
[AWS] Suppress NuGet audit warning#3677

Merged
Kielek merged 2 commits into open-telemetry:main from martincostello:fix-GHSA-9cvc-h2w8-phrp
Jan 13, 2026

Conversation

@martincostello
Member

@martincostello martincostello commented Jan 12, 2026

Changes

Suppress low severity audit warning for GHSA-9cvc-h2w8-phrp to fix build error.

Alternatively, we need to bump from [4.0.0, 5.0.0) to [4.0.3.3, 5.0.0).

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • Changes in public API reviewed (if applicable)

Suppress low severity audit warning for GHSA-9cvc-h2w8-phrp to fix build.
@github-actions github-actions Bot added the comp:instrumentation.aws Things related to OpenTelemetry.Instrumentation.AWS label Jan 12, 2026
Suppress low severity audit warning for GHSA-9cvc-h2w8-phrp to fix build.
@codecov

codecov Bot commented Jan 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.72%. Comparing base (b6723bb) to head (084336e).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #3677      +/-   ##
==========================================
+ Coverage   71.58%   71.72%   +0.13%     
==========================================
  Files         455      445      -10     
  Lines       17700    17649      -51     
==========================================
- Hits        12670    12658      -12     
+ Misses       5030     4991      -39     
Flag                                   Coverage   Δ
unittests-Instrumentation.AWS          83.42%     <ø> (ø)
unittests-Instrumentation.Cassandra    ?

Flags with carried forward coverage won't be shown. Click here to find out more.
see 10 files with indirect coverage changes


@Kielek
Member

Kielek commented Jan 12, 2026

I would go with updating the minimal package version if AWS is fine with such changes.

@martincostello
Member Author

martincostello commented Jan 12, 2026

Moving out of draft so the AWS maintainers get pinged for review.

Doesn't appear to work when PR moves out of draft...

@martincostello martincostello marked this pull request as ready for review January 12, 2026 12:25
@martincostello martincostello requested a review from a team as a code owner January 12, 2026 12:25
Copilot AI review requested due to automatic review settings January 12, 2026 12:25
@martincostello
Member Author

/cc @srprash @normj @lukeina2z

Contributor

Copilot AI left a comment


Pull request overview

This PR suppresses a low-severity NuGet audit warning (GHSA-9cvc-h2w8-phrp) to fix a build error in the AWS instrumentation package and related test app. The warning is related to AWSSDK packages with versions in the range [4.0.0, 5.0.0).

Changes:

  • Added NuGetAuditSuppress entries for the GHSA-9cvc-h2w8-phrp security advisory in two project files

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/OpenTelemetry.Instrumentation.AWS/OpenTelemetry.Instrumentation.AWS.csproj Added NuGet audit suppression for GHSA-9cvc-h2w8-phrp to allow building with AWSSDK packages v4.0.0+
test/OpenTelemetry.AotCompatibility.TestApp/OpenTelemetry.AotCompatibility.TestApp.csproj Added NuGet audit suppression for GHSA-9cvc-h2w8-phrp for the AOT compatibility test app that references AWS instrumentation

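For readers who have not used NuGet's audit suppression before, this is what the two options discussed in the thread look like side by side in a project file. It is an added illustration, not the repository's own csproj: the package name AWSSDK.Core, the target framework and the TreatWarningsAsErrors setting are assumptions (the PR only says the low-severity warning breaks the build), while the NuGetAuditSuppress item and the advisory URL form follow NuGet's documented syntax.

```xml
<!-- Added illustration, not the project's own csproj. Package name,
     target framework and warning settings are assumptions. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Assumed cause of the build error in the PR: NuGet honours
         TreatWarningsAsErrors, so a low-severity audit warning (NU1901)
         fails restore instead of merely warning. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <!-- Audit settings spelled out so the behaviour is visible;
         NuGetAudit and NuGetAuditLevel=low are the defaults. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

  <ItemGroup>
    <!-- Option taken in this PR: keep the open range and suppress only the
         one named advisory. NuGetAuditSuppress needs NuGet 6.11+ / .NET SDK
         8.0.400+; the Include value is the full advisory URL. -->
    <PackageReference Include="AWSSDK.Core" Version="[4.0.0, 5.0.0)" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-9cvc-h2w8-phrp" />
  </ItemGroup>

  <!-- Alternative raised in the PR: raise the floor of the version range so
       restore can no longer resolve a release the advisory covers, and drop
       the suppression. Commented out here so the file stays a single,
       consistent configuration. -->
  <!--
  <ItemGroup>
    <PackageReference Include="AWSSDK.Core" Version="[4.0.3.3, 5.0.0)" />
  </ItemGroup>
  -->

</Project>
```

Two things are worth keeping in mind when choosing between the options. The suppression is project-local: it silences the warning for this repository's restore, but the published package still declares the open range, so a consumer whose own restore resolves an affected AWSSDK version will see the same audit warning in their build, with or without this change. Raising the version floor is the only option of the two that actually moves consumers off the affected releases. Either way, `dotnet list package --vulnerable --include-transitive` run in the repository shows which resolved versions still trip the advisory.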

@martincostello
Member Author

@Kielek Given it's a low severity, should we merge this as-is to unblock CI and we can bump the version and remove the suppression in a follow-up if that's what the maintainers would rather do?

Member

@Kielek Kielek left a comment


@martincostello, let's do this.

@Kielek Kielek added this pull request to the merge queue Jan 13, 2026
Merged via the queue into open-telemetry:main with commit 52bd736 Jan 13, 2026
79 checks passed
@martincostello martincostello deleted the fix-GHSA-9cvc-h2w8-phrp branch January 13, 2026 10:31

Labels

comp:instrumentation.aws Things related to OpenTelemetry.Instrumentation.AWS


3 participants