: "@opentelemetry/api": ">=1.0.0 <1.10.0" - checksum: 10c0/cbaf36953364d1295ef2ff4587c3f99eca121c7c2dbd2553699100ccbd91017f20fb1a710ac76fad832d9762dc98ae009ce0e96ab8fb00e5b539dc401d57f217 + checksum: 10c0/35b8a464b359a0699fcbcea8c11a883f0f634ee7638719b89fa0c0cbbaaa38c57db22e9ac19ffb15ce18014751dc7db11a26d7fb6ad6259f89a26bdc4d167e4b 
 languageName: node
 linkType: hard

From d85e818884a033caa379907824da0d8611ae7b24 Mon Sep 17 00:00:00 2001
From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com>
Date: Wed, 17 Jun 2026 23:14:21 +0000
Subject: [PATCH 2/2] chore: update CHANGELOG with PR link

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1365/sourcebot-devsourcebot-cve-2026-54285-opentelemetry-core-unbounded#agent-session-ef5a0208)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3cd4ffb41..03780c345 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,7 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded `dompurify` to `^3.4.11`. [#1332](https://github.com/sourcebot-dev/sourcebot/pull/1332)
 - Upgraded `nodemailer` to `^8.0.9`. [#1331](https://github.com/sourcebot-dev/sourcebot/pull/1331)
 - Upgraded `nodemailer` to `^8.0.11`. [#1328](https://github.com/sourcebot-dev/sourcebot/pull/1328)
-- Upgraded `@opentelemetry/core` to `^2.8.0`. [#PRNUM](https://github.com/sourcebot-dev/sourcebot/pull/PRNUM)
+- Upgraded `@opentelemetry/core` to `^2.8.0`. [#1343](https://github.com/sourcebot-dev/sourcebot/pull/1343)
 
 ## [5.0.3] - 2026-06-17