
chore(deps): bump OpenTelemetry SDK to 0.215.0 / v2.7.0#98

Merged
intech merged 2 commits into main from chore/deps-bump-otel-0.215
Apr 19, 2026

Conversation


@intech intech commented Apr 18, 2026

Summary

Quarterly OpenTelemetry dependency bump: @opentelemetry/api-logs and friends 0.212.0 → 0.215.0, stable packages (resources, sdk-metrics, sdk-trace-node) 2.5.1 → 2.7.0, semantic-conventions 1.39.0 → 1.40.0.

Breaking change impact check

Two upstream breaking changes were analyzed against packages/otel/src/:

  1. Custom `LogRecordExporter.forceFlush()` now required — N/A. `@connectum/otel` uses only stock exporters (`OTLPLogExporterHTTP`, `OTLPLogExporterGRPC`, `ConsoleLogRecordExporter`); there is no `implements LogRecordExporter` anywhere in source.
  2. gRPC exporter config `headers` field removed — N/A. The internal `CollectorOptions` interface has only `concurrencyLimit` and `url`; no `headers` field is passed into the gRPC exporter constructors.

Feature auto-gains (no API changes)

  • Hand-rolled ProtobufLogsSerializer (PR feat(otlp-transformer): add custom logs protobuf serializer open-telemetry/opentelemetry-js#6390, v0.215.0) — ~43% throughput improvement for logs protobuf serialization.
  • cardinalitySelector option in PeriodicExportingMetricReader (PR #6460, v2.7.0) — protects against label cardinality explosion (e.g. per rpc.method). Can be wired in a follow-up.
  • SDK self-monitoring metrics: span creation (PR #6213, v2.6.0) and log creation (PR #6433, v2.7.0).
  • Prototype pollution safety patch in mergeTwoObjects (PR #6587, v2.7.0).
  • Stable RPC semantic conventions from semconv 1.28–1.30 (rpc.response.status_code, error.type).

Quality gates

  • L2 build: 16/16 successful
  • L2 typecheck: clean (tsc --noEmit)
  • L2 test: 29/29 successful, 139 tests in @connectum/events alone, 0 failures
  • L3 lint (biome): 13/13, no fixes applied

Changeset

Patch bump for @connectum/otel (no public API changes, only underlying SDK version).

Test plan

  • pnpm install regenerates lockfile cleanly
  • pnpm build && pnpm typecheck && pnpm test pass
  • pnpm lint passes
  • CI green on PR
  • Smoke test performance-test-server example post-merge (cardinality/throughput benchmark)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated OpenTelemetry SDK and related packages to the latest stable versions, including upstream bug fixes and feature improvements.
    • Updated semantic conventions to the latest version for improved standards compliance.
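The `cardinalitySelector` item in the description above is the security-relevant auto-gain: instrumentation that lets a high-variance value such as a per-request id reach `rpc.method` creates an unbounded number of metric series, and an attacker who controls that value can exhaust the process from the outside. The TypeScript below is an added illustration, not `@connectum/otel` or opentelemetry-js code, of the mechanism a reader cardinality limit gives you: a counter that admits at most N distinct attribute sets and folds every further new set into one series tagged `otel.metric.overflow=true` (the overflow attribute defined by the OpenTelemetry metrics SDK specification). `CardinalitySelector`, `BoundedCounter` and `simulateExplosion` are names invented for this example, and the workload it runs is constructed.

```typescript
// Added illustration (not @connectum/otel or opentelemetry-js code) of what a
// metric-reader cardinality limit buys you: a counter that keeps at most
// `limit` distinct attribute sets and folds every further new set into one
// overflow series tagged otel.metric.overflow=true (the overflow attribute the
// OpenTelemetry metrics SDK specification defines). Memory and export size stay
// bounded; the total is preserved, only its attribution beyond the cap is lost.

type Attributes = Record<string, string | number | boolean>;

// Hypothetical per-instrument-type selector standing in for the idea behind
// the reader option: it answers "what limit applies to this kind of instrument".
type CardinalitySelector = (instrumentType: "counter" | "histogram") => number;

const OVERFLOW_ATTRIBUTE = "otel.metric.overflow";

interface Series {
  attrs: Attributes;
  sum: number;
}

// Canonical key so that {a:1,b:2} and {b:2,a:1} land in the same series.
function attributeKey(attrs: Attributes): string {
  return Object.keys(attrs)
    .sort()
    .map((k) => k + "=" + JSON.stringify(attrs[k]))
    .join("|");
}

class BoundedCounter {
  // Prototype-less map: attribute-derived keys can never collide with
  // Object.prototype members such as "constructor".
  private readonly series: Record<string, Series> = Object.create(null);
  private readonly overflowKey = attributeKey({ [OVERFLOW_ATTRIBUTE]: true });
  private readonly limit: number;

  constructor(limit: number) {
    if (Math.floor(limit) !== limit || limit < 1) {
      throw new RangeError("cardinality limit must be a positive integer");
    }
    this.limit = limit;
  }

  add(value: number, attrs: Attributes): void {
    const key = attributeKey(attrs);
    const existing = this.series[key];
    if (existing) {
      existing.sum += value;
      return;
    }
    // The cap counts real series only; the overflow series is extra.
    const realSeries =
      Object.keys(this.series).length - (this.series[this.overflowKey] ? 1 : 0);
    if (realSeries < this.limit) {
      this.series[key] = { attrs: { ...attrs }, sum: value };
      return;
    }
    const overflow = this.series[this.overflowKey];
    if (overflow) {
      overflow.sum += value;
    } else {
      this.series[this.overflowKey] = { attrs: { [OVERFLOW_ATTRIBUTE]: true }, sum: value };
    }
  }

  seriesCount(): number {
    return Object.keys(this.series).length;
  }

  sumFor(attrs: Attributes): number {
    const s = this.series[attributeKey(attrs)];
    return s ? s.sum : 0;
  }

  overflowSum(): number {
    return this.sumFor({ [OVERFLOW_ATTRIBUTE]: true });
  }

  total(): number {
    let t = 0;
    for (const key of Object.keys(this.series)) {
      const s = this.series[key];
      if (s) t += s.sum;
    }
    return t;
  }
}

// Constructed workload: a service that (wrongly) puts a per-request id into
// rpc.method, exactly the high-variance attribute the PR description warns about.
function simulateExplosion(limit: number, requests: number): BoundedCounter {
  const selector: CardinalitySelector = (kind) => (kind === "counter" ? limit : limit * 2);
  const counter = new BoundedCounter(selector("counter"));
  for (let i = 0; i < requests; i++) {
    counter.add(1, { "rpc.service": "UserService", "rpc.method": "Get/" + i });
  }
  // A series admitted before the cap keeps receiving its own updates afterwards.
  counter.add(5, { "rpc.service": "UserService", "rpc.method": "Get/0" });
  return counter;
}
```

With a limit of 3 and 10 distinct per-request methods the counter ends up holding four series (three real plus the overflow one); the overflow series carries the other seven increments, so the total is never lost, only its attribution beyond the cap. The same folding is what keeps an exporter payload from growing with attacker-chosen input.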

@github-actions github-actions Bot added the type:chore Maintenance: refactoring, dependencies, CI/CD label Apr 18, 2026

coderabbitai Bot commented Apr 18, 2026

Warning

Rate limit exceeded

@intech has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 39 minutes and 24 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 39 minutes and 24 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fcf6ec56-e1cd-4882-a263-7134381837b5

📥 Commits

Reviewing files that changed from the base of the PR and between 7748f33 and bf5d6f9.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .changeset/bump-otel-0-215.md
  • pnpm-workspace.yaml
📝 Walkthrough

Walkthrough

This pull request updates OpenTelemetry dependencies to versions 0.215.0/v2.7.0 for the SDK and 1.40.0 for semantic conventions. A changeset file documents the patch release for @connectum/otel, and the workspace catalog is updated with the new version pins.

Changes

Cohort / File(s) Summary
OpenTelemetry Dependency Upgrades
.changeset/bump-otel-0-215.md, pnpm-workspace.yaml
Dependency version pins updated across multiple OpenTelemetry packages (api-logs, exporters, instrumentation, resources, SDK modules, and semantic-conventions). Changeset documents the patch release, upstream feature updates, and confirms inapplicable breaking changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 The telescope grows clearer now,
With telemetry bright and true,
Version bumps hop down the row,
Our instruments brand new!
Observability's rabbit's delight,
Hop-hop-hop—we see the light!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: bumping OpenTelemetry SDK dependencies to specific versions (0.215.0 / v2.7.0). It directly matches the primary objective of the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



pkg-pr-new Bot commented Apr 18, 2026

```sh
npm i https://pkg.pr.new/@connectum/auth@98
npm i https://pkg.pr.new/@connectum/cli@98
npm i https://pkg.pr.new/@connectum/core@98
npm i https://pkg.pr.new/@connectum/events@98
npm i https://pkg.pr.new/@connectum/events-amqp@98
npm i https://pkg.pr.new/@connectum/events-kafka@98
npm i https://pkg.pr.new/@connectum/events-nats@98
npm i https://pkg.pr.new/@connectum/events-redis@98
npm i https://pkg.pr.new/@connectum/healthcheck@98
npm i https://pkg.pr.new/@connectum/interceptors@98
npm i https://pkg.pr.new/@connectum/otel@98
npm i https://pkg.pr.new/@connectum/reflection@98
npm i https://pkg.pr.new/@connectum/testing@98
```

commit: bf5d6f9

@intech intech self-assigned this Apr 18, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.changeset/bump-otel-0-215.md:
- Around line 8-12: Update the changeset entries to correct the inaccurate
performance, version, and PR references: re-run or cite the benchmark for
ProtobufLogsSerializer and change the "~43% throughput improvement" to the
verified 67–73% range (or add precise batch-size context), change any wording
that presents v2.7.0 as released to “upcoming v2.7.0” or similar for the
`cardinalitySelector` (PR `#6460`) entry, remove or replace the non-existent PR
`#6587` reference to the `mergeTwoObjects` prototype pollution fix (verify whether
the intended reference is issue `#4473` or another PR and update accordingly), and
verify which semconv version actually stabilized `rpc.response.status_code` /
`error.type` and correct the semconv line to cite the exact version(s) that
introduced those stable RPC/error conventions (or remove the stability claim if
not accurate); update the lines mentioning ProtobufLogsSerializer,
`cardinalitySelector`, `mergeTwoObjects`, and the semconv statement to reflect
these corrections.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6daf2db3-ae8f-4c92-9fc1-3efb3756333f

📥 Commits

Reviewing files that changed from the base of the PR and between 972248d and 7748f33.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .changeset/bump-otel-0-215.md
  • pnpm-workspace.yaml

Comment thread .changeset/bump-otel-0-215.md Outdated
intech added a commit that referenced this pull request Apr 18, 2026
- Fix ProtobufLogsSerializer throughput claim (43% → verified 67-73% for
  typical batches per upstream PR #6228 benchmarks)
- Reword PR #6587 description to match upstream title (safety checks on
  internal merge, not explicitly labeled prototype pollution)
- Correct semconv version: rpc.response.status_code stabilized in v1.39.0,
  we bump to v1.40.0

Addresses coderabbitai review on PR #98.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

intech commented Apr 18, 2026

Thanks @coderabbitai for the careful review. Verified each claim against GitHub API and upstream sources:

Addressed in 4b3245a:

  1. Performance metric ✅ Corrected ~43% → verified upstream numbers from PR #6228: +72% at 512 logs, +67% at 1024 logs (see PR #6228 benchmarks).

  2. Semconv stability ✅ `rpc.response.status_code` stabilized in semconv v1.39.0, not v1.28–1.30. Our bump targets v1.40.0, so we benefit. Updated wording accordingly.

  3. PR #6587 wording ✅ Reworded from "prototype pollution safety fix" to match upstream PR title: "add extra checks on internal merge function for safety".

Not issues — verified via GitHub API:

  1. v2.7.0 IS released — published 2026-04-17T11:26:22Z as Latest, not draft/prerelease:

    $ gh api repos/open-telemetry/opentelemetry-js/releases/tags/v2.7.0
    {"draft":false,"prerelease":false,"published_at":"2026-04-17T11:26:22Z","tag_name":"v2.7.0"}
    

    The newreleases.io reference in your web query was correct; the official GitHub releases page entry simply wasn't in your cache.

  2. PR #6587 exists — merged 2026-04-16T14:00:30Z, title "fix(opentelemetry-core): add extra checks on internal merge function for safety":

    $ gh pr view 6587 --repo open-telemetry/opentelemetry-js
    state: MERGED, mergedAt: 2026-04-16T14:00:30Z
    

    It's in v2.7.0.

Would appreciate a re-review after 4b3245a.


coderabbitai Bot commented Apr 18, 2026

@intech: Thank you for the thorough verification against the GitHub API and upstream sources — this is exactly the kind of due diligence that makes changeset notes trustworthy. Here's a summary of my assessment:

Items addressed in 4b3245a

  1. Performance metric — Correcting ~43% to the upstream-measured figures (+72% at 512 logs, +67% at 1024 logs from PR #6228 which adds the custom protobuf logs serializer) is strictly more accurate and scoped to the actual benchmark payload sizes. Good call.

  2. Semconv stability — Aligning the rpc.response.status_code stabilization to v1.39.0 (rather than the earlier vague range) is correct; since the bump targets v1.40.0, the benefit is clearly captured.

  3. PR #6587 wording — Matching the upstream commit title ("add extra checks on internal merge function for safety") over the informal "prototype pollution safety fix" framing is the right editorial choice.

Items confirmed as non-issues ✅

  1. v2.7.0 release status — Your gh api output is conclusive ("draft":false,"prerelease":false). My prior web-search cache simply didn't reflect the 2026-04-17 publication. Noted.

  2. PR #6587 existence: `state: MERGED, mergedAt: 2026-04-16T14:00:30Z` is definitive; it's in the v2.7.0 tag.

All corrections look accurate. Triggering a re-review of the updated changeset.


✏️ Learnings added
Learnt from: intech
URL: https://github.com/Connectum-Framework/connectum/pull/98

Timestamp: 2026-04-18T23:55:10.000Z
Learning: In the opentelemetry-js repository, PR `#6228` (feat(otlp-transformer): add custom protobuf logs serializer) yields benchmark improvements of +72% throughput at 512 logs and +67% at 1024 logs for protobuf log serialization — not ~43%.

Learnt from: intech
URL: https://github.com/Connectum-Framework/connectum/pull/98

Timestamp: 2026-04-18T23:55:10.000Z
Learning: In opentelemetry-js semantic-conventions, `rpc.response.status_code` was stabilized in semconv v1.39.0, not in the v1.28–1.30 range.

Learnt from: intech
URL: https://github.com/Connectum-Framework/connectum/pull/98

Timestamp: 2026-04-18T23:55:10.000Z
Learning: opentelemetry-js PR `#6587` is titled "fix(opentelemetry-core): add extra checks on internal merge function for safety" (merged 2026-04-16), not "prototype pollution safety patch". It was included in the v2.7.0 release published 2026-04-17.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

intech and others added 2 commits April 19, 2026 03:57
- Bump @opentelemetry/* 0.212.0 -> 0.215.0 (api-logs, exporters, sdk-logs, sdk-node, instrumentation)
- Bump @opentelemetry/resources, sdk-metrics, sdk-trace-node 2.5.1 -> 2.7.0
- Bump @opentelemetry/semantic-conventions 1.39.0 -> 1.40.0
- Verified no breaking changes impact @connectum/otel:
  * No custom LogRecordExporter implementations (stock exporters only)
  * CollectorOptions has no `headers` field (gRPC config change N/A)
- Auto-gain: hand-rolled ProtobufLogsSerializer (~43% throughput),
  cardinalitySelector protection, SDK self-observability metrics,
  prototype pollution fix in mergeTwoObjects

L2 build + typecheck + test: PASS (16/16, 29/29, 13/13 lint)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Fix ProtobufLogsSerializer throughput claim (43% → verified 67-73% for
  typical batches per upstream PR #6228 benchmarks)
- Reword PR #6587 description to match upstream title (safety checks on
  internal merge, not explicitly labeled prototype pollution)
- Correct semconv version: rpc.response.status_code stabilized in v1.39.0,
  we bump to v1.40.0

Addresses coderabbitai review on PR #98.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@intech intech force-pushed the chore/deps-bump-otel-0.215 branch from 4b3245a to bf5d6f9 on April 18, 2026 23:57
@intech intech merged commit 15f4dbb into main Apr 19, 2026
13 checks passed
@intech intech deleted the chore/deps-bump-otel-0.215 branch April 19, 2026 00:03
intech added a commit that referenced this pull request Apr 19, 2026
PR #98 (OTel 0.215 bump) merged into main; rebased this branch
and regenerated pnpm-lock.yaml to reconcile both sets of changes
(security overrides + OTel version bumps).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
intech added a commit that referenced this pull request Apr 19, 2026
## Summary

Resolves 4 open Dependabot alerts on the default branch.

| # | Severity | Package | Vulnerable | Patched | Type | Advisory |
|---|----------|---------|------------|---------|------|----------|
| 18 | Critical | protobufjs | `< 7.5.5` | 7.5.5 | transitive | GHSA-xq3m-2v4x-88gg |
| 16 | Critical | protobufjs | `>= 8.0.0, < 8.0.1` | 8.0.1 | transitive | GHSA-xq3m-2v4x-88gg |
| 15 | High | basic-ftp | `<= 5.2.1` | 5.2.2 | transitive (dev) | GHSA-6v7q-wjvx-w8wg |
| 14 | High | basic-ftp | `= 5.2.0` | 5.2.1 | transitive (dev) | GHSA-chqc-8p9q-pq6q |

## Impact analysis

- **protobufjs** reaches runtime via `@connectum/otel` through two paths:
  - `@grpc/grpc-js` -> `@grpc/proto-loader` -> `protobufjs@7.5.4` (gRPC exporters)
  - `@opentelemetry/otlp-transformer` -> `protobufjs@8.0.1` (OTLP transformer)
- **basic-ftp** is dev-only, reachable only via `@exodus/test` -> `puppeteer-core` -> `@puppeteer/browsers` -> `proxy-agent` -> `pac-proxy-agent` -> `get-uri`. Not shipped to consumers, but still flagged on default branch.

## Strategy

All four alerts are transitive. Fixed via `pnpm.overrides` in the monorepo root `package.json`:

```diff
-      "basic-ftp@<5.2.0": "5.2.0",
+      "basic-ftp@<5.2.2": "5.2.2",
       "rollup@>=4.0.0 <4.59.0": "4.59.0",
       ...
-      "brace-expansion@>=4.0.0 <5.0.5": "5.0.5"
+      "brace-expansion@>=4.0.0 <5.0.5": "5.0.5",
+      "protobufjs@<7.5.5": "7.5.5",
+      "protobufjs@>=8.0.0 <8.0.1": "8.0.1"
```
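Review bot: the new `protobufjs@<7.5.5` selector and the tightened `basic-ftp@<5.2.2` selector are unbounded below, so unlike the `protobufjs@>=8.0.0 <8.0.1` line they would also rewrite a 6.x protobufjs or a 4.x basic-ftp requested by some other transitive dependency up to a different major, which is no longer the patch-level change the description promises. Bounding them to the affected major (`"protobufjs@>=7.0.0 <7.5.5": "7.5.5"`, `"basic-ftp@>=5.0.0 <5.2.2": "5.2.2"`) keeps the fix scoped to the versions the advisories cover; since `pnpm why` is already in the test plan, confirming that no older major is present in the graph before choosing either form is cheap.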

The pre-existing `basic-ftp@<5.2.0: 5.2.0` override was stale (it pinned the now-vulnerable 5.2.0); it has been tightened to `<5.2.2 -> 5.2.2` to cover both high-severity advisories.

All bumps are patch-level; no API changes in the upstream packages.

## Verification

After `pnpm install`:

```text
basic-ftp      5.2.2   (was 5.2.0)
protobufjs     7.5.5   (was 7.5.4, via @grpc/proto-loader)
protobufjs     8.0.1   (unchanged, already patched; override prevents regression)
```

## Changesets

- `@connectum/otel`: `patch` — the only published package whose runtime dependency graph is affected.
- `basic-ftp` changes are dev-only and do not require a changeset.

## Coordination

Does not conflict with PR #98 (OTel `0.212 -> 0.215` bump, currently in auto-merge queue). This PR is based on `main` after #98-free state, and touches only `package.json` overrides + `pnpm-lock.yaml` + a new changeset. After #98 merges, the overrides remain valid: OTel 0.215 already pulls `protobufjs 8.0.1`; the override only constrains older versions.

## Test plan

- [x] `pnpm install` succeeds; lockfile updated
- [x] L2: `pnpm build` + `pnpm typecheck` + `pnpm test` pass (29 turbo tasks green)
- [x] L3: `pnpm lint` passes (13 packages, biome clean)
- [x] `pnpm why` confirms patched versions resolved across the monorepo
- [ ] CI checks pass on this PR
- [ ] All 4 Dependabot alerts auto-close after merge

Generated with Claude Code

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
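The stale `basic-ftp@<5.2.0: 5.2.0` override this commit describes is the general failure mode of `pnpm.overrides`: a selector that reads as protective but pins straight onto a version a later advisory covers. The TypeScript below is an added example, not the repository's tooling, that audits a set of overrides against a set of advisories: every published version an advisory marks vulnerable must be caught by an override selector for that package, and the version the override pins to must itself fall outside the vulnerable range. The advisory ranges and override selectors are the ones from this PR's table and diff; the `PUBLISHED` version lists are constructed for the example rather than taken from the npm registry, and the range parser understands only the comparator forms that appear here.

```typescript
// Added example (not the repository's tooling): audit pnpm.overrides against
// advisories. An override neutralises an advisory only if (a) its selector
// catches every published version the advisory marks vulnerable and (b) the
// version it pins to is itself outside the vulnerable range. Failing (b) is the
// stale-override trap: `basic-ftp@<5.2.0: 5.2.0` pinned onto GHSA-chqc-8p9q-pq6q.

type Version = [number, number, number];

interface Comparator {
  op: string;
  bound: Version;
}

interface Advisory {
  id: string;
  pkg: string;
  vulnerable: string; // comparator set, e.g. ">= 8.0.0, < 8.0.1"
}

function parseVersion(v: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error("unsupported version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Only the comparator forms used on this PR: "<7.5.5", ">= 8.0.0, < 8.0.1",
// "<= 5.2.1", "= 5.2.0". Every comparator in the set must hold.
function parseRange(range: string): Comparator[] {
  const tokens = range.replace(/(<=|>=|<|>|=)\s+/g, "$1").split(/[\s,]+/);
  const out: Comparator[] = [];
  for (const t of tokens) {
    if (t.length === 0) continue;
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(t);
    if (!m) throw new Error("unsupported comparator: " + t);
    out.push({ op: m[1] || "=", bound: parseVersion(m[2]) });
  }
  return out;
}

function inRange(v: Version, range: Comparator[]): boolean {
  for (const c of range) {
    const cmp = compareVersions(v, c.bound);
    const ok =
      c.op === "<" ? cmp < 0 :
      c.op === "<=" ? cmp <= 0 :
      c.op === ">" ? cmp > 0 :
      c.op === ">=" ? cmp >= 0 :
      cmp === 0;
    if (!ok) return false;
  }
  return true;
}

// "pkg@range" -> { pkg, range }; indexOf from 1 skips a scope's leading "@".
function splitSelector(selector: string): { pkg: string; range: string } {
  const at = selector.indexOf("@", 1);
  return at < 0
    ? { pkg: selector, range: ">=0.0.0" }
    : { pkg: selector.slice(0, at), range: selector.slice(at + 1) };
}

function auditOverrides(
  advisories: Advisory[],
  overrides: Record<string, string>,
  published: Record<string, string[]>,
): string[] {
  const findings: string[] = [];
  const parsed = Object.keys(overrides).map((sel) => ({ ...splitSelector(sel), target: overrides[sel] }));
  for (const adv of advisories) {
    const vulnerable = parseRange(adv.vulnerable);
    for (const raw of published[adv.pkg] || []) {
      const v = parseVersion(raw);
      if (!inRange(v, vulnerable)) continue;
      const hit = parsed.filter((o) => o.pkg === adv.pkg && inRange(v, parseRange(o.range)))[0];
      if (!hit) {
        findings.push(adv.id + ": " + adv.pkg + "@" + raw + " is vulnerable and no override catches it");
      } else if (inRange(parseVersion(hit.target), vulnerable)) {
        findings.push(adv.id + ": override " + hit.pkg + "@" + hit.range + " -> " + hit.target + " pins a vulnerable version");
      }
    }
  }
  return findings;
}

// Constructed version lists for the example, not the npm registry's history.
const PUBLISHED: Record<string, string[]> = {
  protobufjs: ["7.5.3", "7.5.4", "7.5.5", "8.0.0", "8.0.1"],
  "basic-ftp": ["5.1.0", "5.2.0", "5.2.1", "5.2.2"],
};

// Advisory ranges as listed in this PR's table.
const ADVISORIES: Advisory[] = [
  { id: "GHSA-xq3m-2v4x-88gg", pkg: "protobufjs", vulnerable: "< 7.5.5" },
  { id: "GHSA-xq3m-2v4x-88gg", pkg: "protobufjs", vulnerable: ">= 8.0.0, < 8.0.1" },
  { id: "GHSA-6v7q-wjvx-w8wg", pkg: "basic-ftp", vulnerable: "<= 5.2.1" },
  { id: "GHSA-chqc-8p9q-pq6q", pkg: "basic-ftp", vulnerable: "= 5.2.0" },
];

// Before this PR: only the stale override existed. After: the three it lands.
const STALE_OVERRIDES: Record<string, string> = { "basic-ftp@<5.2.0": "5.2.0" };
const FIXED_OVERRIDES: Record<string, string> = {
  "basic-ftp@<5.2.2": "5.2.2",
  "protobufjs@<7.5.5": "7.5.5",
  "protobufjs@>=8.0.0 <8.0.1": "8.0.1",
};

function auditStale(): string[] {
  return auditOverrides(ADVISORIES, STALE_OVERRIDES, PUBLISHED);
}

function auditFixed(): string[] {
  return auditOverrides(ADVISORIES, FIXED_OVERRIDES, PUBLISHED);
}
```

Run against the pre-PR state, the audit reports the stale `basic-ftp@<5.2.0 -> 5.2.0` override as pinning a version inside GHSA-6v7q-wjvx-w8wg's range and lists every protobufjs and basic-ftp version no override catches; against the overrides this PR lands it reports nothing. The same check belongs in CI next to `pnpm audit`, because Dependabot only tells you a vulnerable version resolved, not that the override meant to stop it is the thing resolving it.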
intech pushed a commit that referenced this pull request Apr 19, 2026
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

`main` is currently in **pre mode** so this branch has prereleases
rather than normal releases. If you want to exit prereleases, run
`changeset pre exit` on `main`.

⚠️⚠️⚠️⚠️⚠️⚠️

# Releases
## @connectum/auth@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/core@1.0.0-rc.11

## @connectum/events@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/core@1.0.0-rc.11

## @connectum/events-amqp@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/events@1.0.0-rc.11

## @connectum/events-kafka@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/events@1.0.0-rc.11

## @connectum/events-nats@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/events@1.0.0-rc.11

## @connectum/events-redis@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/events@1.0.0-rc.11

## @connectum/healthcheck@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/core@1.0.0-rc.11

## @connectum/interceptors@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/core@1.0.0-rc.11

## @connectum/otel@1.0.0-rc.11

### Patch Changes

- [#98](#98) [`15f4dbb`](15f4dbb) Thanks [@intech](https://github.com/intech)! - Bump OpenTelemetry SDK to 0.215.0 / v2.7.0 and semantic conventions to 1.40.0.

    Highlights (auto-gain, no API changes in `@connectum/otel`):

    - Hand-rolled `ProtobufLogsSerializer` (PR open-telemetry/opentelemetry-js#6390, v0.215.0) — +67–73% throughput for typical batch sizes (100–1024 logs); +72% at 512 logs, +67% at 1024 logs per upstream benchmarks in PR [#6228](https://github.com/Connectum-Framework/connectum/issues/6228)
    - `cardinalitySelector` support in `PeriodicExportingMetricReader` (PR [#6460](https://github.com/Connectum-Framework/connectum/issues/6460), v2.7.0) — protection against cardinality explosion on high-variance attributes
    - SDK self-observability: span + log creation metrics (PRs [#6213](https://github.com/Connectum-Framework/connectum/issues/6213), [#6433](https://github.com/Connectum-Framework/connectum/issues/6433))
    - Internal `mergeTwoObjects` safety checks (PR [#6587](https://github.com/Connectum-Framework/connectum/issues/6587), v2.7.0) — additional guards against unsafe key merges
    - Updated semantic conventions (semconv v1.40.0) — stable RPC attributes including `rpc.response.status_code` and `error.type` (stabilized in semconv v1.39.0)

    Breaking changes upstream that do NOT affect `@connectum/otel` (verified):

    - Custom `LogRecordExporter.forceFlush()` requirement — not applicable (we use stock exporters only)
    - gRPC exporter config `headers` field removal — not applicable (`CollectorOptions` has no `headers`)

- [#99](#99) [`5b3f01d`](5b3f01d) Thanks [@intech](https://github.com/intech)! - security(deps): force patched versions of protobufjs and basic-ftp via pnpm overrides

    Resolves Dependabot alerts on main branch:

    - **GHSA-xq3m-2v4x-88gg** (Critical) — Arbitrary code execution in protobufjs < 7.5.5 (transitive via `@grpc/proto-loader` under OTel gRPC exporters).
    - **GHSA-xq3m-2v4x-88gg** (Critical) — Arbitrary code execution in protobufjs 8.0.0 (transitive via `@opentelemetry/otlp-transformer`).
    - **GHSA-chqc-8p9q-pq6q** (High) — basic-ftp 5.2.0 FTP Command Injection via CRLF (dev-only transitive via `@exodus/test` → puppeteer-core).
    - **GHSA-6v7q-wjvx-w8wg** (High) — basic-ftp ≤ 5.2.1 incomplete CRLF protection (dev-only transitive via `@exodus/test` → puppeteer-core).

    No runtime API changes. Only `pnpm.overrides` in the monorepo root were adjusted to force patched transitive versions: `protobufjs@<7.5.5 → 7.5.5`, `protobufjs@>=8.0.0 <8.0.1 → 8.0.1`, `basic-ftp@<5.2.2 → 5.2.2`.

## @connectum/reflection@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/core@1.0.0-rc.11

## @connectum/testing@1.0.0-rc.11

### Patch Changes

-   Updated dependencies \[]:
    -   @connectum/core@1.0.0-rc.11

## @connectum/cli@1.0.0-rc.11



## @connectum/core@1.0.0-rc.11

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>