fix(deps): force @opentelemetry/core >=2.8.0 (CVE-2026-54285)

[JohnMcLear]

Resolves Dependabot alert #205 — GHSA-8988-4f7v-96qf / CVE-2026-54285 (medium, CVSS 5.3).

The vulnerability

W3CBaggagePropagator.extract() in @opentelemetry/core < 2.8.0 does not enforce the W3C Baggage size limits (8,192 bytes / 180 entries) on inbound baggage headers — limits were only applied on inject(). Parsing oversized baggage allocates memory proportional to the header size with no cap (CWE-770). Fixed in 2.8.0.

Dependency chain (transitive, runtime)

src/package.json -> @elastic/elasticsearch@^9.4.2
                 -> @elastic/transport@9.3.6
                 -> @opentelemetry/core@2.7.1   <- vulnerable

Practical reachability in Etherpad: low

• @elastic/elasticsearch is only exercised by the optional Elasticsearch ueberdb backend.
• The vulnerable path is extract() on inbound baggage headers; Etherpad's ES client makes outbound requests to a trusted, operator-configured ES server — there is no attacker-controlled inbound baggage reaching the propagator.
• Node's default --max-http-header-size (16 KB) independently caps the vector; the advisory itself rates availability impact as "limited".

Still worth patching to clear the alert and harden non-HTTP/raised-limit deployments.

The fix

@elastic/transport@9.3.6 declares its dep as @opentelemetry/core: 2.x, so 2.8.0 satisfies the existing range — no parent bump needed. 2.8.0's peer range (@opentelemetry/api >=1.0.0 <1.10.0) is satisfied by the 1.9.1 already in the tree.

Added a >=2.8.0 override to pnpm-workspace.yaml alongside the other CVE force-bumps (pnpm 11 no longer reads root package.json pnpm.overrides). Lockfile diff is surgical: only the override line and the 2.7.1 -> 2.8.0 resolution.

🤖 Generated with Claude Code

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

[qodo-free-for-open-source-projects]

PR Summary by Qodo

Fix CVE-2026-54285 by forcing @opentelemetry/core >= 2.8.0 via pnpm override
🐞 Bug fix ⚙️ Configuration changes 🕐 10-20 Minutes

Walkthroughs

Description

• Add pnpm override to enforce @opentelemetry/core >=2.8.0 and clear CVE-2026-54285 alert.
• Update lockfile resolution from @opentelemetry/core 2.7.1 to 2.8.0 under @elastic/transport.

Diagram

graph TD
  A["Etherpad repo"] --> B["pnpm-workspace.yaml"] --> C["pnpm overrides"] --> D["@opentelemetry/core"]
  A --> E["pnpm-lock.yaml"] --> D

Loading

High-Level Assessment

The following are alternative approaches to this PR:

1. Bump the parent dependency (e.g., @elastic/transport/@elastic/elasticsearch)

• ➕ Keeps dependency selection within upstream-managed ranges without overrides
• ➕ May pull in additional upstream fixes and metadata updates
• ➖ Potentially larger upgrade surface area and behavioral changes
• ➖ May be blocked by compatibility constraints elsewhere in the tree

2. Use root package.json pnpm.overrides (if supported)

• ➕ Centralizes overrides in a familiar manifest file
• ➖ Not effective in pnpm 11 setups that ignore root pnpm.overrides (as noted in repo comments)
• ➖ Can create confusion if the override is not actually applied

3. Patch-package / vendor a fix

• ➕ Precise control over the exact patched code path
• ➖ Higher maintenance burden than upgrading
• ➖ Easy to drift from upstream; unsuitable when a fixed release exists

Recommendation: The current approach (workspace-level pnpm override to force @opentelemetry/core >=2.8.0) is the best fit: it’s minimally invasive, aligns with the existing semver range (2.x), and matches the repo’s documented pnpm 11 behavior. Prefer an upstream parent bump only if future constraints require removing overrides or if additional upstream fixes are needed.

File Changes

Other (2)

pnpm-lock.yaml Resolve @opentelemetry/core to 2.8.0 via override +5/-4

Resolve @opentelemetry/core to 2.8.0 via override

• Adds an override entry for @opentelemetry/core <2.8.0 and updates the locked package/snapshot resolutions from 2.7.1 to 2.8.0. This ensures the transitive dependency pulled via @elastic/transport resolves to the non-vulnerable version.

pnpm-lock.yaml

---

pnpm-workspace.yaml Add workspace override forcing @opentelemetry/core >=2.8.0 +1/-0

Add workspace override forcing @opentelemetry/core >=2.8.0

• Introduces a pnpm workspace-level override for @opentelemetry/core to enforce >=2.8.0 across the workspace. This aligns with the existing pattern of CVE-related force-bumps maintained in this file.

pnpm-workspace.yaml

---