chore(deps): bump actions/create-github-app-token from 2 to 3 by dependabot[bot] · Pull Request #32 · traceloop/opentelemetry-mcp-server

dependabot · 2026-03-16T06:21:35Z

Bumps actions/create-github-app-token from 2 to 3.

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

feat!: node 24 support (#275) (2e564a0)

fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

deps: bump @actions/core from 1.11.1 to 3.0.0 (#337) (b044133)

deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)

deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)

deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

deps: bump @octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)

deps: bump @octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)

deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)

deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits

f8d387b build(release): 3.0.0 [skip ci]
d2129bd style: remove extra blank line in release workflow
77b94ef build: refresh generated artifacts
3ab4c66 chore: move undici to devDependencies
739cf66 docs: update README action versions
db40289 build(deps): bump actions versions in test.yml
496a7ac test: migrate from AVA to Node.js native test runner (#346)
3870dc3 Rename end-to-end proxy job in test workflow
4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
dce0ab0 fix: remove custom proxy handling (#143)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2 to 3. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@v2...v3) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-03-16T06:21:36Z

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

CLAassistant · 2026-03-16T06:21:45Z

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

github-actions · 2026-03-16T06:23:15Z

Container Security Scan (opentelemetry-mcp-server-amd64)

Click to expand results


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


opentelemetry-mcp-server:3a7c55fb5e5e57d18e541899c0b3157f2df3713c-amd64 (debian 13.4)
=====================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼───────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2026-0861 │ HIGH     │ affected │ 2.41-12+deb13u2   │               │ glibc: Integer overflow in memalign leads to heap corruption │
│          │               │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-0861                    │
├──────────┤               │          │          │                   ├───────────────┤                                                              │
│ libc6    │               │          │          │                   │               │                                                              │
│          │               │          │          │                   │               │                                                              │
└──────────┴───────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Python (python-pkg)
===================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ Authlib (METADATA) │ CVE-2026-28802 │ HIGH     │ fixed  │ 1.6.6             │ 1.6.7         │ authlib: Authlib: Signature verification bypass via        │
│                    │                │          │        │                   │               │ malicious JWT allows unauthorized access                   │
│                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-28802                 │
├────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ PyJWT (METADATA)   │ CVE-2026-32597 │          │        │ 2.10.1            │ 2.12.0        │ pyjwt: PyJWT accepts unknown `crit` header extensions (RFC │
│                    │                │          │        │                   │               │ 7515 §4.1.11 MUST violation)...                            │
│                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-32597                 │
└────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

github-actions · 2026-03-16T06:24:26Z

Container Security Scan (opentelemetry-mcp-server-arm64)

Click to expand results


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


opentelemetry-mcp-server:3a7c55fb5e5e57d18e541899c0b3157f2df3713c-arm64 (debian 13.4)
=====================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼───────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2026-0861 │ HIGH     │ affected │ 2.41-12+deb13u2   │               │ glibc: Integer overflow in memalign leads to heap corruption │
│          │               │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-0861                    │
├──────────┤               │          │          │                   ├───────────────┤                                                              │
│ libc6    │               │          │          │                   │               │                                                              │
│          │               │          │          │                   │               │                                                              │
└──────────┴───────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Python (python-pkg)
===================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ Authlib (METADATA) │ CVE-2026-28802 │ HIGH     │ fixed  │ 1.6.6             │ 1.6.7         │ authlib: Authlib: Signature verification bypass via        │
│                    │                │          │        │                   │               │ malicious JWT allows unauthorized access                   │
│                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-28802                 │
├────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ PyJWT (METADATA)   │ CVE-2026-32597 │          │        │ 2.10.1            │ 2.12.0        │ pyjwt: PyJWT accepts unknown `crit` header extensions (RFC │
│                    │                │          │        │                   │               │ 7515 §4.1.11 MUST violation)...                            │
│                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-32597                 │
└────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump actions/create-github-app-token from 2 to 3#32

chore(deps): bump actions/create-github-app-token from 2 to 3#32
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions/create-github-app-token-3

dependabot Bot commented on behalf of github Mar 16, 2026

Uh oh!

dependabot Bot commented on behalf of github Mar 16, 2026

Uh oh!

CLAassistant commented Mar 16, 2026

Uh oh!

github-actions Bot commented Mar 16, 2026

Uh oh!

github-actions Bot commented Mar 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Mar 16, 2026

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

BREAKING CHANGES

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

BREAKING CHANGES

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

Uh oh!

dependabot Bot commented on behalf of github Mar 16, 2026

Labels

Uh oh!

CLAassistant commented Mar 16, 2026

Uh oh!

github-actions Bot commented Mar 16, 2026

Container Security Scan (opentelemetry-mcp-server-amd64)

Uh oh!

github-actions Bot commented Mar 16, 2026

Container Security Scan (opentelemetry-mcp-server-arm64)

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant