fix(nodejs): raise @opentelemetry/core peer floor to >=2.8.0 (GHSA-8988-4f7v-96qf)#15
Merged
…88-4f7v-96qf)

The `>=1.0.0` peer range let downstream consumers resolve a vulnerable @opentelemetry/core (<2.8.0 — unbounded memory allocation in W3C Baggage propagation, GHSA-8988-4f7v-96qf), surfacing as a moderate `npm audit` finding in projects that depend on these packages. The advisory has no 1.x backport — 2.8.0 is the only fixed line — so the peer floor is raised to `>=2.8.0`. All three packages import W3CTraceContextPropagator from @opentelemetry/core, which is unchanged and compatible in 2.8.0; builds and the drizzle pglite integration test pass against the patched version.

Bumps:
- @query-doctor/sqlcommenter-drizzle 0.2.0 -> 0.3.0
- @query-doctor/sqlcommenter-mikroorm 0.1.0 -> 0.2.0
- @query-doctor/sqlcommenter-typeorm 0.1.0 -> 0.2.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

A downstream user of `@query-doctor/sqlcommenter-drizzle` reported a moderate `npm audit` finding: `@opentelemetry/core <2.8.0` — GHSA-8988-4f7v-96qf (unbounded memory allocation in W3C Baggage propagation).

The QD sqlcommenter packages declare `@opentelemetry/core` as a peer with a very loose floor (`>=1.0.0`). That range happily resolves to a vulnerable `<2.8.0` core in a consumer's tree (e.g. a lockfile generated before 2.8.0 existed never gets nudged upward), so the advisory surfaces downstream.

Fix

Raise the peer floor to `>=2.8.0`. The advisory has no 1.x backport — 2.8.0 is the only fixed line — so a tighter range that still allows 1.x isn't possible. All three affected QD packages import only `W3CTraceContextPropagator` from `@opentelemetry/core`, which is unchanged and compatible in 2.8.0.

Applies to the three QD-owned packages sharing the identical loose peer + usage (the `@google-cloud/*` knex/sequelize packages are upstream and out of scope):

- `@query-doctor/sqlcommenter-drizzle`: `>=1.0.0` → `>=2.8.0`
- `@query-doctor/sqlcommenter-mikroorm`: `>=1.0.0` → `>=2.8.0`
- `@query-doctor/sqlcommenter-typeorm`: `>=1.0.0` → `>=2.8.0`

Version bumps are minor because dropping otel/core 1.x support is a breaking change for consumers still on 1.x.

Validation

- `tsc` builds (esm + cjs) pass with `@opentelemetry/core` resolving to 2.8.0.
- `sqlcommenter-drizzle` test suite passes (15/15), including the pglite driver-integration test that exercises the propagator and verifies the injected SQL comment.

🤖 Generated with Claude Code
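As a consumer-side check added here (not code from the PR or the query-doctor project), the Node script below decides whether a manifest's peer range for `@opentelemetry/core` still admits the releases this advisory covers, and whether a lockfile-resolved version is itself below the fixed line. The sample manifests are constructed to mirror the before/after ranges above; only the simple `>=`, `^`, `~` and bare-version range shapes are handled.

```javascript
// Added example, not code from the PR or the query-doctor project. Flags peer
// ranges for @opentelemetry/core whose floor still admits releases affected by
// GHSA-8988-4f7v-96qf (every version below 2.8.0, as the PR states).
const FIXED_VERSION = "2.8.0"; // first and only fixed line named in the PR

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison ("2.10.0" sorts after "2.8.0", unlike a string compare).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Lowest version a simple range accepts, or null when the shape is not understood.
function rangeFloor(range) {
  const m = /^(>=|\^|~)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[2] : null;
}

// A peer range admits vulnerable releases when its floor is below the fixed version.
function peerRangeAdmitsVulnerable(range, fixed = FIXED_VERSION) {
  const floor = rangeFloor(range);
  if (floor === null) throw new Error(`cannot evaluate range: ${range}`);
  return compareVersions(floor, fixed) < 0;
}

// The concrete version a lockfile resolved (e.g. from the installed package.json).
function resolvedIsVulnerable(version, fixed = FIXED_VERSION) {
  return compareVersions(version, fixed) < 0;
}

// Audit one parsed package.json; returns human-readable findings (empty when clean).
function auditPeerDeps(pkg, dep = "@opentelemetry/core", fixed = FIXED_VERSION) {
  const range = (pkg.peerDependencies || {})[dep];
  if (range === undefined) return [];
  return peerRangeAdmitsVulnerable(range, fixed)
    ? [`${pkg.name}@${pkg.version}: peer ${dep} "${range}" admits versions <${fixed}`]
    : [];
}

// Constructed manifests mirroring the before/after state the PR describes.
const BEFORE = { name: "@query-doctor/sqlcommenter-drizzle", version: "0.2.0",
  peerDependencies: { "@opentelemetry/core": ">=1.0.0" } };
const AFTER = { name: "@query-doctor/sqlcommenter-drizzle", version: "0.3.0",
  peerDependencies: { "@opentelemetry/core": ">=2.8.0" } };
```

Run `auditPeerDeps` over each workspace manifest and `resolvedIsVulnerable` over the version actually installed under `node_modules/@opentelemetry/core` to confirm both the declared range and the lockfile are clear.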