Skip to content

fix(deps): batch security update — 2 vulnerabilities#41981

Closed
appsmith-smithes[bot] wants to merge 1 commit into
releasefrom
fix/dependabot-batch-20260711-093233
Closed

fix(deps): batch security update — 2 vulnerabilities#41981
appsmith-smithes[bot] wants to merge 1 commit into
releasefrom
fix/dependabot-batch-20260711-093233

Conversation

@appsmith-smithes

@appsmith-smithes appsmith-smithes Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Batch security update via resolutions pins.

Resolved alerts

No code changes — resolutions pins only.

/ok-to-test tags="@tag.All"

Warning

Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/29147945391
Commit: f4efe6f
Cypress dashboard.
Tags: @tag.All
Spec:
It seems like no tests ran 😔. We are not able to recognize it, please check workflow here.


Sat, 11 Jul 2026 09:39:07 UTC

@appsmith-smithes appsmith-smithes Bot added the ok-to-test Required label for CI label Jul 11, 2026
@github-actions github-actions Bot added Bug Something isn't working and removed Bug Something isn't working labels Jul 11, 2026
@appsmith-smithes

Copy link
Copy Markdown
Contributor Author

🔍 Root Cause Analysis — Smithes Bot

Summary

Both CI failures (client-build and client-unit-tests) have a single root cause: the PR bumped only @opentelemetry/core to v2.x while leaving all companion packages (sdk-trace-base, sdk-trace-web, resources, etc.) at v1.x. The @opentelemetry packages have strict internal version alignment — mixing v1.x and v2.x breaks at both compile time and runtime.


Failure 1: client-build — TypeScript error TS2307

Error:

src/instrumentation/index.ts(8,8): error TS2307: Cannot find module '@opentelemetry/semantic-conventions/incubating' or its corresponding type declarations.
There are types at 'node_modules/@opentelemetry/semantic-conventions/build/src/index-incubating.d.ts', but this result could not be resolved under your current 'moduleResolution' setting.

Cause:

  • The PR added @opentelemetry/core@^2.8.0 which depends on @opentelemetry/semantic-conventions@^1.29.0
  • The lockfile now installs semantic-conventions@1.43.0 (new) alongside the existing 1.28.0 entry for sdk-trace-base
  • Yarn hoists 1.43.0 to top-level node_modules
  • tsconfig.json has moduleResolution: "node" (classic) which cannot resolve package.json exports subpath entries (/incubating)
  • With 1.28.0, this worked previously because yarn kept only 1.28.0 hoisted; 1.43.0 didn't appear at top-level
  • The fix for this failure alone requires updating tsconfig.json to moduleResolution: "bundler" or "node16"

Failure 2: client-unit-tests — TypeError: Cannot read properties of undefined (reading 'AlwaysOn')

Error:

TypeError: Cannot read properties of undefined (reading 'AlwaysOn')
  at node_modules/@opentelemetry/sdk-trace-base/src/config.ts:25:58

Cause:

  • @opentelemetry/sdk-trace-base@1.30.0 uses core_1.TracesSamplerValues.AlwaysOn from @opentelemetry/core
  • TracesSamplerValues was removed from @opentelemetry/core in v2.x (breaking change)
  • The global resolution "@opentelemetry/core": "^2.8.0" forces sdk-trace-base (which internally pins core@1.30.0) to receive core@2.9.0 at runtime
  • core@2.9.0.TracesSamplerValues is undefined.AlwaysOn crashes

Why the bot's approach was wrong

The bot added "@opentelemetry/core": "^2.8.0" to both the direct dependency and the yarn resolutions field. The resolutions override forces ALL packages in the dependency tree (including sdk-trace-base@1.30.0) to receive core@2.x — but sdk-trace-base@1.x is not compatible with core@2.x due to breaking API changes.


What's needed to fix this properly

The @opentelemetry CVE (CVE-2026-54285, medium severity, 90d SLA) has no v1.x patch. The fix is available only in v2.x. A coordinated upgrade of the entire ecosystem is required:

Package Current Target
@opentelemetry/core ^1.30.0 ^2.9.0
@opentelemetry/sdk-trace-base ^1.30.0 ^2.9.0
@opentelemetry/sdk-trace-web ^1.30.0 ^2.9.0
@opentelemetry/resources ^1.30.0 ^2.9.0
@opentelemetry/context-zone ^1.30.0 ^2.9.0
@opentelemetry/exporter-trace-otlp-http ^0.57.0 ^0.220.0
@opentelemetry/instrumentation ^0.57.0 ^0.220.0
@opentelemetry/semantic-conventions ^1.28.0 ^1.29.0

Additional required change: app/client/tsconfig.json → update "moduleResolution": "node" to "moduleResolution": "bundler" (needed for /incubating subpath imports with the exports field).

Note: sdk-trace-base@2.9.0 also introduces a new internal package @opentelemetry/sdk-trace@2.9.0 not present in v1.x. Code in src/instrumentation/index.ts should be reviewed after the upgrade.


Recommendation

This PR should be closed (the automated fix is incorrect). The @opentelemetry/core CVE-2026-54285 needs a dedicated PR by a developer to upgrade the full OpenTelemetry ecosystem to v2.x with proper testing. SLA: 62d remaining (medium severity).

— Smithes automated analysis

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ok-to-test Required label for CI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Receiving different results on Safari, Firefox with App Link.

1 participant