
fix(deps): force @opentelemetry/core >=2.8.0 (CVE-2026-54285)#7975

Merged

JohnMcLear merged 1 commit into develop from fix/otel-core-cve-2026-54285 on Jun 17, 2026

Conversation

@JohnMcLear (Member)

Resolves Dependabot alert #205: GHSA-8988-4f7v-96qf / CVE-2026-54285 (medium, CVSS 5.3).

The vulnerability

W3CBaggagePropagator.extract() in @opentelemetry/core < 2.8.0 does not enforce the W3C Baggage size limits (8,192 bytes / 180 entries) on inbound baggage headers — limits were only applied on inject(). Parsing oversized baggage allocates memory proportional to the header size with no cap (CWE-770). Fixed in 2.8.0.

Dependency chain (transitive, runtime)

src/package.json -> @elastic/elasticsearch@^9.4.2
                 -> @elastic/transport@9.3.6
                 -> @opentelemetry/core@2.7.1   <- vulnerable

Practical reachability in Etherpad: low

  • @elastic/elasticsearch is only exercised by the optional Elasticsearch ueberdb backend.
  • The vulnerable path is extract() on inbound baggage headers; Etherpad's ES client makes outbound requests to a trusted, operator-configured ES server — there is no attacker-controlled inbound baggage reaching the propagator.
  • Node's default --max-http-header-size (16 KB) independently caps the vector; the advisory itself rates availability impact as "limited".

Still worth patching to clear the alert and harden non-HTTP/raised-limit deployments.

The fix

@elastic/transport@9.3.6 declares its dep as @opentelemetry/core: 2.x, so 2.8.0 satisfies the existing range — no parent bump needed. 2.8.0's peer range (@opentelemetry/api >=1.0.0 <1.10.0) is satisfied by the 1.9.1 already in the tree.

Added a >=2.8.0 override to pnpm-workspace.yaml alongside the other CVE force-bumps (pnpm 11 no longer reads root package.json pnpm.overrides). Lockfile diff is surgical: only the override line and the 2.7.1 -> 2.8.0 resolution.

🤖 Generated with Claude Code

Pin the transitive @opentelemetry/core dep (pulled in via
@elastic/elasticsearch -> @elastic/transport) to >=2.8.0 to clear
GHSA-8988-4f7v-96qf / CVE-2026-54285: W3CBaggagePropagator.extract()
did not enforce W3C size limits on inbound baggage headers, allowing
unbounded memory allocation. @elastic/transport declares the dep as
"2.x" so 2.8.0 satisfies the existing range with no parent bump, and
2.8.0's @opentelemetry/api peer range (>=1.0.0 <1.10.0) is satisfied
by the 1.9.1 already in the tree.

Override added to pnpm-workspace.yaml alongside the other CVE
force-bumps (pnpm 11 ignores root package.json pnpm.overrides).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
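The extract-side check the description above refers to, as an added illustration that is not @opentelemetry/core's code and not part of this PR: a minimal W3C Baggage header parser in its unbounded form (the CWE-770 pattern the advisory describes) beside a bounded form that applies the 8,192-byte / 180-entry limits, plus the W3C spec's 4,096-byte per-member limit, before allocating anything. How the bounded parser reacts to an oversized header (discard the whole header, skip oversized members, stop at the member cap) is this example's policy, not necessarily what 2.8.0 does; the hostile header it feeds in is constructed.

```javascript
// Added example, not @opentelemetry/core's code: a W3C Baggage header parser
// in its unbounded form beside a bounded form that enforces the size limits
// on the inbound (extract) side, where the advisory says they were missing.
const BAGGAGE_MAX_TOTAL_LENGTH = 8192;        // bytes, whole header value
const BAGGAGE_MAX_NAME_VALUE_PAIRS = 180;     // list-members per header
const BAGGAGE_MAX_PER_NAME_VALUE_PAIR = 4096; // bytes per list-member (W3C spec)

const utf8Bytes = (s) => new TextEncoder().encode(s).length;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse one list-member "key=value;prop1;prop2" into {key, value, metadata},
// or null when it has no "key=value" part.
function parseMember(member) {
  const [pair, ...props] = member.split(';');
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  return {
    key: safeDecode(pair.slice(0, eq).trim()),
    value: safeDecode(pair.slice(eq + 1).trim()),
    metadata: props.map((p) => p.trim()).join(';'),
  };
}

// Unbounded extract: every list-member becomes an entry, however many there
// are and however large, so memory grows with attacker-controlled header size.
function parseBaggageUnbounded(header) {
  const out = new Map();
  for (const member of header.split(',')) {
    const entry = parseMember(member);
    if (entry) out.set(entry.key, entry);
  }
  return out;
}

// Bounded extract: check sizes before allocating. Policy (this example's
// choice): drop a header over the total limit, skip a list-member over the
// per-member limit, stop once the member cap is reached.
function parseBaggageBounded(header) {
  const out = new Map();
  if (typeof header !== 'string') return out;
  if (utf8Bytes(header) > BAGGAGE_MAX_TOTAL_LENGTH) return out;
  for (const member of header.split(',')) {
    if (out.size >= BAGGAGE_MAX_NAME_VALUE_PAIRS) break;
    if (utf8Bytes(member) > BAGGAGE_MAX_PER_NAME_VALUE_PAIR) continue;
    const entry = parseMember(member);
    if (entry) out.set(entry.key, entry);
  }
  return out;
}

// Constructed hostile header: `n` small members, well under 8 KB in total
// but far over the 180-member cap, so only the entry count is what blows up.
function buildManyMembers(n) {
  return Array.from({ length: n }, (_, i) => `k${i}=v${i}`).join(',');
}

const hostile = buildManyMembers(500);
console.log('unbounded entries:', parseBaggageUnbounded(hostile).size); // 500
console.log('bounded entries:  ', parseBaggageBounded(hostile).size);   // 180
```

The order of the checks is the point: total length is tested on the raw string before `split(',')`, and the member cap is tested before each `parseMember` call, so no per-entry allocation happens for input the parser is going to reject anyway.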
qodo-free-for-open-source-projects Bot commented Jun 16, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review


qodo-free-for-open-source-projects Bot commented

PR Summary by Qodo

Fix CVE-2026-54285 by forcing @opentelemetry/core >= 2.8.0 via pnpm override
🐞 Bug fix ⚙️ Configuration changes 🕐 10-20 Minutes


Walkthroughs

Description
• Add pnpm override to enforce @opentelemetry/core >=2.8.0 and clear CVE-2026-54285 alert.
• Update lockfile resolution from @opentelemetry/core 2.7.1 to 2.8.0 under @elastic/transport.
Diagram
graph TD
  A["Etherpad repo"] --> B["pnpm-workspace.yaml"] --> C["pnpm overrides"] --> D["@opentelemetry/core"]
  A --> E["pnpm-lock.yaml"] --> D
High-Level Assessment

The following are alternative approaches to this PR:

1. Bump the parent dependency (e.g., @elastic/transport/@elastic/elasticsearch)
  • ➕ Keeps dependency selection within upstream-managed ranges without overrides
  • ➕ May pull in additional upstream fixes and metadata updates
  • ➖ Potentially larger upgrade surface area and behavioral changes
  • ➖ May be blocked by compatibility constraints elsewhere in the tree
2. Use root package.json pnpm.overrides (if supported)
  • ➕ Centralizes overrides in a familiar manifest file
  • ➖ Not effective in pnpm 11 setups that ignore root pnpm.overrides (as noted in repo comments)
  • ➖ Can create confusion if the override is not actually applied
3. Patch-package / vendor a fix
  • ➕ Precise control over the exact patched code path
  • ➖ Higher maintenance burden than upgrading
  • ➖ Easy to drift from upstream; unsuitable when a fixed release exists

Recommendation: The current approach (workspace-level pnpm override to force @opentelemetry/core >=2.8.0) is the best fit: it’s minimally invasive, aligns with the existing semver range (2.x), and matches the repo’s documented pnpm 11 behavior. Prefer an upstream parent bump only if future constraints require removing overrides or if additional upstream fixes are needed.


File Changes

Other (2)

pnpm-lock.yaml (+5/-4): Resolve @opentelemetry/core to 2.8.0 via override
  • Adds an override entry for @opentelemetry/core <2.8.0 and updates the locked package/snapshot resolutions from 2.7.1 to 2.8.0. This ensures the transitive dependency pulled via @elastic/transport resolves to the non-vulnerable version.

pnpm-workspace.yaml (+1/-0): Add workspace override forcing @opentelemetry/core >=2.8.0
  • Introduces a pnpm workspace-level override for @opentelemetry/core to enforce >=2.8.0 across the workspace. This aligns with the existing pattern of CVE-related force-bumps maintained in this file.

@JohnMcLear JohnMcLear merged commit 3e53962 into develop Jun 17, 2026
37 checks passed
@JohnMcLear JohnMcLear deleted the fix/otel-core-cve-2026-54285 branch June 17, 2026 07:53
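The check a reviewer wants after a force-bump like this one merges is that the override actually took effect in the lockfile and that no other path still resolves a vulnerable copy. As an added example, not Etherpad's or pnpm's code: a scanner over pnpm lockfile text that collects every version resolved for one package, from both the `packages:` keys (`'name@1.2.3'`) and snapshot dependency lines (`'name': 1.2.3(...)`), and reports those below the fixed version. The lockfile excerpts are constructed in pnpm v9 style with placeholder integrity hashes; the package layout mirrors the chain described in the PR but is not the repository's real lockfile.

```javascript
// Added example, not Etherpad's or pnpm's code: find every version of one
// package that a pnpm lockfile resolves and flag those below a fixed version.

// Constructed lockfile excerpts (pnpm v9 style); integrity hashes are placeholders.
const LOCK_BEFORE = `
lockfileVersion: '9.0'

packages:

  '@elastic/transport@9.3.6':
    resolution: {integrity: sha512-PLACEHOLDER}

  '@opentelemetry/core@2.7.1':
    resolution: {integrity: sha512-PLACEHOLDER}
    peerDependencies:
      '@opentelemetry/api': '>=1.0.0 <1.10.0'

snapshots:

  '@elastic/transport@9.3.6':
    dependencies:
      '@opentelemetry/api': 1.9.1
      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
`;

// The post-override state: same tree, core resolved to 2.8.0 everywhere.
const LOCK_AFTER = LOCK_BEFORE.replace(/2\.7\.1/g, '2.8.0');

const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Numeric x.y.z comparison; a prerelease tag is ignored, so 2.8.0-rc.1 counts
// as 2.8.0 (acceptable for a CI gate, noted here so nobody relies on it).
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every version the lockfile resolves for `pkg`, from both the packages: keys
// ('@scope/name@1.2.3') and snapshot dependency lines ('@scope/name': 1.2.3).
function lockedVersions(lockText, pkg) {
  const name = escapeRegex(pkg);
  const version = '(\\d+\\.\\d+\\.\\d+[0-9A-Za-z.-]*)';
  const patterns = [
    new RegExp(`'?${name}@${version}`, 'g'),
    new RegExp(`'?${name}'?:\\s+${version}`, 'g'),
  ];
  const found = new Set();
  for (const re of patterns) {
    for (const m of lockText.matchAll(re)) found.add(m[1]);
  }
  return [...found].sort(compareSemver);
}

// Versions of `pkg` still present that are older than `fixedIn`.
function vulnerableVersions(lockText, pkg, fixedIn) {
  return lockedVersions(lockText, pkg).filter((v) => compareSemver(v, fixedIn) < 0);
}

console.log('before:', vulnerableVersions(LOCK_BEFORE, '@opentelemetry/core', '2.8.0')); // ['2.7.1']
console.log('after: ', vulnerableVersions(LOCK_AFTER, '@opentelemetry/core', '2.8.0'));  // []
```

Scanning both the `packages:` keys and the snapshot dependency lines matters because an override that only touched one of them would leave the lockfile internally inconsistent. In a real checkout, `pnpm why @opentelemetry/core` answers the same question against the installed tree; the text scan is for CI or for reviewing a lockfile diff offline.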