From c59e666de2b1361ae80697d546633a7d3643ba00 Mon Sep 17 00:00:00 2001
From: yoanyomba2023 <154270259+yoanyomba2023@users.noreply.github.com>
Date: Tue, 19 Dec 2023 10:19:47 -0500
Subject: [PATCH 1/3] fix(host-metrics): bump minimum systeminformation version to 5.21.20 (security) (#1868)

* chore: bump system info version to address arbitrary command injection vulnerability in systeminformation
Signed-off-by: yyomba
* chore: sync package-lock.json
---------
Signed-off-by: yyomba
Co-authored-by: Marc Pichler
---
 package-lock.json | 16 ++++++++--------
 packages/opentelemetry-host-metrics/package.json | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e9904a6b57..7674555cd2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -29911,9 +29911,9 @@
 }
 },
 "node_modules/systeminformation": {
- "version": "5.21.17",
- "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.21.17.tgz",
- "integrity": "sha512-JZYRCbIjk3WuBV59A9/rTla2rROX+aAJ9uo2Z1dI+bjieORcukClN8rlM1zE9NYKpULSbaGc+KKct/870lO0DA==",
+ "version": "5.21.20",
+ "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.21.20.tgz",
+ "integrity": "sha512-AyS1fNc+MDoAJtFknFbbo587H8h6yejJwM+H9rVusnOToIEkiMehMyD5JM7o3j55Cto20MawIZrcgNMgd4BfOQ==",
 "os": [
 "darwin",
 "linux",
@@ -33654,7 +33654,7 @@
 "license": "Apache-2.0",
 "dependencies": {
 "@opentelemetry/sdk-metrics": "^1.8.0",
- "systeminformation": "^5.0.0"
+ "systeminformation": "^5.21.20"
 },
 "devDependencies": {
 "@opentelemetry/api": "^1.3.0",
@@ -42919,7 +42919,7 @@
 "nyc": "15.1.0",
 "rimraf": "5.0.5",
 "sinon": "15.2.0",
- "systeminformation": "^5.0.0",
+ "systeminformation": "^5.21.20",
 "ts-mocha": "10.0.0",
 "typescript": "4.4.4"
 }
@@ -62830,9 +62830,9 @@
 "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w=="
 },
 "systeminformation": {
- "version": "5.21.17",
- "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.21.17.tgz",
- "integrity": "sha512-JZYRCbIjk3WuBV59A9/rTla2rROX+aAJ9uo2Z1dI+bjieORcukClN8rlM1zE9NYKpULSbaGc+KKct/870lO0DA=="
+ "version": "5.21.20",
+ "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.21.20.tgz",
+ "integrity": "sha512-AyS1fNc+MDoAJtFknFbbo587H8h6yejJwM+H9rVusnOToIEkiMehMyD5JM7o3j55Cto20MawIZrcgNMgd4BfOQ=="
 },
 "tapable": {
 "version": "1.1.3",
diff --git a/packages/opentelemetry-host-metrics/package.json b/packages/opentelemetry-host-metrics/package.json
index d58d1b5539..db007ccf23 100644
--- a/packages/opentelemetry-host-metrics/package.json
+++ b/packages/opentelemetry-host-metrics/package.json
@@ -56,7 +56,7 @@
 },
 "dependencies": {
 "@opentelemetry/sdk-metrics": "^1.8.0",
- "systeminformation": "^5.0.0"
+ "systeminformation": "^5.21.20"
 },
 "homepage": "https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/packages/opentelemetry-host-metrics#readme"
 }

From e35e3705ed5bac91f9558f70adaaf34b4fa532a4 Mon Sep 17 00:00:00 2001
From: Jamie Danielson
Date: Wed, 20 Dec 2023 11:56:11 -0500
Subject: [PATCH 2/3] maint: specify label for stale, exempt never-stale (#1732)

we may want information but still never stale it so set exempt label first for early return. any-of-label is comma-separated allowlist. remove instr-request and bug to avoid needing to remove labels.
Co-authored-by: Marc Pichler
---
 .github/workflows/close-stale.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index 15bfec637b..5c5dcfc7b2 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -17,5 +17,6 @@ jobs:
 close-pr-message: 'This PR was closed because it has been stale for 14 days with no activity.'
 stale-issue-label: stale
 stale-pr-label: stale
- exempt-issue-labels: never-stale,instrumentation-request,bug
+ exempt-issue-labels: never-stale
 exempt-pr-labels: never-stale
+ any-of-labels: information-requested

From 44cba00c9579629ecb0f65020aeb14197b914284 Mon Sep 17 00:00:00 2001
From: Trent Mick
Date: Wed, 20 Dec 2023 22:51:16 -0800
Subject: [PATCH 3/3] test: temporarily pin Node.js 18 testing to 18.18.2 (#1873)

This is as a workaround for ESM testing failing with v18.19.0 due to node's off-thread ESM loading and import-in-the-middle's limitation with reexports.
Refs: https://github.com/open-telemetry/opentelemetry-js-contrib/issues/1872
---
 .github/workflows/test-all-versions.yml | 2 +-
 .github/workflows/unit-test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test-all-versions.yml b/.github/workflows/test-all-versions.yml
index 5225010453..aa0b908342 100644
--- a/.github/workflows/test-all-versions.yml
+++ b/.github/workflows/test-all-versions.yml
@@ -18,7 +18,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- node: ["14", "16", "18"]
+ node: ["14", "16", "18.18.2"]
 runs-on: ubuntu-latest
 services:
 mongo:
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index f5bfd63f06..b306cdc413 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -9,7 +9,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- node: ["14", "16", "18"]
+ node: ["14", "16", "18.18.2"]
 include:
 - node: 14
 code-coverage: true
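Review bot: The added `any-of-labels: information-requested` line in the close-stale hunk filters pull requests as well as issues in actions/stale, so a PR that never receives that label is no longer a stale candidate even though `stale-pr-label`, `exempt-pr-labels` and `close-pr-message` stay configured in the lines above it. If the allowlist is meant for issues only, the narrower input is `any-of-issue-labels: information-requested`; if PRs are now intentionally outside the stale flow, a one-line comment such as `# any-of-labels also gates PRs; only labelled PRs are ever marked stale` would spare the next reader the lookup. The step's `with:` block that this hunk edits begins before the hunk.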