fix(deps): upgrade OpenTelemetry and nyc to resolve audit vulns, drop protobufjs overrides#1508
Merged
JacksonWeber merged 2 commits on Jun 24, 2026
Conversation
… protobufjs overrides

- Bump @azure/monitor-opentelemetry to ^1.18.1 and OTel 0.x exporters/sdk to ^0.218.0. otlp-transformer@0.218 no longer pulls protobufjs, so the only protobufjs left is the safe 7.x line via @grpc/proto-loader. Resolves the high-severity protobufjs advisories without overrides.
- Remove the @opentelemetry/otlp-transformer and @grpc/proto-loader protobufjs overrides.
- Bump nyc to ^18.0.0, which resolves the @babel/core and uuid (dev) advisories via patched istanbul-lib-instrument and istanbul-lib-processinfo.
- Keep the mocha -> serialize-javascript override: it is the only fix for a high-severity advisory since no mocha release ships a patched serialize-javascript (dev-only).

Remaining audit findings are upstream-gated (@opentelemetry/core <2.8.0, pending the Azure Monitor distro) or dev-only with no patched release (js-yaml via nyc).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates dependency versions to address npm audit findings by upgrading the Azure Monitor OpenTelemetry distro and OpenTelemetry 0.x packages, upgrading nyc, and removing now-unneeded protobufjs overrides.
Changes:

- Bump @azure/monitor-opentelemetry to ^1.18.1 and related OpenTelemetry 0.x deps to ^0.218.0.
- Upgrade nyc to ^18.0.0 to pick up patched transitive dependencies.
- Remove protobufjs overrides for @opentelemetry/otlp-transformer / @grpc/proto-loader from package.json and refresh the lockfile accordingly.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates direct dependency versions and removes protobufjs overrides while keeping the remaining mocha -> serialize-javascript override. |
| package-lock.json | Updates the resolved dependency graph to reflect the new versions and removed overrides. |
The perf harness installs the candidate applicationinsights, which pulls @opentelemetry/instrumentation-pg -> @types/pg -> pg-protocol@1.14.0 whose .d.ts uses a generic Buffer<...>. With the harness's @types/node@18 (non-generic Buffer), tsc failed with TS2315. Enable skipLibCheck (matching the root tsconfig) so type-checking of third-party .d.ts files no longer breaks the perf build. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
hectorhdzg approved these changes, Jun 24, 2026
Summary
Resolves npm audit vulnerabilities by upgrading to safe packages directly and removing the protobufjs overrides. Vulnerability count dropped from 35 (1 high, 33 moderate, 1 low) to 31 (all moderate).
Changes
- Bump @azure/monitor-opentelemetry to ^1.18.1 and the OpenTelemetry 0.x exporters/sdk deps to ^0.218.0. @opentelemetry/otlp-transformer@0.218 no longer depends on protobufjs, so the only protobufjs left in the tree is the safe 7.x line (via @grpc/proto-loader). This resolves the high-severity protobufjs advisories without any override.
- Remove the @opentelemetry/otlp-transformer and @grpc/proto-loader -> protobufjs overrides.
- Bump nyc to ^18.0.0, which resolves the @babel/core and uuid (dev) advisories via patched istanbul-lib-instrument and istanbul-lib-processinfo.

Resolved without overrides

| Advisory | Resolution |
|---|---|
| protobufjs | @opentelemetry/otlp-transformer 0.218 upgrade (only protobufjs@7.6.4 remains) |
| @babel/core | nyc@18 patched transitive |
| uuid | nyc@18 -> istanbul-lib-processinfo@3.0.1 |

Validation

- npm run build ✅
- npm run test:unit ✅ 247 passing, 0 failing
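Added example, not code from this PR or from the applicationinsights repository: a script that checks the kind of claim made above ("only protobufjs@7.6.4 remains") directly from a lockfileVersion 2/3 package-lock.json. It lists every installed copy of a package and emulates Node's node_modules lookup to see which copy each dependent actually resolves to, which is what matters once an override is removed: a stale nested copy under a dependent's own node_modules is exactly what `npm audit` would flag again. The sample lock, its version numbers and the `legacy-exporter` package are constructed for illustration and are not from the real lockfile.

```javascript
// Added example (not the project's code): find every installed copy of a
// transitive package in package-lock.json (lockfileVersion 2/3, "packages"
// map keyed by node_modules path) and check which copy each dependent gets.

// Constructed sample lockfile: one hoisted protobufjs 7.x reached by
// @grpc/proto-loader, plus a stale nested 6.x copy under a hypothetical
// "legacy-exporter" package so the check has something to flag.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@grpc/proto-loader": "^0.7.0", "legacy-exporter": "^1.0.0" } },
    "node_modules/@grpc/proto-loader": { version: "0.7.13", dependencies: { protobufjs: "^7.2.5" } },
    "node_modules/protobufjs": { version: "7.6.4" },
    "node_modules/legacy-exporter": { version: "1.0.0", dependencies: { protobufjs: "^6.11.0" } },
    "node_modules/legacy-exporter/node_modules/protobufjs": { version: "6.11.3" },
  },
};

// Package name installed at a lockfile path:
// "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameAt(path) {
  return path.split("node_modules/").pop();
}

// Every installed copy of `pkg`, wherever it sits in the tree.
function installedCopies(lock, pkg) {
  return Object.entries(lock.packages)
    .filter(([path]) => path !== "" && nameAt(path) === pkg)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Emulate Node's resolution: look for node_modules/<pkg> beside `fromPath`,
// then in each ancestor directory, ending at the project root.
function resolveFrom(lock, fromPath, pkg) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir === "" ? `node_modules/${pkg}` : `${dir}/node_modules/${pkg}`;
    if (lock.packages[candidate]) {
      return { path: candidate, version: lock.packages[candidate].version };
    }
    if (dir === "") return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Who declares `pkg` as a dependency, and which copy each of them resolves to.
function dependents(lock, pkg) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const declared = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    if (!(pkg in declared)) continue;
    const resolved = resolveFrom(lock, path, pkg);
    out.push({
      dependent: path === "" ? "(root)" : nameAt(path),
      range: declared[pkg],
      resolved: resolved ? resolved.version : null,
    });
  }
  return out;
}

// Audit: every dependent of `pkg` must resolve to a copy on `allowedMajor`.
// Returns the offending dependents so the report says who pulls in the old line.
function checkMajor(lock, pkg, allowedMajor) {
  const offenders = dependents(lock, pkg).filter(
    (d) => d.resolved === null || Number(d.resolved.split(".")[0]) !== allowedMajor
  );
  return { ok: offenders.length === 0, offenders };
}

// Stand-alone usage: `node check-copies.js [package-lock.json] [package]`.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const pkg = process.argv[3] || "protobufjs";
  console.log(JSON.stringify({ copies: installedCopies(lock, pkg), ...checkMajor(lock, pkg, 7) }, null, 2));
}
```

On the constructed sample the report names `legacy-exporter` as the dependent still resolving protobufjs 6.11.3; deleting that nested copy (what the upgrade in this PR does for otlp-transformer) makes every dependent fall through to the hoisted 7.6.4 and the check passes. Run it against the real lockfile with the path and package name as arguments.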