Is your feature request related to a problem? Please describe.
Yes. In our project, trigger.dev@4.4.6 resolves a dependency chain that includes vulnerable protobufjs:
trigger.dev@4.4.6 → @trigger.dev/core@4.4.6 → @opentelemetry/exporter-logs-otlp-http@0.203.0 / @opentelemetry/exporter-trace-otlp-http@0.203.0 → @opentelemetry/otlp-transformer@0.203.0 → protobufjs@7.5.5
Upstream, @opentelemetry/otlp-transformer@0.203.0 still declares protobufjs@^7.3.0, which allows this vulnerable resolution. OpenTelemetry addressed this starting in @opentelemetry/otlp-transformer@0.209.0, which depends on protobufjs@8.0.0.
Describe the solution you'd like to see
Please bump Trigger.dev’s OpenTelemetry OTLP dependencies (e.g. @opentelemetry/exporter-logs-otlp-http and @opentelemetry/exporter-trace-otlp-http in @trigger.dev/core) from 0.203.0 to at least 0.209.0, so downstream installs resolve @opentelemetry/otlp-transformer@0.209.0+ and protobufjs >= 7.5.6.
Describe alternate solutions
N/A
Additional information
Related packages in our repo on the same Trigger.dev line:
trigger.dev@4.4.6, @trigger.dev/sdk@4.4.6, @trigger.dev/build@4.4.6.
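One way to confirm whether a repo still resolves the chain above after a bump: scan the lockfile for every installed copy of protobufjs below the 7.5.6 floor named in this request. This is an added example, not code from the issue or from Trigger.dev; it assumes an npm lockfileVersion 2/3 "packages" map, and the sample lockfile is constructed from the versions quoted in the issue.

```javascript
// Added example: find installed copies of a package below a minimum version
// by walking the "packages" map of an npm package-lock.json (v2/v3 format).

function parseVersion(v) {
  // Compare numeric major.minor.patch only; prerelease/build suffixes are dropped.
  const core = v.split(/[-+]/)[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

function versionLt(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Returns [{ path, version }] for every entry whose node_modules path ends in
// `pkg` (top-level or nested) and whose version is below `minVersion`.
function findVulnerableResolutions(lock, pkg, minVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // root entry carries no version
    if (path.endsWith(`node_modules/${pkg}`) && versionLt(entry.version, minVersion)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the chain reported in the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/trigger.dev': { version: '4.4.6' },
    'node_modules/@trigger.dev/core': { version: '4.4.6' },
    'node_modules/@opentelemetry/otlp-transformer': { version: '0.203.0' },
    'node_modules/protobufjs': { version: '7.5.5' },
    // A nested copy that already meets the floor, to show it is not reported.
    'node_modules/some-other-lib/node_modules/protobufjs': { version: '8.0.0' },
  },
};

console.log(findVulnerableResolutions(SAMPLE_LOCK, 'protobufjs', '7.5.6'));
```

To run it against a real repo, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the bump has not propagated to every nested copy.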