fix(deps): batch security update — 2 vulnerabilities#41981
fix(deps): batch security update — 2 vulnerabilities#41981appsmith-smithes[bot] wants to merge 1 commit into
Conversation
🔍 Root Cause Analysis — Smithes BotSummaryBoth CI failures ( Failure 1:
|
| Package | Current | Target |
|---|---|---|
@opentelemetry/core |
^1.30.0 |
^2.9.0 |
@opentelemetry/sdk-trace-base |
^1.30.0 |
^2.9.0 |
@opentelemetry/sdk-trace-web |
^1.30.0 |
^2.9.0 |
@opentelemetry/resources |
^1.30.0 |
^2.9.0 |
@opentelemetry/context-zone |
^1.30.0 |
^2.9.0 |
@opentelemetry/exporter-trace-otlp-http |
^0.57.0 |
^0.220.0 |
@opentelemetry/instrumentation |
^0.57.0 |
^0.220.0 |
@opentelemetry/semantic-conventions |
^1.28.0 |
^1.29.0 |
Additional required change: app/client/tsconfig.json → update "moduleResolution": "node" to "moduleResolution": "bundler" (needed for /incubating subpath imports with the exports field).
Note: sdk-trace-base@2.9.0 also introduces a new internal package @opentelemetry/sdk-trace@2.9.0 not present in v1.x. Code in src/instrumentation/index.ts should be reviewed after the upgrade.
Recommendation
This PR should be closed (the automated fix is incorrect). The @opentelemetry/core CVE-2026-54285 needs a dedicated PR by a developer to upgrade the full OpenTelemetry ecosystem to v2.x with proper testing. SLA: 62d remaining (medium severity).
— Smithes automated analysis
Summary
Batch security update via resolutions pins.
Resolved alerts
No code changes — resolutions pins only.
/ok-to-test tags="@tag.All"
Warning
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/29147945391
Commit: f4efe6f
Cypress dashboard.
Tags: @tag.All
Spec:
It seems like no tests ran 😔. We are not able to recognize it, please check workflow here.
Sat, 11 Jul 2026 09:39:07 UTC