SIB-004: update vulnerable OpenTelemetry dependencies #19

@jmrpineda

Description

Discovery date: 2026-05-28
Reported by: Codex
Severity: medium
Environment: local dotnet test SphereIntegrationHub.slnx on macOS with .NET SDK 10.0.102
Scope / affected surface: NuGet dependencies for CLI, SDK, MCP, and test projects using OpenTelemetry.Api and OpenTelemetry.Exporter.OpenTelemetryProtocol 1.15.0
Evidence: dotnet test emits NU1902 warnings for GHSA-g94r-2vxg-569j, GHSA-4625-4j76-fww9, GHSA-mr8r-92fq-pj8p, and GHSA-q834-8qmm-v933.

Summary

The solution currently restores OpenTelemetry packages with known moderate-severity vulnerabilities, so every validation run reports NU1902 warnings.

Expected behavior

The solution should restore dependency versions that do not emit known vulnerability warnings for the supported package graph.

Current behavior

dotnet test SphereIntegrationHub.slnx succeeds, but package restore reports moderate vulnerability advisories for OpenTelemetry packages used across runtime and test projects.

Reproduction steps

  1. Run dotnet test SphereIntegrationHub.slnx.
  2. Observe restore/build output.
  3. Confirm NU1902 warnings for OpenTelemetry.Api and OpenTelemetry.Exporter.OpenTelemetryProtocol 1.15.0.

Environment details

  • Repository: PinedaTec-EU/SphereIntegrationHub
  • Date observed: 2026-05-28
  • SDK: .NET 10.0.102
  • Platform: macOS

Notes

  • The test suite still passes; this is a dependency hygiene and security remediation item.
  • Package upgrades should be validated against telemetry initialization and report-generation paths.
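A CI-style check for the reproduction above, added here as an example and not part of the SphereIntegrationHub repository: it parses NuGet audit warnings (NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical) out of captured dotnet restore/test output, reports the distinct package/advisory tuples a fix has to clear, and fails when any warning at or above a chosen level remains. The log is constructed for the example: the project paths are placeholders, and the message wording is modelled on the NU1902 lines the issue quotes, so only the warning code, the quoted package name, the version and the GHSA id are relied upon.

```shell
#!/usr/bin/env bash
# Added example (not SphereIntegrationHub code): gate on NuGet audit warnings
# found in captured `dotnet restore` / `dotnet test` output.
set -euo pipefail

# Constructed sample log. Project paths are placeholders; the warning text is
# modelled on the NU1902 lines reported in the issue, not copied from a real run.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
  Determining projects to restore...
/src/Cli/Cli.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j
/src/Cli/Cli.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-4625-4j76-fww9
/src/Sdk/Sdk.csproj : warning NU1902: Package 'OpenTelemetry.Api' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-g94r-2vxg-569j
/src/Sdk/Sdk.csproj : warning NU1902: Package 'OpenTelemetry.Exporter.OpenTelemetryProtocol' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-mr8r-92fq-pj8p
/src/Tests/Tests.csproj : warning NU1902: Package 'OpenTelemetry.Exporter.OpenTelemetryProtocol' 1.15.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-q834-8qmm-v933
  Restored /src/Cli/Cli.csproj (in 1.2 sec).
EOF

# Print one "CODE|package|version|advisory" line per audit warning, de-duplicated.
# The same advisory is emitted once per referencing project, so the project path
# is deliberately dropped before sort -u.
audit_findings() {
  local log="$1"
  sed -nE "s/.*warning (NU190[1-4]): Package '([^']+)' ([^ ]+) .*(GHSA-[A-Za-z0-9-]+).*/\1|\2|\3|\4/p" "$log" \
    | sort -u
}

# Number of distinct advisories in the log: the count a fix PR has to bring to zero.
audit_advisory_count() {
  audit_findings "$1" | cut -d'|' -f4 | sort -u | grep -c . || true
}

# Gate: return 0 only when no warning at or above MIN_CODE (default NU1902,
# i.e. moderate) is present. Codes are same-length strings, so a plain string
# comparison orders them correctly.
audit_gate() {
  local log="$1" min="${2:-NU1902}" hits
  hits="$(audit_findings "$log" | awk -F'|' -v min="$min" '$1 >= min' || true)"
  if [ -n "$hits" ]; then
    printf 'Audit gate failed (warnings >= %s):\n%s\n' "$min" "$hits" >&2
    return 1
  fi
  return 0
}

# Demo run on the constructed log: lists 4 distinct findings, then shows the gate
# rejecting the sample at the moderate threshold (as it would for the issue's run).
audit_findings "$SAMPLE_LOG"
printf 'distinct advisories: %s\n' "$(audit_advisory_count "$SAMPLE_LOG")"
audit_gate "$SAMPLE_LOG" NU1902 || printf 'gate result: FAIL (expected for this sample)\n'
```

In a pipeline this runs as dotnet restore SphereIntegrationHub.slnx 2>&1 | tee restore.log followed by audit_gate restore.log. The same outcome can be enforced by NuGet itself: setting NuGetAuditMode to all (so transitive packages are audited too) and adding NU1902;NU1903;NU1904 to WarningsAsErrors in a Directory.Build.props turns the warnings this issue reports into restore failures, and dotnet list package --vulnerable --include-transitive gives the same list without a full build.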

Metadata

  • Assignees: no one assigned
  • Labels: bug (Something isn't working)
  • Milestone: none
  • Development: no branches or pull requests