Bump OpenTelemetry JS deps to address GHSA-q7rr-3cgh-j5r3

[IEvangelist]

Summary

Patches 6 of the 29 open Dependabot alerts on this repo by bumping OpenTelemetry JS dependencies in three JavaScript manifests. The remaining 23 alerts are covered by #17157 (Dependabot) and are intentionally out of scope here.

GHSA	Severity	Package	Vulnerable	Patched at
GHSA-q7rr-3cgh-j5r3	High	@opentelemetry/sdk-node	< 0.217.0	0.217.0
GHSA-q7rr-3cgh-j5r3	High	@opentelemetry/auto-instrumentations-node	< 0.75.0	0.75.0

Prometheus exporter process crash via malformed HTTP request. Both packages ship the affected exporter; either path triggers the same DoS.

Alert numbers fixed: #1033, #1034, #1035, #1040, #1041, #1042.

Why the bigger bump (^0.213.0 → ^0.218.0, etc.)

The minimum patched versions are sdk-node@0.217.0 / auto-instrumentations-node@0.75.0, but the OpenTelemetry JS SDK packages release in lockstep and @opentelemetry/sdk-node pins its transitive deps to exact matching versions (e.g. "@opentelemetry/exporter-trace-otlp-grpc": "0.218.0"). Leaving the other manifest entries at ^0.213.0 while bumping sdk-node to ^0.218.0 would still resolve correctly via the caret range, but the manifest would be misleading. Aligning the whole set to the current release wave (0.218.0 for unstable packages, 2.7.1 for stable sdk-metrics) keeps the manifest honest about what actually installs.

Files

• playground/JavaAppHost/api/package.json
• src/Aspire.Cli/Templating/Templates/java-starter/api/package.json
• src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json

These three files have no committed lockfile, which is why Dependabot didn't auto-bump them along with the lockfile-based manifests in #17157.

Why Dependabot couldn't do this

Dependabot's npm/yarn updater needs a lockfile to compute a deterministic update. For manifests without one, it skips the bump even when the package.json range is vulnerable — that's why all 6 OTel alerts show up against package.json (not package-lock.json) and why none of them appear in #17157.

Validation

Validated locally with npm install --package-lock-only against a scratch copy of playground/JavaAppHost/api/package.json:

@opentelemetry/auto-instrumentations-node   0.76.0
@opentelemetry/exporter-logs-otlp-grpc      0.218.0
@opentelemetry/exporter-metrics-otlp-grpc   0.218.0
@opentelemetry/exporter-trace-otlp-grpc     0.218.0
@opentelemetry/sdk-logs                     0.218.0
@opentelemetry/sdk-metrics                  2.7.1
@opentelemetry/sdk-node                     0.218.0

npm audit against the resolved tree reports 0 vulnerabilities.

Risk notes for reviewers

• OpenTelemetry JS unstable packages (0.x) can include breaking changes between minors. This jumps from 0.213 → 0.218 (5 minor releases). The user-facing surface in the affected files is just new NodeSDK({...}).start() in the templates / playground, which has been stable across recent minors, but reviewers may want to pin tighter (e.g. exact 0.217.0 / 0.75.0) if a more conservative change is preferred.
• None of these three manifests are exercised by CI builds or tests in this repo (no lockfile, no npm install step in CI). The blast radius is: (a) aspire init users templating java-starter or ts-starter and then running npm install, and (b) anyone running the JavaAppHost playground locally.

Related

• Dependabot PR Bump the npm_and_yarn group across 4 directories with 3 updates #17157 covers the remaining 23 alerts (fast-uri, @babel/plugin-transform-modules-systemjs, next) across the lockfile-based manifests in extension/, playground/AspireWithJavaScript/{Angular,React}/, and tests/.../JsPublish/nextjs/.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17171

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17171"

[Copilot]

Pull request overview

This PR updates OpenTelemetry JavaScript dependencies in starter-template and playground API manifests to remediate GHSA-q7rr-3cgh-j5r3 and keep related OTel package versions aligned.

Changes:

• Bumps @opentelemetry/sdk-node and @opentelemetry/auto-instrumentations-node to patched release ranges.
• Aligns related OpenTelemetry exporter, logs, and metrics packages across the affected manifests.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
src/Aspire.Cli/Templating/Templates/ts-starter/api/package.json	Updates OTel dependencies used by the TypeScript starter API template.
src/Aspire.Cli/Templating/Templates/java-starter/api/package.json	Updates OTel dependencies used by the Java starter API template.
playground/JavaAppHost/api/package.json	Updates matching OTel dependencies for the Java AppHost playground API.

[davidfowl]

I'm assuming you verified that no code changes are needed

[IEvangelist]

@davidfowl Yes — verified. Quick summary of what I checked:

API surface in instrumentation.ts (identical across all three locations, modulo playground/JavaAppHost/api/... adding a .catch() on sdk.start()):

• new NodeSDK({ traceExporter, metricReader, logRecordProcessor, instrumentations })
• getNodeAutoInstrumentations()
• OTLP{Trace,Metric,Log}Exporter() (no-arg)
• BatchLogRecordProcessor, PeriodicExportingMetricReader
• sdk.start() / sdk.shutdown()

All of these are stable across the 0.213 → 0.218 / 0.71 → 0.76 / 2.6 → 2.7.1 jumps — no constructor signature, option-shape, or import-path changes that affect this surface.

Lockfiles — none sit next to the three changed api/package.json files, and neither the repo-root yarn.lock nor the frontend/package-lock.json files reference any @opentelemetry/* package, so nothing else needs regenerating.

Strongest CI signal — Aspire CLI Starter Validation (Windows + Windows ARM64) both passed on this PR. Those exercise the templates end-to-end, so any template-API breakage from the bump would have surfaced there.

The one red job (Cli.EndToEnd-ConfigHealingTests) failed at the "Download prebuilt CLI E2E Docker image" step (Artifact not found for name: cli-e2e-dotnet-image) — infrastructure, not code.

[sebastienros]

Local review found no actionable issues.

[github-actions]

❓ CLI E2E Tests unknown — 94 passed, 0 failed, 2 unknown (commit 3d9ec78)

View all recordings

Status	Test	Recording
✅	AddPackageInteractiveWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AddPackageWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AgentCommands_AllHelpOutputs_AreCorrect	✅ ▶️ View recording
✅	AgentInitCommand_DefaultSelection_InstallsDefaultSkills	✅ ▶️ View recording
✅	AgentInitCommand_MigratesDeprecatedConfig	✅ ▶️ View recording
✅	AllPublishMethodsBuildDockerImages	✅ ▶️ View recording
✅	AspireAddPackageVersionToDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireInitSingleFileAppHostRunsViaDotnetRunAppHost	✅ ▶️ View recording
✅	AspireInitWithExistingAppHostDirRecreatesMissingNuGetConfigAndPreservesFiles	✅ ▶️ View recording
❔	AspireInitWithSolutionFileGeneratesAppHostThatBuildsAgainstChannelHive	❔ ▶️ View recording
✅	AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent	✅ ▶️ View recording
✅	Banner_DisplayedOnFirstRun	✅ ▶️ View recording
✅	Banner_DisplayedWithExplicitFlag	✅ ▶️ View recording
✅	Banner_NotDisplayedWithNoLogoFlag	✅ ▶️ View recording
✅	CertificatesClean_RemovesCertificates	✅ ▶️ View recording
✅	CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate	✅ ▶️ View recording
✅	CertificatesTrust_WithUntrustedCert_TrustsCertificate	✅ ▶️ View recording
✅	ConfigSetGet_CreatesNestedJsonFormat	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProject	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProjectWithBundle	✅ ▶️ View recording
✅	CreateAndRunEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJavaEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJsReactProject	✅ ▶️ View recording
✅	CreateAndRunPythonReactProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptStarterProject	✅ ▶️ View recording
✅	CreateJavaAppHostWithViteApp	✅ ▶️ View recording
✅	CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain	✅ ▶️ View recording
✅	DashboardRunWithOtelTracesReturnsNoTraces	✅ ▶️ View recording
✅	DeployK8sBasicApiService	✅ ▶️ View recording
✅	DeployK8sWithExternalHelmChart	✅ ▶️ View recording
✅	DeployK8sWithGarnet	✅ ▶️ View recording
✅	DeployK8sWithMongoDB	✅ ▶️ View recording
✅	DeployK8sWithMySql	✅ ▶️ View recording
✅	DeployK8sWithPostgres	✅ ▶️ View recording
✅	DeployK8sWithRabbitMQ	✅ ▶️ View recording
✅	DeployK8sWithRedis	✅ ▶️ View recording
✅	DeployK8sWithSqlServer	✅ ▶️ View recording
✅	DeployK8sWithValkey	✅ ▶️ View recording
✅	DeployTypeScriptAppToKubernetes	✅ ▶️ View recording
✅	DescribeCommandResolvesReplicaNames	✅ ▶️ View recording
✅	DescribeCommandShowsRunningResources	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJson	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance	✅ ▶️ View recording
✅	DoListStepsShowsPipelineSteps	✅ ▶️ View recording
✅	DocsCommand_RendersInteractiveMarkdownFromLocalSource	✅ ▶️ View recording
✅	DoctorCommand_DetectsDeprecatedAgentConfig	✅ ▶️ View recording
✅	DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain	✅ ▶️ View recording
✅	DoctorCommand_WithSslCertDir_ShowsTrusted	✅ ▶️ View recording
✅	DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	✅ ▶️ View recording
✅	GlobalMigration_HandlesCommentsAndTrailingCommas	✅ ▶️ View recording
✅	GlobalMigration_HandlesMalformedLegacyJson	✅ ▶️ View recording
✅	GlobalMigration_PreservesAllValueTypes	✅ ▶️ View recording
✅	GlobalMigration_SkipsWhenNewConfigExists	✅ ▶️ View recording
✅	GlobalSettings_MigratedFromLegacyFormat	✅ ▶️ View recording
✅	InitTypeScriptAppHost_AugmentsExistingViteRepoAtRoot	✅ ▶️ View recording
✅	InteractiveCSharpInitCreatesExpectedFiles	✅ ▶️ View recording
✅	InvalidAppHostPathWithComments_IsHealedOnRun	✅ ▶️ View recording
✅	JavaScriptHostingApisRunFromTypeScriptAppHost	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelAppHost	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelTypeScriptAppHost	✅ ▶️ View recording
✅	LegacySettingsMigration_AdjustsRelativeAppHostPath	✅ ▶️ View recording
✅	LogLevelTrace_ProducesTraceEntriesInCliLogFile	✅ ▶️ View recording
✅	LogsCommandShowsResourceLogs	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterApp	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterAppIsolated	✅ ▶️ View recording
✅	PsCommandListsRunningAppHost	✅ ▶️ View recording
✅	PsFormatJsonOutputsOnlyJsonToStdout	✅ ▶️ View recording
✅	PublishWithConfigureEnvFileUpdatesEnvOutput	✅ ▶️ View recording
✅	PublishWithDockerComposeServiceCallbackSucceeds	✅ ▶️ View recording
✅	PublishWithoutOutputPathUsesAppHostDirectoryDefault	✅ ▶️ View recording
✅	ResourceCommand_FailedExecution_DisplaysAppHostLogPathAndLogContainsEntries	✅ ▶️ View recording
✅	ResourceCommand_FailsWhenInteractionServiceIsRequired	✅ ▶️ View recording
✅	ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles_WithConfiguredToolchain	✅ ▶️ View recording
✅	RestoreRefreshesGeneratedSdkAfterAddingIntegration	✅ ▶️ View recording
✅	RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes	✅ ▶️ View recording
✅	RunFromParentDirectory_UsesExistingConfigNearAppHost	✅ ▶️ View recording
❔	RunPublishFailureScenarioAsync	❔ ▶️ View recording
✅	RunReportsSyntaxErrorsForDotNetAppHost	✅ ▶️ View recording
✅	RunReportsSyntaxErrorsForTypeScriptAppHost	✅ ▶️ View recording
✅	SecretCrudOnDotNetAppHost	✅ ▶️ View recording
✅	SecretCrudOnTypeScriptAppHost	✅ ▶️ View recording
✅	StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels	✅ ▶️ View recording
✅	StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets	✅ ▶️ View recording
✅	StartReportsSyntaxErrorsForDotNetAppHost	✅ ▶️ View recording
✅	StartReportsSyntaxErrorsForTypeScriptAppHost	✅ ▶️ View recording
✅	StopAllAppHostsFromAppHostDirectory	✅ ▶️ View recording
✅	StopJavaPolyglotAppHostUsingApphostDirectory	✅ ▶️ View recording
✅	StopNonInteractiveSingleAppHost	✅ ▶️ View recording
✅	StopTypeScriptPolyglotAppHostUsingApphostDirectory	✅ ▶️ View recording
✅	StopWithNoRunningAppHostExitsSuccessfully	✅ ▶️ View recording
✅	UnAwaitedChainsCompileWithAutoResolvePromises	✅ ▶️ View recording
✅	UpdateProjectChannelToStable_TypeScript_PicksUpStablePackages	✅ ▶️ View recording

---

_{📹 Recordings uploaded automatically from CI run #26170085920}