fix(deps): upgrade @opentelemetry/core to v2 to fix CVE-2026-54285#42009
fix(deps): upgrade @opentelemetry/core to v2 to fix CVE-2026-54285#42009subrata71 wants to merge 2 commits into
Conversation
Upgrade OpenTelemetry JS SDK from v1 to v2 and Grafana Faro from v1.12.2 to v2.0.2 to resolve Dependabot alert for unbounded memory allocation in W3C Baggage propagation (CVE-2026-54285). Changes: - @opentelemetry/core, resources, sdk-trace-base, sdk-trace-web, context-zone: ^1.30.0 → ^2.8.0 - @opentelemetry/exporter-trace-otlp-http, instrumentation: ^0.57.0 → ^0.220.0 - @grafana/faro-react, faro-web-tracing: ^1.12.2 → ^2.0.2 (v2.0.2 supports react-router-dom v5 and uses OTel v2 natively) - Add resolutions entry for @opentelemetry/core to ensure no transitive v1 copies remain in the lockfile - Adapt instrumentation code to v2 API: Resource → resourceFromAttributes, addSpanProcessor → spanProcessors constructor option, FaroSessionSpanProcessor → FaroMetaAttributesSpanProcessor
WalkthroughUpdates Faro and OpenTelemetry dependencies, pins the OpenTelemetry core resolution, and adapts ChangesTelemetry upgrade
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant AppsmithTelemetry
participant WebTracerProvider
participant SessionOnlySpanProcessor
participant FaroTraceExporter
AppsmithTelemetry->>WebTracerProvider: Create with resource attributes and span processors
WebTracerProvider->>SessionOnlySpanProcessor: Send spans
SessionOnlySpanProcessor->>FaroTraceExporter: Forward spans with session.id
AppsmithTelemetry->>WebTracerProvider: Register provider
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@app/client/src/instrumentation/index.ts`:
- Around line 85-89: Update the span processor configuration around
FaroMetaAttributesSpanProcessor so user-identifying fields from this.faro.metas,
including id, username, and email populated by identifyUser(), are removed
before spans reach FaroTraceExporter. Preserve non-user metadata while ensuring
these PII fields are never exported.
- Around line 78-92: In the instrumentation initialization flow, update the
WebTracerProvider instance created in the tracerProvider declaration to call
tracerProvider.register() before this.faro.api.initOTEL(trace, context). Keep
the existing Faro span processor configuration unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: f38ca6ca-aabf-4923-b341-4d76156344db
⛔ Files ignored due to path filters (1)
app/client/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (2)
app/client/package.jsonapp/client/src/instrumentation/index.ts
- Remove trackWebVitalsAttribution config option (removed in Faro v2) which caused TS2353 build failure in CI - Add tracerProvider.register() before initOTEL() so the provider becomes the active global tracer (CodeRabbit review) - Replace FaroMetaAttributesSpanProcessor with a custom SessionOnlySpanProcessor that only copies session ID onto spans, matching the old FaroSessionSpanProcessor behavior and avoiding exporting user PII (email, username, id) on every span (CodeRabbit security review)
There was a problem hiding this comment.
🧹 Nitpick comments (1)
app/client/src/instrumentation/index.ts (1)
31-66: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd regression coverage for the session-only processor.
Test that
session.idis forwarded, user metadata is omitted, and all wrapped processor lifecycle methods are delegated.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@app/client/src/instrumentation/index.ts` around lines 31 - 66, The SessionOnlySpanProcessor lacks regression coverage. Add tests for SessionOnlySpanProcessor verifying that onStart forwards session.id while omitting user metadata, and that onStart, onEnd, forceFlush, and shutdown delegate to the wrapped SpanProcessor with the expected arguments and results.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@app/client/src/instrumentation/index.ts`:
- Around line 31-66: The SessionOnlySpanProcessor lacks regression coverage. Add
tests for SessionOnlySpanProcessor verifying that onStart forwards session.id
while omitting user metadata, and that onStart, onEnd, forceFlush, and shutdown
delegate to the wrapped SpanProcessor with the expected arguments and results.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 87545316-4f64-4959-a97d-5d1e9a3c400b
📒 Files selected for processing (1)
app/client/src/instrumentation/index.ts
Description
Upgrades the OpenTelemetry JS SDK from v1 to v2 and Grafana Faro observability packages from v1.12.2 to v2.0.2 to resolve the Dependabot alert for CVE-2026-54285 — unbounded memory allocation in W3C Baggage propagation (
W3CBaggagePropagator.extract()).What changed
Dependencies (
package.json):@opentelemetry/core,resources,sdk-trace-base,sdk-trace-web,context-zone:^1.30.0→^2.8.0@opentelemetry/exporter-trace-otlp-http,instrumentation:^0.57.0→^0.220.0@grafana/faro-react,faro-web-tracing:^1.12.2→^2.0.2(v2.0.2 uses OTel v2 natively while maintainingreact-router-domv5 compatibility)resolutionsentry for@opentelemetry/core: ^2.8.0to prevent any transitive v1 copies in the lockfileCode (
src/instrumentation/index.ts):new Resource({...})→resourceFromAttributes({...})(v2 API change)tracerProvider.addSpanProcessor(...)→spanProcessors: [...]in constructor options (v2 API change)FaroSessionSpanProcessor→FaroMetaAttributesSpanProcessor(Faro v2 rename, same constructor signature)@opentelemetry/semantic-conventions/incubatingimport → inlineATTR_DEPLOYMENT_NAMEconstant + main package importWhy Faro was also upgraded
@grafana/faro-web-tracing@1.12.2bundles@opentelemetry/core@^1.26.0as a regular dependency. Without upgrading Faro, the v1 copy would remain inyarn.lockand the Dependabot alert would persist.@grafana/faro-react@2.0.2was chosen because it still supportsreact-router-domv5, unlike later 2.x versions that require v7+.Verification
yarn.lockcontains only@opentelemetry/core@2.9.0— no v1 entries remainyarn buildexit 0)instrumentation/index.tsremain unchanged)Automation
/ok-to-test tags=""
🔍 Cypress test results
Communication
Should the DevRel and Marketing teams inform users about this change?
Summary by CodeRabbit
Warning
Tests have not run on the HEAD e1c86d4 yet
Fri, 17 Jul 2026 07:39:06 UTC