security(deps): resolve 4 Dependabot alerts (2 critical, 2 high)#99
@connectum/auth
@connectum/cli
@connectum/core
@connectum/events
@connectum/events-amqp
@connectum/events-kafka
@connectum/events-nats
@connectum/events-redis
@connectum/healthcheck
@connectum/interceptors
@connectum/otel
@connectum/reflection
@connectum/testing
Force patched transitive versions via pnpm overrides:

- protobufjs <7.5.5 -> 7.5.5 (GHSA-xq3m-2v4x-88gg, Critical)
- protobufjs >=8.0.0 <8.0.1 -> 8.0.1 (GHSA-xq3m-2v4x-88gg, Critical)
- basic-ftp <5.2.2 -> 5.2.2 (GHSA-chqc-8p9q-pq6q + GHSA-6v7q-wjvx-w8wg, High)

protobufjs reaches runtime via @connectum/otel through @grpc/proto-loader and @opentelemetry/otlp-transformer. basic-ftp is dev-only via @exodus/test -> puppeteer-core.

Quality gates: pnpm build + typecheck + test (L2) + lint (L3) all pass. No runtime API changes.
PR #98 (OTel 0.215 bump) merged into main; rebased this branch and regenerated pnpm-lock.yaml to reconcile both sets of changes (security overrides + OTel version bumps). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️

`main` is currently in **pre mode** so this branch has prereleases rather than normal releases. If you want to exit prereleases, run `changeset pre exit` on `main`.

⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️

# Releases

## @connectum/auth@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/core@1.0.0-rc.11

## @connectum/events@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/core@1.0.0-rc.11

## @connectum/events-amqp@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/events@1.0.0-rc.11

## @connectum/events-kafka@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/events@1.0.0-rc.11

## @connectum/events-nats@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/events@1.0.0-rc.11

## @connectum/events-redis@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/events@1.0.0-rc.11

## @connectum/healthcheck@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/core@1.0.0-rc.11

## @connectum/interceptors@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/core@1.0.0-rc.11

## @connectum/otel@1.0.0-rc.11

### Patch Changes

- [#98](#98) [`15f4dbb`](15f4dbb) Thanks [@intech](https://github.com/intech)! - Bump OpenTelemetry SDK to 0.215.0 / v2.7.0 and semantic conventions to 1.40.0.

  Highlights (auto-gain, no API changes in `@connectum/otel`):

  - Hand-rolled `ProtobufLogsSerializer` (PR open-telemetry/opentelemetry-js#6390, v0.215.0) — +67–73% throughput for typical batch sizes (100–1024 logs); +72% at 512 logs, +67% at 1024 logs per upstream benchmarks in PR [#6228](https://github.com/Connectum-Framework/connectum/issues/6228)
  - `cardinalitySelector` support in `PeriodicExportingMetricReader` (PR [#6460](https://github.com/Connectum-Framework/connectum/issues/6460), v2.7.0) — protection against cardinality explosion on high-variance attributes
  - SDK self-observability: span + log creation metrics (PRs [#6213](https://github.com/Connectum-Framework/connectum/issues/6213), [#6433](https://github.com/Connectum-Framework/connectum/issues/6433))
  - Internal `mergeTwoObjects` safety checks (PR [#6587](https://github.com/Connectum-Framework/connectum/issues/6587), v2.7.0) — additional guards against unsafe key merges
  - Updated semantic conventions (semconv v1.40.0) — stable RPC attributes including `rpc.response.status_code` and `error.type` (stabilized in semconv v1.39.0)

  Breaking changes upstream that do NOT affect `@connectum/otel` (verified):

  - Custom `LogRecordExporter.forceFlush()` requirement — not applicable (we use stock exporters only)
  - gRPC exporter config `headers` field removal — not applicable (`CollectorOptions` has no `headers`)

- [#99](#99) [`5b3f01d`](5b3f01d) Thanks [@intech](https://github.com/intech)! - security(deps): force patched versions of protobufjs and basic-ftp via pnpm overrides

  Resolves Dependabot alerts on main branch:

  - **GHSA-xq3m-2v4x-88gg** (Critical) — Arbitrary code execution in protobufjs < 7.5.5 (transitive via `@grpc/proto-loader` under OTel gRPC exporters).
  - **GHSA-xq3m-2v4x-88gg** (Critical) — Arbitrary code execution in protobufjs 8.0.0 (transitive via `@opentelemetry/otlp-transformer`).
  - **GHSA-chqc-8p9q-pq6q** (High) — basic-ftp 5.2.0 FTP Command Injection via CRLF (dev-only transitive via `@exodus/test` → puppeteer-core).
  - **GHSA-6v7q-wjvx-w8wg** (High) — basic-ftp ≤ 5.2.1 incomplete CRLF protection (dev-only transitive via `@exodus/test` → puppeteer-core).

  No runtime API changes. Only `pnpm.overrides` in the monorepo root were adjusted to force patched transitive versions: `protobufjs@<7.5.5 → 7.5.5`, `protobufjs@>=8.0.0 <8.0.1 → 8.0.1`, `basic-ftp@<5.2.2 → 5.2.2`.

## @connectum/reflection@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/core@1.0.0-rc.11

## @connectum/testing@1.0.0-rc.11

### Patch Changes

- Updated dependencies []:
  - @connectum/core@1.0.0-rc.11

## @connectum/cli@1.0.0-rc.11

## @connectum/core@1.0.0-rc.11

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## Summary

Resolves 4 open Dependabot alerts on the default branch.

| Package | Advisory | Severity | Vulnerable versions | Patched |
|---|---|---|---|---|
| protobufjs | GHSA-xq3m-2v4x-88gg | Critical | < 7.5.5 | 7.5.5 |
| protobufjs | GHSA-xq3m-2v4x-88gg | Critical | >= 8.0.0, < 8.0.1 | 8.0.1 |
| basic-ftp | GHSA-6v7q-wjvx-w8wg | High | <= 5.2.1 | 5.2.2 |
| basic-ftp | GHSA-chqc-8p9q-pq6q | High | = 5.2.0 | 5.2.2 |

## Impact analysis

`protobufjs` reaches runtime in `@connectum/otel` through two paths:

- `@grpc/grpc-js` -> `@grpc/proto-loader` -> `protobufjs@7.5.4` (gRPC exporters)
- `@opentelemetry/otlp-transformer` -> `protobufjs@8.0.1` (OTLP transformer)

`basic-ftp` is dev-only: `@exodus/test` -> `puppeteer-core` -> `@puppeteer/browsers` -> `proxy-agent` -> `pac-proxy-agent` -> `get-uri`. Not shipped to consumers, but still flagged on the default branch.

## Strategy

All four alerts are transitive. Fixed via `pnpm.overrides` in the monorepo root `package.json`.

The pre-existing `basic-ftp@<5.2.0: 5.2.0` override was stale (it pinned the now-vulnerable 5.2.0); it has been tightened to `<5.2.2 -> 5.2.2` to cover both high-severity advisories.

All bumps are patch-level; no API changes in the upstream packages.

## Verification

After `pnpm install`:

## Changesets

`@connectum/otel`: patch — the only published package whose runtime dependency graph is affected. `basic-ftp` changes are dev-only and do not require a changeset.

## Coordination

Does not conflict with PR #98 (OTel `0.212 -> 0.215` bump, currently in auto-merge queue). This PR is based on `main` in its #98-free state, and touches only `package.json` overrides + `pnpm-lock.yaml` + a new changeset. After #98 merges, the overrides remain valid: OTel 0.215 already pulls `protobufjs 8.0.1`; the override only constrains older versions.

## Test plan

- `pnpm install` succeeds; lockfile updated
- `pnpm build` + `pnpm typecheck` + `pnpm test` pass (29 turbo tasks green)
- `pnpm lint` passes (13 packages, biome clean)
- `pnpm why` confirms patched versions resolved across the monorepo

Generated with Claude Code
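The verification step above relies on `pnpm why` to confirm that the overrides took effect. As an added example (not code from the Connectum repository or this PR), the Node script below automates that check: it scans a `pnpm-lock.yaml` for resolved versions that still fall inside the four advisory ranges in the table, so it can run in CI after `pnpm install`. It assumes the pnpm lockfile v9 layout (2-space indented `name@x.y.z:` keys under `packages:`), and the lockfile excerpt it runs on is constructed, with placeholder integrity hashes.

```javascript
// Added example, not code from the Connectum repo: scan a pnpm-lock.yaml for
// resolved versions still inside the advisory ranges this PR overrides.
const ADVISORIES = [
  { pkg: "protobufjs", id: "GHSA-xq3m-2v4x-88gg", range: "<7.5.5" },
  { pkg: "protobufjs", id: "GHSA-xq3m-2v4x-88gg", range: ">=8.0.0 <8.0.1" },
  { pkg: "basic-ftp", id: "GHSA-chqc-8p9q-pq6q", range: "=5.2.0" },
  { pkg: "basic-ftp", id: "GHSA-6v7q-wjvx-w8wg", range: "<=5.2.1" },
];
// Compare two x.y.z versions: negative if a < b, 0 if equal, positive if a > b.
function cmp(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// Range syntax as written in the advisories: <, <=, >, >=, = joined by space (AND).
const OPS = { "<": (c) => c < 0, "<=": (c) => c <= 0, ">": (c) => c > 0, ">=": (c) => c >= 0, "=": (c) => c === 0 };
function inRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported clause: ${clause}`);
    return OPS[m[1] || "="](cmp(version, m[2]));
  });
}
// Assumed pnpm lockfile v9 layout: each resolved package is a 2-space indented
// "name@x.y.z:" key (quoted for scoped names) under the "packages:" section.
function resolvedVersions(lockfileText) {
  const re = /^ {2}'?((?:@[^/\s']+\/)?[^@\s']+)@(\d+\.\d+\.\d+)[^:]*:/gm;
  return [...lockfileText.matchAll(re)].map((m) => ({ pkg: m[1], version: m[2] }));
}
// Every (package, version) in the lockfile that falls inside an advisory range.
function findVulnerable(lockfileText) {
  return resolvedVersions(lockfileText).flatMap(({ pkg, version }) =>
    ADVISORIES.filter((a) => a.pkg === pkg && inRange(version, a.range))
      .map((a) => ({ pkg, version, id: a.id })));
}
// Constructed lockfile excerpts (placeholder integrity hashes): the pre-override
// state, and the same file after the three overrides from this PR take effect.
const BEFORE = `packages:
  protobufjs@7.5.4:
    resolution: {integrity: sha512-PLACEHOLDER}
  protobufjs@8.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  basic-ftp@5.2.0:
    resolution: {integrity: sha512-PLACEHOLDER}
`;
const AFTER = BEFORE.replace("7.5.4", "7.5.5").replace("8.0.0", "8.0.1").replace("5.2.0", "5.2.2");
console.log(findVulnerable(BEFORE)); // four findings: basic-ftp 5.2.0 matches both advisories
console.log(findVulnerable(AFTER)); // []
```

To use it on a real checkout, read `pnpm-lock.yaml` with `fs.readFileSync` in place of the constructed strings and fail the job when `findVulnerable` returns a non-empty array.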