
Commit 014cfde

veksenclaude
andcommitted
fix(nodejs): raise @opentelemetry/core peer floor to >=2.8.0 (GHSA-8988-4f7v-96qf)
The `>=1.0.0` peer range let downstream consumers resolve a vulnerable @opentelemetry/core (<2.8.0 — unbounded memory allocation in W3C Baggage propagation, GHSA-8988-4f7v-96qf), surfacing as a moderate `npm audit` finding in projects that depend on these packages. The advisory has no 1.x backport — 2.8.0 is the only fixed line — so the peer floor is raised to `>=2.8.0`. All three packages import W3CTraceContextPropagator from @opentelemetry/core, which is unchanged and compatible in 2.8.0; builds and the drizzle pglite integration test pass against the patched version.

Bumps:
- @query-doctor/sqlcommenter-drizzle 0.2.0 -> 0.3.0
- @query-doctor/sqlcommenter-mikroorm 0.1.0 -> 0.2.0
- @query-doctor/sqlcommenter-typeorm 0.1.0 -> 0.2.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 2458ab4 commit 014cfde

6 files changed

Lines changed: 24 additions & 24 deletions


nodejs/sqlcommenter-nodejs/packages/sqlcommenter-drizzle/package-lock.json

Lines changed: 6 additions & 6 deletions

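--- a/nodejs/sqlcommenter-nodejs/packages/sqlcommenter-drizzle/package.json
+++ b/nodejs/sqlcommenter-nodejs/packages/sqlcommenter-drizzle/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@query-doctor/sqlcommenter-drizzle",
-"version": "0.2.0",
+"version": "0.3.0",
 "description": "SQLCommenter patch for drizzle-orm",
 "main": "dist/cjs/index.js",
 "type": "module",
@@ -43,7 +43,7 @@
 "@opentelemetry/api": "~1.9.0"
 },
 "peerDependencies": {
-"@opentelemetry/core": ">=1.0.0",
+"@opentelemetry/core": ">=2.8.0",
 "drizzle-orm": ">=0.35.0"
 },
 "engines": {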
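Review bot: The new peer floor `">=2.8.0"` on @opentelemetry/core has no upper bound, so a future core 3.x with a changed W3CTraceContextPropagator API would still satisfy the range even though the packages were only verified against 2.8.0; a caret range, `"@opentelemetry/core": "^2.8.0",`, keeps the GHSA-8988-4f7v-96qf fix as the minimum while stopping at the major that was tested. The same applies to the sqlcommenter-mikroorm and sqlcommenter-typeorm package.json sections below. Moving the floor past 1.x is a breaking change for consumers still on core 1.x, which deserves a changelog or README note since only the minor component of the 0.x versions was bumped. The package-lock.json changes are not rendered on this page, so whether the resolved dev/test copy of @opentelemetry/core also moved to 2.8.0 cannot be confirmed from here.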

nodejs/sqlcommenter-nodejs/packages/sqlcommenter-mikroorm/package-lock.json

Lines changed: 6 additions & 6 deletions

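--- a/nodejs/sqlcommenter-nodejs/packages/sqlcommenter-mikroorm/package.json
+++ b/nodejs/sqlcommenter-nodejs/packages/sqlcommenter-mikroorm/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@query-doctor/sqlcommenter-mikroorm",
-"version": "0.1.0",
+"version": "0.2.0",
 "description": "SQLCommenter patch for MikroORM",
 "main": "dist/cjs/index.js",
 "type": "module",
@@ -42,7 +42,7 @@
 },
 "peerDependencies": {
 "@mikro-orm/core": ">=6.4.0",
-"@opentelemetry/core": ">=1.0.0"
+"@opentelemetry/core": ">=2.8.0"
 },
 "engines": {
 "node": ">=20.0.0"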

nodejs/sqlcommenter-nodejs/packages/sqlcommenter-typeorm/package-lock.json

Lines changed: 6 additions & 6 deletions

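--- a/nodejs/sqlcommenter-nodejs/packages/sqlcommenter-typeorm/package.json
+++ b/nodejs/sqlcommenter-nodejs/packages/sqlcommenter-typeorm/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@query-doctor/sqlcommenter-typeorm",
-"version": "0.1.0",
+"version": "0.2.0",
 "description": "SQLCommenter patch for TypeORM",
 "main": "dist/cjs/index.js",
 "type": "module",
@@ -42,7 +42,7 @@
 "@opentelemetry/api": "~1.9.0"
 },
 "peerDependencies": {
-"@opentelemetry/core": ">=1.0.0",
+"@opentelemetry/core": ">=2.8.0",
 "typeorm": ">=0.3.0"
 },
 "engines": {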
