From c59fb681cb47c522600ab01f59c4f3727d455f6e Mon Sep 17 00:00:00 2001 From: John McLear Date: Tue, 16 Jun 2026 16:33:40 +0100 Subject: [PATCH] fix(deps): force @opentelemetry/core >=2.8.0 (CVE-2026-54285) Pin the transitive @opentelemetry/core dep (pulled in via @elastic/elasticsearch -> @elastic/transport) to >=2.8.0 to clear GHSA-8988-4f7v-96qf / CVE-2026-54285: W3CBaggagePropagator.extract() did not enforce W3C size limits on inbound baggage headers, allowing unbounded memory allocation. @elastic/transport declares the dep as "2.x" so 2.8.0 satisfies the existing range with no parent bump, and 2.8.0's @opentelemetry/api peer range (>=1.0.0 <1.10.0) is satisfied by the 1.9.1 already in the tree. Override added to pnpm-workspace.yaml alongside the other CVE force-bumps (pnpm 11 ignores root package.json pnpm.overrides). Co-Authored-By: Claude Opus 4.8 (1M context)
---
 pnpm-lock.yaml | 9 +++++----
 pnpm-workspace.yaml | 1 +
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 618cfc05424..999457d786b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,6 +6,7 @@ settings:
   overrides:
     '@babel/core@<7.29.6': '>=7.29.6'
+    '@opentelemetry/core@<2.8.0': '>=2.8.0'
     basic-ftp@<5.3.1: '>=5.3.1 <6.0.0'
     brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3'
     diff@>=6.0.0 <8.0.3: '>=8.0.3'
@@ -1143,8 +1144,8 @@ packages:
     resolution: {integrity: sha512-gLyJlPHPZYdAk1JENA9LeHejZe1Ti77/pTeFm/nMXmQH/HFZlcS/O2XJB+L8fkbrNSqhdtlvjBVjxwUYanNH5Q==}
     engines: {node: '>=8.0.0'}
-  '@opentelemetry/core@2.7.1':
-    resolution: {integrity: sha512-QAqIj32AtK6+pEVNG7EOVxHdE06RP+FM5qpiEJ4RtDcFIqKUZHYhl7/7UY5efhwmwNAg7j8QbJVBLxMerc0+gw==}
+  '@opentelemetry/core@2.8.0':
+    resolution: {integrity: sha512-hd1Lfh8p545nNz+jq1Ejfz+Mn1hyLuxYn1YzTfFNrxr8urEWMNQLPf1Th8kjOH+HxwawCrtgBp8JpBUR4ZSgww==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
@@ -6239,7 +6240,7 @@ snapshots:
   '@elastic/transport@9.3.6':
     dependencies:
       '@opentelemetry/api': 1.9.1
-      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/core': 2.8.0(@opentelemetry/api@1.9.1)
       debug: 4.4.3(supports-color@8.1.1)
       hpagent: 1.2.0
       ms: 2.1.3
@@ -6540,7 +6541,7 @@ snapshots:
   '@opentelemetry/api@1.9.1': {}
-  '@opentelemetry/core@2.7.1(@opentelemetry/api@1.9.1)':
+  '@opentelemetry/core@2.8.0(@opentelemetry/api@1.9.1)':
     dependencies:
       '@opentelemetry/api': 1.9.1
       '@opentelemetry/semantic-conventions': 1.41.1
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 0fdd602821f..3e6b40fbf0d 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -22,6 +22,7 @@ strictDepBuilds: false
 # is no longer read). Force-bump transitive deps with known CVEs.
 overrides:
   '@babel/core@<7.29.6': '>=7.29.6'
+  '@opentelemetry/core@<2.8.0': '>=2.8.0'
   basic-ftp@<5.3.1: '>=5.3.1 <6.0.0'
   brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3'
   diff@>=6.0.0 <8.0.3: '>=8.0.3'
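Review bot: The new `@opentelemetry/core` override in pnpm-workspace.yaml has no upper bound, unlike the neighbouring `basic-ftp@<5.3.1: '>=5.3.1 <6.0.0'` entry, so on a future re-lock `>=2.8.0` would also admit a 3.x major. An override wins over @elastic/transport's own `2.x` range, and a new major may ship a different `@opentelemetry/api` peer range than the `>=1.0.0 <1.10.0` this commit checked against, so the check done here would silently stop holding. Capping it to the major that was actually verified keeps the CVE fix without opening that path: `'@opentelemetry/core@<2.8.0': '>=2.8.0 <3.0.0'`. The lockfile already resolves to 2.8.0, so the cap changes nothing in the current tree.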