vulnerable transitive devDependency `js-yaml`

[ankitdn]

What happened?

While working on opentelemetry-js project, I discovered a security vulnerability (CVE-2025-64718) in the js-yaml package. Versions 4.1.0 and below are affected by a prototype pollution issue that allows attackers to modify the object prototype through crafted YAML input. This can lead to unexpected or unsafe application behavior.

CVE Link
CVE Report

OpenTelemetry Setup Code

package.json

Relevant log output

Operating System and Version

No response

Runtime and Version

No response

Tip

_{React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it. Learn more here.}

[cjihrig]

I discovered a security vulnerability

If you feel like you have found a security related issue, it's generally considered irresponsible to report it on a public issue tracker. See the security policy in the README.

In this case, it looks like the problematic version comes from dependencies. Have you verified if the OpenTelemetry project is actually vulnerable?

[pichlermarc]

Hi @ankitdn thanks for reaching out - I've looked into this.

This dependency is not pulled in by any of our published artifacts. Further we don't parse any untrusted yaml (An exception to this is @opentelemetry/configuration which is in-development and not available to end-users yet. It also uses a different yaml library so we should be okay on that front)

As @cjihrig already said, in the future please use the security tab for reporting any vulnerabilities 🙂

[pichlermarc]

Updated everything execpt the transitive dependency through lerna. We'll have to wait for lerna to publish a new version.