From 53fec2968a2a7c96f32ea9a69fbef7bf7473d832 Mon Sep 17 00:00:00 2001
From: Jackson Weber <jacksonweber@microsoft.com>
Date: Mon, 15 Jun 2026 10:21:20 -0700
Subject: [PATCH] Block preview/dev/alpha prereleases of
 @azure/monitor-opentelemetry-exporter

The `^1.0.0-beta.41` caret range previously specified for
`@azure/monitor-opentelemetry-exporter` is permissive enough under semver
that `npm install` (with no lockfile) can resolve it to
`@azure/monitor-opentelemetry-exporter@1.0.0-preview.6` -- the prerelease
identifier `preview` sorts higher than `beta` lexicographically, so
`maxSatisfying` picks it as the "best" match.

`1.0.0-preview.6` (published October 2020) still exists on npm and pulls
in the deprecated `@azure/core-http@1.2.6` -> `uuid@^8.3.0` chain, plus
the legacy `@opentelemetry/tracing@0.10.2` -> `@opentelemetry/resources@0.10.2`
-> `gcp-metadata@3.5.0` -> `json-bigint@0.3.1` chain. These transitives
re-introduce CVE-2020-8237 (json-bigint) and the GHSA-w5hq-g745-h8pq
uuid advisory that have been the subject of recent issue reports
(#1501, #1502). Today we are protected only because
`@azure/monitor-opentelemetry@1.18.0` happens to pin the exporter to an
exact version transitively, but that is fragile and would not hold for a
lockfile-less consumer install.

Replace the caret with an explicit two-clause range that:

  - allows the current `1.0.0-beta.41` and any future `1.0.0-beta.*` (the
    `b` in `beta` is alphabetically less than `c`); and
  - allows future stable `1.x.x` releases via the `|| ^1.0.0` clause; but
  - rejects `1.0.0-preview.*`, `1.0.0-dev.*`, and `1.0.0-alpha.*` because
    their prerelease identifiers sort >= `c`.

The resolved version in `package-lock.json` is unchanged
(`1.0.0-beta.41`), so the runtime tree is identical. All 247 unit tests
pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 package-lock.json | 2 +-
 package.json      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 74e05cb95..c31d7bada 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,7 +13,7 @@
         "@azure/functions": "^4.11.2",
         "@azure/identity": "^4.13.1",
         "@azure/monitor-opentelemetry": "^1.18.0",
-        "@azure/monitor-opentelemetry-exporter": "^1.0.0-beta.41",
+        "@azure/monitor-opentelemetry-exporter": ">=1.0.0-beta.41 <1.0.0-c || ^1.0.0",
         "@azure/opentelemetry-instrumentation-azure-sdk": "^1.0.0-beta.7",
         "@opentelemetry/api": "^1.9.0",
         "@opentelemetry/api-logs": "^0.217.0",
diff --git a/package.json b/package.json
index 02ec52080..bc2a58f21 100644
--- a/package.json
+++ b/package.json
@@ -68,7 +68,7 @@
     "@azure/functions": "^4.11.2",
     "@azure/identity": "^4.13.1",
     "@azure/monitor-opentelemetry": "^1.18.0",
-    "@azure/monitor-opentelemetry-exporter": "^1.0.0-beta.41",
+    "@azure/monitor-opentelemetry-exporter": ">=1.0.0-beta.41 <1.0.0-c || ^1.0.0",
     "@azure/opentelemetry-instrumentation-azure-sdk": "^1.0.0-beta.7",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/api-logs": "^0.217.0",