chore: update dependencies #2751

Open
DmitryAnansky wants to merge 2 commits into main from chore/update-dependencies-to-fix-potential-vulnerabilities

DmitryAnansky commented Apr 17, 2026

What/Why/How?

Update dependencies to avoid discovered vulnerabilities.

Reference

Closes: #2749

Testing

Screenshots (optional)

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

Note

Medium Risk
Dependency-only change but it updates the OpenTelemetry tracing stack used by packages/cli/src/utils/otel.ts, which could affect telemetry initialization/export behavior at runtime.

Overview
Resolves GHSA-xq3m-2v4x-88gg by bumping @redocly/cli patch via a new Changeset and updating OpenTelemetry dependencies.

Updates @opentelemetry/* versions used for CLI telemetry (notably exporter-trace-otlp-http, resources, sdk-trace-node, and semantic-conventions) and refreshes package-lock.json to reflect the new dependency tree.

Reviewed by Cursor Bugbot for commit 350ebb8.

changeset-bot bot commented Apr 17, 2026

🦋 Changeset detected

Latest commit: 350ebb8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

| Name | Type |
| --- | --- |
| @redocly/cli | Patch |
| @redocly/openapi-core | Patch |
| @redocly/respect-core | Patch |

github-actions bot commented Apr 17, 2026

Coverage Report

| Status | Category | Percentage | Covered / Total |
| --- | --- | --- | --- |
| 🔵 | Lines | 79.94% (🎯 79%) | 6732 / 8421 |
| 🔵 | Statements | 79.39% (🎯 79%) | 6975 / 8785 |
| 🔵 | Functions | 83.16% (🎯 82%) | 1368 / 1645 |
| 🔵 | Branches | 71.64% (🎯 71%) | 4583 / 6397 |

File Coverage: No changed files found.
Generated in workflow #9490 for commit 350ebb8 by the Vitest Coverage Report Action

github-actions bot commented Apr 17, 2026

| CLI Version | Mean Time ± Std Dev (s) | Relative Performance (Lower is Faster) |
| --- | --- | --- |
| cli-latest | 3.199s ± 0.061s | ▓ 1.02x |
| cli-next | 3.133s ± 0.016s | ▓ 1.00x (Fastest) |

DmitryAnansky requested a review from a team April 17, 2026 15:56
DmitryAnansky marked this pull request as ready for review April 17, 2026 16:05
DmitryAnansky requested review from a team as code owners April 17, 2026 16:05

Development

Successfully merging this pull request may close these issues.

Upgrade dependencies to address critical protobufjs vulnerability (GHSA-xq3m-2v4x-88gg)
