feat: update to avoid brace-expansion issue #20205
MaitreGEEK wants to merge 1 commit into getsentry:master from
@sentry/node › @fastify/otel › minimatch › brace-expansion moderate: brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
This PR has been automatically closed. The referenced issue does not show a discussion between you and a maintainer. To avoid wasted effort on both sides, please discuss your proposed approach in the issue first and wait for a maintainer to respond before opening a PR. Please review our contributing guidelines for more details.
Semver Impact of This PR: 🟡 Minor (new features)
📋 Changelog Preview
This is how your changes will appear in the changelog.
New Features ✨
🤖 This preview updates automatically when you update the PR.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 53ef9de. Configure here.
| "@opentelemetry/semantic-conventions": "^1.40.0", | ||
| "@prisma/instrumentation": "7.6.0", | ||
| "@fastify/otel": "0.18.0", | ||
| "@fastify/otel": "0.18.1", |
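Review bot: the bump of `"@fastify/otel"` to an exact `0.18.1` pin in package.json needs `yarn.lock` regenerated in the same commit; with only the manifest changed, `yarn install --frozen-lockfile` fails and the resolved transitive `brace-expansion` stays on the version flagged in GHSA-f886-m6hf-6m8v, so the advisory is not actually closed. After regenerating the lockfile, confirm that the new release really resolves to a patched `minimatch`/`brace-expansion` (e.g. `yarn why brace-expansion`), since the PR body does not show that. Also consider a `fix:` rather than `feat:` prefix: a security dependency bump is not a feature, and the changelog preview above files it under "New Features".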
yarn.lock not updated for dependency version bump
High Severity
The package.json bumps @fastify/otel to 0.18.1 (exact pin, no ^/~), but the yarn.lock still resolves @fastify/otel@0.18.0. This inconsistency means yarn install --frozen-lockfile (common in CI) will fail, and the intended security fix for the brace-expansion vulnerability won't actually take effect since the lockfile still pins the old version with the vulnerable transitive dependency. The yarn.lock needs to be regenerated to include the new version.
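The manifest/lockfile drift described in the review above can be caught in CI before `--frozen-lockfile` fails. This is an added checker, not code from this PR or the Sentry repository; it parses yarn.lock v1 entry headers (`"name@range":` followed by an indented `version "…"` line) and the package.json sample below is constructed to mirror this PR (pin bumped to 0.18.1, lockfile still on 0.18.0).

```python
import json
import re

# Constructed sample inputs modelled on this PR: package.json pins 0.18.1,
# while the stale yarn.lock only knows the 0.18.0 entry.
PACKAGE_JSON = json.dumps({"dependencies": {
    "@fastify/otel": "0.18.1",
    "@opentelemetry/semantic-conventions": "^1.40.0",
}})

YARN_LOCK = '''
"@fastify/otel@0.18.0":
  version "0.18.0"
  resolved "https://registry.example/@fastify/otel/-/otel-0.18.0.tgz"
  dependencies:
    minimatch "^9.0.0"

"@opentelemetry/semantic-conventions@^1.40.0":
  version "1.40.0"
  resolved "https://registry.example/@opentelemetry/semantic-conventions/-/semantic-conventions-1.40.0.tgz"
'''

def lockfile_keys(lock_text):
    """Map every 'name@range' key of a yarn.lock v1 entry to its resolved version."""
    keys, current = {}, []
    for line in lock_text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            # Entry header; several specs may share one entry, comma-separated.
            current = [k.strip().strip('"') for k in line[:-1].split(",")]
            continue
        m = re.match(r'^\s+version "([^"]+)"$', line)
        if m:
            for k in current:
                keys[k] = m.group(1)
    return keys

def lockfile_drift(package_json_text, lock_text):
    """Return {name: (declared_range, stale_locked_version_or_None)} for each
    declared dependency whose range has no matching yarn.lock entry."""
    pkg = json.loads(package_json_text)
    declared = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(pkg.get(section, {}))
    keys = lockfile_keys(lock_text)
    drift = {}
    for name, rng in declared.items():
        if f"{name}@{rng}" in keys:
            continue  # lockfile already covers this exact spec
        stale = [v for k, v in keys.items() if k.rsplit("@", 1)[0] == name]
        drift[name] = (rng, stale[0] if stale else None)
    return drift
```

An empty result means every declared spec is covered; anything else is the situation Bugbot flagged and should fail the CI job before install.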
Before submitting a pull request, please take a look at our Contributing guidelines and verify: (yarn lint) & (yarn test).
Closes #20204